Doing a disk dd with *NIX or a bitwise ghost does not compromise the data (other than in the quantum sense of not being able to observe an electron without changing its orbit). If this is the rigor you would impose, then any copying, including your "specialized police hardware", would fall under the same restriction. Although I am not familiar with this hardware, most law enforcement I know use EnCase, a $30K dd with a few analysis tools thrown in.
Curt Purdy CISSP, GSEC, MCSE+I, CNE, CCDA
Information Security Engineer
DP Solutions
----------------------------------------

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- White House cybersecurity adviser Richard Clarke

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Alexandre Dulaunoy
Sent: Sunday, August 03, 2003 2:01 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [inbox] [Full-Disclosure] Re: Reacting to a server compromise

On 03/Aug/03 12:33 +1000, [EMAIL PROTECTED] wrote:

> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
>
> > If this happens again, I would probably make a copy of the hard drive,
> > or at the very least the log files since they can be entered as
> > evidence of a hacked box.
>
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc
> using standard hardware is completely inadmissible in court, as it is
> impossible to make one without possibly compromising the integrity of the
> evidence. The police etc use specialised hardware for making such copies,
> which ensures that the disk can't have been altered.

Getting evidence by reading (via any software or hardware solution) may
compromise the integrity of the evidence.

I would like to know the difference between, for example, a (s)dd and the
specialised hardware that you talk about? Do you have any references?

Preserving the scene integrity is really difficult. You have to minimize the
intrusion to the scene. On computer hardware it is really difficult... Using a
hardware device that doesn't change the scene too much is difficult... (think
of a compromised disk firmware). And the worst, sometimes we see something that
doesn't exist at all. Forensic analysis is the land of illusion...

just my .02 EUR.

adulau

--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
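The thread argues over whether a dd image "compromises" the evidence and what specialised imaging hardware adds. The script below is an added example, not code posted by anyone in the thread, showing the verification step a dd-based acquisition should carry either way: hash the source before the read, image it, hash the source again and hash the image, and compare all three. It assumes a constructed 4 MiB file of random bytes as a stand-in for /dev/sdX so it runs offline; the names `sha256`, `make_evidence`, `image_and_verify` and `demo` are chosen here. What it cannot show is Alexandre's point: nothing read through the drive's own controller can detect firmware that lies to the host, so matching hashes establish a consistent copy, not the truthfulness of the medium.

```shell
#!/bin/sh
# Added example for this thread (not code posted by anyone in it).
# Images a source with plain dd and records SHA-256 hashes of the source
# before and after the read and of the resulting image. Identical hashes
# show the copy is bit-for-bit and that reading did not alter the source.
# Assumption: the "evidence disk" is a constructed 4 MiB file of random
# bytes standing in for /dev/sdX, so this runs offline without hardware.
# A software read offers no protection against compromised drive firmware
# lying to the host; that limitation is outside what hashing can detect.

set -eu

# SHA-256 of a file, using whichever tool the platform has.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Build the constructed evidence file and make it read-only. On a real
# device the equivalent is a hardware write blocker, or at minimum
# `blockdev --setro /dev/sdX` before the first read.
make_evidence() {
    dd if=/dev/urandom of="$1" bs=1048576 count=4 2>/dev/null
    chmod 0444 "$1"
}

# Image $1 into $2 and verify. bs=512 matches the logical sector size, so
# conv=noerror,sync pads exactly one sector of zeros per unreadable sector
# and never appends padding past the end of the source (a larger bs that
# does not divide the source size would, and the image hash would differ).
# Prints the three hashes; returns 0 only if all three are equal.
image_and_verify() {
    src=$1
    dst=$2
    before=$(sha256 "$src")
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    after=$(sha256 "$src")
    image=$(sha256 "$dst")
    printf 'source before: %s\nsource after : %s\nimage        : %s\n' \
        "$before" "$after" "$image"
    [ "$before" = "$after" ] && [ "$before" = "$image" ]
}

# Stand-alone run: build the constructed evidence, image it, report.
demo() {
    work=$(mktemp -d)
    make_evidence "$work/evidence.img"
    if image_and_verify "$work/evidence.img" "$work/evidence.dd"; then
        echo "OK: image is bit-identical and the source hash is unchanged"
    else
        echo "MISMATCH: do not rely on this image" >&2
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
}

demo
```

On a real acquisition the three hashes are what you write into the chain-of-custody notes, and the read-only protection comes from a hardware write blocker rather than file permissions; `chmod 0444` here only stands in for that. The block size choice matters more than it looks: `conv=sync` pads the final partial block, so a `bs` that does not divide the device size produces an image that is longer than the device and hashes differently, which is exactly the kind of discrepancy that gets an image challenged.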