[clug] OT: Hard disk search
Antti.Roppola at brs.gov.au
Wed May 14 17:44:58 EST 2003
Here's a link that shows some of the care required:
http://www.vogon-computer-evidence.com/forensic_bulletin-23/forensic_bulletin_23_5.htm
The key points are that:
- At no point was the evidence left unsecured or its movements undocumented.
- An image was created using an accredited method and it was the image that
was analysed.
- As well as recovering pictures, they were able to recover enough
information to prove that the defendant *intended* to view the pictures.
Cheers,
Antti
-----Original Message-----
From: Martijn van Oosterhout [mailto:kleptog at svana.org]
Sent: Wednesday, 14 May 2003 5:08 PM
To: James
Cc: linux at samba.org
Subject: Re: [clug] OT: Hard disk search
On Wed, May 14, 2003 at 03:44:53PM +1000, Antti.Roppola at brs.gov.au wrote:
> I have been reading about this and it's a lot trickier than it
> first appears.
>
> As well as being technically competent in searching the drive,
> you must demonstrate that at every stage the contents of the drive
> were protected from tampering. Even the slightest doubt and its
> value as evidence can be compromised. As well as finding the data,
> you probably also must demonstrate where it came from:
OK, first step: do a direct disk-to-disk copy (using dd) onto another disk,
then lock the original up. Maybe also go through the disk and get filenames
and md5 sums of every file. Other than that I have no real help, but it may
help to prove there was no tampering. If possible, don't even boot from the
disk, as that changes things too; boot off a CD.
But really, get some professionals in.
Hope this helps,
--
Martijn van Oosterhout <kleptog at svana.org> http://svana.org/kleptog/
> "the West won the world not by the superiority of its ideas or values or
> religion but rather by its superiority in applying organized violence.
> Westerners often forget this fact, non-Westerners never do."
> - Samuel P. Huntington
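The acquisition Martijn sketches (dd the whole disk, lock the original away, md5 every file) and Antti's point that it is the verified image, not the original, that gets analysed, as an added shell example that is not from either post. The "drive" here is a constructed 4 KiB raw file and the "mounted image" a constructed directory, because reading a real device and mounting an image need root; the sha256 digest recorded alongside md5 is my addition, not something the thread calls for.

```shell
#!/bin/sh
# Added example, not part of the list thread: image a (constructed) drive
# with dd, record hashes of original and image, build a per-file md5
# manifest, and show that a one-byte change to the working copy is caught.
set -eu

# Constructed stand-in for the suspect drive: a 4 KiB raw file. A real
# acquisition reads /dev/sdX from a CD-booted system with the disk attached
# read-only; the dd invocation in image_drive is the same either way.
make_drive() {
    drive=$1
    dd if=/dev/zero of="$drive" bs=512 count=8 2>/dev/null
    # put recognisable content in sector 2 without truncating the file
    printf 'constructed evidence: holiday.jpg\n' |
        dd of="$drive" bs=512 seek=2 conv=notrunc 2>/dev/null
}

# Sector-by-sector image. conv=noerror,sync keeps going past unreadable
# sectors and pads them with zeros so offsets in the image still match the
# original; a hash mismatch afterwards is how you learn a sector was bad.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Hex digests of one file: md5 as in the post, sha256 as a second opinion.
md5_of()    { md5sum "$1"    | cut -d' ' -f1; }
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# 0 if the image hashes identically to the original under both digests.
verify_image() {
    [ "$(md5_of "$1")" = "$(md5_of "$2")" ] &&
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Manifest of every regular file under $1 (in practice the read-only mount
# of the image), one md5 per line in a stable order, written to $2, which
# must be an absolute path outside the tree it describes.
build_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort |
        while IFS= read -r f; do md5sum "$f"; done ) > "$2"
}

# 0 if every file still matches the manifest, non-zero if any differ.
check_manifest() {
    ( cd "$1" && md5sum -c "$2" ) >/dev/null 2>&1
}

# --- walk-through on constructed data ---
WORK=$(mktemp -d)
make_drive "$WORK/suspect.raw"
image_drive "$WORK/suspect.raw" "$WORK/suspect.dd"
verify_image "$WORK/suspect.raw" "$WORK/suspect.dd" && echo "image matches original"

# Stand-in for the mounted image contents (constructed files).
mkdir -p "$WORK/mnt/home/user"
printf 'first file\n'  > "$WORK/mnt/home/user/notes.txt"
printf 'second file\n' > "$WORK/mnt/home/user/photo.jpg"
build_manifest "$WORK/mnt" "$WORK/manifest.md5"
check_manifest "$WORK/mnt" "$WORK/manifest.md5" && echo "manifest verifies"

# Overwrite one byte of the working copy; the manifest check must now fail.
printf 'X' | dd of="$WORK/mnt/home/user/photo.jpg" bs=1 seek=0 conv=notrunc 2>/dev/null
if check_manifest "$WORK/mnt" "$WORK/manifest.md5"; then
    echo "manifest still verifies (unexpected)"
else
    echo "tampering detected"
fi
```

The manifest and the image hashes are only worth anything if they are recorded at acquisition time, signed or printed into the case notes, and kept apart from the disk they describe; a manifest stored on the same image can be rewritten along with the files.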