[clug] OT: Hard disk search

Antti.Roppola at brs.gov.au Antti.Roppola at brs.gov.au
Wed May 14 15:44:53 EST 2003

I have been reading about this and it's a lot trickier than it
first appears.

As well as being technically competent in searching the drive,
you must demonstrate that at every stage the contents of the drive
were protected from tampering. Even the slightest doubt and its
value as evidence can be compromised. As well as finding the data,
you probably also must demonstrate where it came from:

Say the defendant claims someone stuffed a web page they visit with
something like:
	<IMG src=http://www.naughtysite.com/images/naughty.jpg height=1 width=1>

You'd probably need to retrieve other stuff like logs to prove they
deliberately downloaded the data and that it could not have been placed
on the hard drive without their knowledge (say by a Trojan or another user).

There are FAQs on recovering data, there are weighty tomes on evidence law.


-----Original Message-----
From: Peter Barker [mailto:pbarker at barker.dropbear.id.au]
Sent: Wednesday, 14 May 2003 2:40 PM
To: James
Cc: linux at samba.org
Subject: Re: [clug] OT: Hard disk search

On Wed, 14 May 2003, James wrote:

> Would anyone be interested, or know someone who would be, in performing a
> very thorough search of a hard disk. We need to give evidence in court, as
> the hard disk is that of a computer allegedly used for child pornography.

Do you want to prove there _is_ something on the disk, or there _isn't_?

It should be relatively easy to prove there _is_ something on disk....


Apply that at a bit level... take every 5678th bit, wrapping around from
the end of the disk if necessary.... and you get _this_ disturbing JPEG

Now. Perhaps something useful....

I suggest googling for "data recovery australia". That will give you
somebody whose qualifications may actually count for something in court.

> -James

Peter Barker                          |   N    _--_|\ /---- Barham, Vic
Programmer,Sysadmin,Geek              | W + E /     /\
pbarker at barker.dropbear.id.au         |   S   \_,--?_*<-- Canberra
You need a bigger hammer.             |             v    [35S, 149E]
"Our inventory of Digital Certificates or Web Server Certificates must be sold"
- Melbourne IT <announcements at melbourneit.com.au>
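
Added example (not part of the original thread): the reply above notes that a 1x1 IMG tag planted in a visited page can put a file in the browser cache without the user choosing to fetch it. This Python code scans a recovered page for such hidden images so an examiner can check that explanation against the evidence; the sample HTML, the host names and the 2-pixel threshold are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample of a page recovered from a browser cache (placeholder hosts).
SAMPLE_PAGE_URL = "http://news.example/story.html"
SAMPLE_HTML = """<html><body>
<img src="/img/logo.png" width="120" height="40">
<IMG src=http://images.example.net/a.jpg height=1 width=1>
<img src="http://cdn.example.org/b.jpg" style="display:none">
<img src="http://cdn.example.org/photo.jpg" width="640" height="480">
</body></html>"""

MAX_HIDDEN_PX = 2  # assumption: an image this small is not meant to be seen

def _px(value):
    # Integer pixel size, or None when the attribute is absent or not numeric.
    try:
        return int(str(value).strip().rstrip("px"))
    except ValueError:
        return None

class HiddenImageFinder(HTMLParser):
    # Collects (absolute_url, is_third_party, reasons) for images a viewer would not see.
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag != "img" or not a.get("src"):
            return
        url = urljoin(self.page_url, a["src"])
        sizes = (_px(a.get("width")), _px(a.get("height")))
        reasons = []
        if any(v is not None and v <= MAX_HIDDEN_PX for v in sizes):
            reasons.append("tiny dimensions")
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            third_party = urlparse(url).hostname != self.page_host
            self.findings.append((url, third_party, reasons))

def find_hidden_images(html, page_url):
    finder = HiddenImageFinder(page_url)
    finder.feed(html)
    return finder.findings
```

A hit only shows that the page could have caused the download on its own; it still has to be correlated with cache timestamps and logs, as the message says.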
