[clug] OT: Hard disk search

Martijn van Oosterhout kleptog at svana.org
Wed May 14 17:07:32 EST 2003


On Wed, May 14, 2003 at 03:44:53PM +1000, Antti.Roppola at brs.gov.au wrote:
> I have been reading about this and it's a lot trickier than it
> first appears.
> 
> As well as being technically competent in searching the drive,
> you must demonstrate that at every stage the contents of the drive
> were protected from tampering. Even the slightest doubt and its
> value as evidence can be compromised. As well as finding the data,
> you probably also must demonstrate where it came from:

Ok, first step, do a direct disk-to-disk copy (using dd) onto another disk
then lock the original up. Maybe also go through the disk and get filenames
and md5 sums of every file. Other than that I have no real help, but it may
help to prove there was no tampering. If possible, don't even boot from the
disk as that changes things too, boot off a CD.

But really, get some professionals in.

Hope this helps,
-- 
Martijn van Oosterhout   <kleptog at svana.org>   http://svana.org/kleptog/
> "the West won the world not by the superiority of its ideas or values or
> religion but rather by its superiority in applying organized violence.
> Westerners often forget this fact, non-Westerners never do."
>   - Samuel P. Huntington
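
The steps suggested in the reply above (a dd copy, then filenames and md5 sums of every file), sketched as an added example that is not part of the original post. The function names are hypothetical, sha256sum is added alongside md5sum as an assumption, GNU find/sort/xargs are assumed, and a constructed file stands in for the disk so the script runs without root.

```shell
#!/bin/sh
# Added example: acquisition copy plus hash records. Runs on a constructed
# stand-in file; in a real case SRC would be the block device (placeholder
# /dev/sdX), with the machine booted from a CD as the post advises.

# Print only the digest. md5sum is what the post names; sha256sum is added
# here as a second record (an assumption, not from the post).
digest() { "$1" "$2" | cut -d' ' -f1; }

# Copy SRC to DST with dd, log both digests to LOG, and return non-zero
# if the copy does not hash identically to the source.
image_and_verify() {
    src=$1; dst=$2; log=$3
    dd if="$src" of="$dst" bs=64k 2>/dev/null || return 2
    for tool in md5sum sha256sum; do
        a=$(digest "$tool" "$src"); b=$(digest "$tool" "$dst")
        printf '%s source=%s copy=%s\n' "$tool" "$a" "$b" >>"$log"
        [ "$a" = "$b" ] || return 1
    done
    chmod a-w "$dst"    # the working copy stays read-only from here on
}

# Record filename and md5 of every regular file under DIR (a read-only
# mount of the copy), sorted so two runs can be compared with diff.
file_manifest() {
    (cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r md5sum) >"$2"
}

# Re-check DIR against MANIFEST (absolute path); non-zero means a change.
verify_manifest() { (cd "$1" && md5sum -c "$2" >/dev/null 2>&1); }

# Constructed demo: a 1 MiB random file stands in for the suspect disk.
work=$(mktemp -d)
mkdir "$work/mnt"
dd if=/dev/urandom of="$work/disk.img" bs=64k count=16 2>/dev/null
echo "constructed sample file" >"$work/mnt/notes.txt"
image_and_verify "$work/disk.img" "$work/copy.img" "$work/hashes.log" && cat "$work/hashes.log"
file_manifest "$work/mnt" "$work/manifest.md5" && verify_manifest "$work/mnt" "$work/manifest.md5" && echo "manifest verified"
rm -rf "$work"
```

Keeping the hash log and manifest with the locked-up original lets a later run show that neither the copy nor any file in it has changed.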