[clug] OT: Hard disk search

Antti.Roppola at brs.gov.au Antti.Roppola at brs.gov.au
Wed May 14 17:44:58 EST 2003

Here's a link that shows some of the care required:


The key points are that:
	- At no point was the evidence left unsecured or its movements undocumented.
	- An image was created using an accredited method and it was the image that
	  was analysed.
	- As well as recovering pictures, they were able to recover enough
	  information to prove that the defendant *intended* to view the pictures.



-----Original Message-----
From: Martijn van Oosterhout [mailto:kleptog at svana.org]
Sent: Wednesday, 14 May 2003 5:08 PM
To: James
Cc: linux at samba.org
Subject: Re: [clug] OT: Hard disk search

On Wed, May 14, 2003 at 03:44:53PM +1000, Antti.Roppola at brs.gov.au wrote:
> I have been reading about this and it's a lot trickier than it
> first appears.
> As well as being technically competent in searching the drive,
> you must demonstrate that at every stage the contents of the drive
> were protected from tampering. Even the slightest doubt and its
> value as evidence can be compromised. As well as finding the data,
> you probably also must demonstrate where it came from:

Ok, first step, do a direct disk-to-disk copy (using dd) onto another disk
then lock the original up. Maybe also go through the disk and get filenames
and md5 sums of every file. Other than that I have no real help, but it may
help to prove there was no tampering. If possible, don't even boot from the
disk as that changes things too, boot off a CD.

But really, get some professionals in.

Hope this helps,
Martijn van Oosterhout   <kleptog at svana.org>   http://svana.org/kleptog/
> "the West won the world not by the superiority of its ideas or values or
> religion but rather by its superiority in applying organized violence.
> Westerners often forget this fact, non-Westerners never do."
>   - Samuel P. Huntington
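
The copy-then-hash steps suggested in the quoted reply, as an added example that is not part of either message: it checks that a copy hashes the same as its source and records a per-file manifest that can be re-verified later. The function names and the sample tree are constructed for illustration, GNU coreutils is assumed, and SHA-256 is used in place of the md5 sums the reply mentions.

```shell
#!/bin/sh
# Added example. SHA-256 replaces the MD5 sums mentioned in the message.

# same_content A B: succeed only if two images (or devices) hash identically.
same_content() {
    a=$(sha256sum < "$1") || return 2
    b=$(sha256sum < "$2") || return 2
    [ "$a" = "$b" ]
}

# build_manifest ROOT MANIFEST: one "hash  ./path" line per file under ROOT,
# sorted by path. Keep MANIFEST outside ROOT so it is not hashed itself.
build_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# verify_manifest ROOT MANIFEST: rebuild and diff against the recorded manifest.
# Prints changed, deleted and added entries; returns 0 only if nothing differs.
verify_manifest() {
    fresh=$(mktemp) || return 2
    build_manifest "$1" "$fresh"
    rc=0
    diff "$2" "$fresh" || rc=$?
    rm -f "$fresh"
    return "$rc"
}

# demo: constructed sample tree standing in for a read-only mount of the copy.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/copy/home/user"
    printf 'letter\n' > "$work/copy/home/user/a.txt"
    printf 'notes\n'  > "$work/copy/home/user/b.txt"
    build_manifest "$work/copy" "$work/manifest.sha256"
    verify_manifest "$work/copy" "$work/manifest.sha256" && echo "untouched: OK"
    printf 'edited\n' > "$work/copy/home/user/b.txt"      # simulate tampering
    verify_manifest "$work/copy" "$work/manifest.sha256" || echo "change detected"
    rm -rf "$work"
}

demo
```

On real media, ROOT would be the read-only mount of the working copy and the manifest would be stored with the case notes rather than on the copy itself.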
