[clug] OT: Hard disk search

Martijn van Oosterhout kleptog at svana.org
Thu May 15 19:14:14 EST 2003

On Thu, May 15, 2003 at 03:33:19PM +1000, Antti.Roppola at brs.gov.au wrote:
> BTW, the comment elsewhere in this thread about not mounting the
> disk and accidentally changing its contents such as by touching
> date stamps (and therefore compromising the evidence) are the sorts
> of integrity issues I was thinking about.

Mounting read-only is a good idea. Note that some hard drives can be
switched into read-only mode (hdparm -r). Some may even have a jumper.

> And; digging through a hard drive is no different to digging through
> someone's trash. It's just that most jury members understand wheelie
> bins more than they understand things like FAT32 and dd. :o)

However, you have the added advantage that you can clone the bin (possibly
several times) and store the original. Once you've torn apart the clone you
can go back and confirm the existence in the original.

In theory you can just dd if=<source disk> of=<dest disk>. As long as the
dest disk is larger the result should be perfectly mountable in any machine.

Good luck,
Martijn van Oosterhout   <kleptog at svana.org>   http://svana.org/kleptog/
> "the West won the world not by the superiority of its ideas or values or
> religion but rather by its superiority in applying organized violence.
> Westerners often forget this fact, non-Westerners never do."
>   - Samuel P. Huntington
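An added example of the clone-and-verify workflow discussed in the message above (not code from the thread or the list): image a source with dd at sector size, then confirm the copy against the original by hash before working on it. It assumes coreutils dd and sha256sum; blockdev is the Linux command used here in place of the hdparm -r mentioned above, and the sample "disk" is a constructed 1 MiB file so the script runs offline.

```shell
#!/bin/sh
# Forensic clone-and-verify helper (added example, not from the thread).
# The source is only ever opened for reading; the image is a separate file.
set -eu

# Build a constructed sample "disk": 1 MiB = 2048 whole 512-byte sectors,
# deterministic content so repeated runs hash identically.
make_sample_disk() {
    yes 'sample sector payload' | head -c 1048576 > "$1"
}

# Clone $1 (block device or file) to image file $2.
image_disk() {
    src=$1; img=$2
    # A real block device is switched read-only first (needs root); the
    # hdparm -r mentioned in the thread does the same on the drive itself.
    if [ -b "$src" ] && command -v blockdev >/dev/null 2>&1; then
        blockdev --setro "$src" || echo "warning: could not set $src read-only" >&2
    fi
    # bs=512 keeps sector alignment: an unreadable sector is zero-padded
    # (noerror,sync) so later offsets stay intact, and a whole-sector source
    # gets no trailing padding, so a clean copy hashes identically.
    dd if="$src" of="$img" bs=512 conv=noerror,sync
}

# Compare source and image by SHA-256; returns 0 only when they match.
# Keep the printed hashes with the case notes so the clone can be
# re-checked against the stored original later.
verify_image() {
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    echo "source $src_hash"
    echo "image  $img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Usage: ./clone-verify.sh <source device or file> <image file>
if [ "$#" -eq 2 ]; then
    image_disk "$1" "$2"
    verify_image "$1" "$2"
fi
```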
