[clug] OT: Hard disk search

Michael Still mikal at stillhq.com
Thu May 15 19:13:22 EST 2003

On Thu, 15 May 2003, Martijn van Oosterhout wrote:

> On Thu, May 15, 2003 at 03:33:19PM +1000, Antti.Roppola at brs.gov.au wrote:
> > BTW, the comment elsewhere in this thread about not mounting the
> > disk and accidentally changing its contents such as by touching
> > date stamps (and therefore compromising the evidence) are the sorts
> > of integrity issues I was thinking about.
> Mounting read-only is a good idea. Note that some hard drives can be
> switched into read-only mode (hdparm -r). Some may even have a jumper.

Isn't there an ATA lock command?

> > And; digging through a hard drive is no different to digging through
> > someone's trash. It's just that most jury members understand wheelie
> > bins more than they understand things like FAT32 and dd. :o)
> However, you have the added advantage that you can clone the bin (possibly
> several times) and store the original. Once you've torn apart the clone you
> can go back and confirm the existance in the original.

There was an FBI report slashdotted a while back where they discussed
their imaging techniques. It was part of a law suit.

> In theory you can just dd if=<source disk> of=<dest disk>. As long as the
> dest disk is larger the result should be perfectly mountable in any machine.


dd if=/dev/<whatever> | mail -s "Hello from Canberra" bill.gates at microsoft.com




Michael Still (mikal at stillhq.com) | Stage 1: Steal underpants
http://www.stillhq.com            | Stage 2: ????
UTC + 10                          | Stage 3: Profit

More information about the linux mailing list