[clug] OT: Hard disk search
mikal at stillhq.com
Thu May 15 19:13:22 EST 2003
On Thu, 15 May 2003, Martijn van Oosterhout wrote:
> On Thu, May 15, 2003 at 03:33:19PM +1000, Antti.Roppola at brs.gov.au wrote:
> > BTW, the comment elsewhere in this thread about not mounting the
> > disk and accidentally changing its contents such as by touching
> > date stamps (and therefore compromising the evidence) are the sorts
> > of integrity issues I was thinking about.
> Mounting read-only is a good idea. Note that some hard drives can be
> switched into read-only mode (hdparm -r). Some may even have a jumper.

Isn't there an ATA lock command?

> > And; digging through a hard drive is no different to digging through
> > someone's trash. It's just that most jury members understand wheelie
> > bins more than they understand things like FAT32 and dd. :o)
> However, you have the added advantage that you can clone the bin (possibly
> several times) and store the original. Once you've torn apart the clone you
> can go back and confirm the existence in the original.

There was an FBI report slashdotted a while back where they discussed
their imaging techniques. It was part of a lawsuit.

> In theory you can just dd if=<source disk> of=<dest disk>. As long as the
> dest disk is larger the result should be perfectly mountable in any machine.

dd if=/dev/<whatever> | mail -s "Hello from Canberra" bill.gates at microsoft.com

Michael Still (mikal at stillhq.com) | Stage 1: Steal underpants
http://www.stillhq.com | Stage 2: ????
UTC + 10 | Stage 3: Profit
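
Added example, not part of the original post: the thread's dd clone onto a larger destination, followed by the "confirm against the original" step done with hashes. Because the destination is larger, only the first source-size bytes are compared. Regular files stand in for the disks, and every file and function name here is constructed for illustration.

```shell
#!/bin/sh
# Added example: regular files stand in for /dev/<whatever>; all names are constructed.

# SHA-256 of the first N bytes of a file.
hash_prefix() {  # usage: hash_prefix FILE N
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# Size in bytes. Assumption: for a real block device you would ask the kernel
# (e.g. blockdev --getsize64) instead of reading the whole device with wc.
size_of() {
    echo $(( $(wc -c < "$1") ))
}

# Copy SRC over the start of DEST without truncating DEST (dest may be larger).
image_disk() {  # usage: image_disk SRC DEST
    [ "$(size_of "$2")" -ge "$(size_of "$1")" ] || { echo "dest too small" >&2; return 2; }
    dd if="$1" of="$2" bs=4096 conv=notrunc 2>/dev/null
}

# Succeed only if DEST matches SRC over SRC's full length.
verify_clone() {  # usage: verify_clone SRC DEST
    n=$(size_of "$1")
    [ "$(hash_prefix "$1" "$n")" = "$(hash_prefix "$2" "$n")" ]
}

# Constructed sample data: a 64 KiB "evidence" image and a 128 KiB blank target.
make_sample() {  # usage: make_sample DIR
    yes "constructed evidence sector" | head -c 65536 > "$1/evidence.img"
    dd if=/dev/zero of="$1/clone.img" bs=1024 count=128 2>/dev/null
}

work=$(mktemp -d)
make_sample "$work"
chmod a-w "$work/evidence.img"          # treat the original as read-only
image_disk "$work/evidence.img" "$work/clone.img"
if verify_clone "$work/evidence.img" "$work/clone.img"; then
    echo "clone verified: $(hash_prefix "$work/evidence.img" 65536)"
fi
rm -rf "$work"
```

Hashing the whole destination would not match the source, since the extra space past the copied data is included; that is why verify_clone limits the comparison to the source length.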