PCBUILD Archives

Personal Computer Hardware discussion List

PCBUILD@LISTSERV.ICORS.ORG

Subject:
From: John Chin <[log in to unmask]>
Reply To: PCBUILD - Personal Computer Hardware discussion List <[log in to unmask]>
Date: Fri, 16 Mar 2001 00:56:18 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (54 lines)

Mark, Rick and Dave:

Thanks for your observations and analysis. Yes, drive swapping is preferred
but the client (whom I have not met) is a technophobe and there's a dollar
cap on this fishing expedition. I'm doing this mostly out of curiosity.

I will Ghost the drive so I can "re-create" multiple copies of the laptop
and desktop drives in question (for end user investigation, keeping the
"original" virginal). I'll run a parallel laplink cable so I don't have to
open boxes (probably the simplest -- and slowest -- way to Ghost these
computers). I'll boot to DOS on the source, load Ghost and clone the image
to a brand new drive in a removable caddy. Later, I'll burn a copy of the
image across CDRs.

I plan to run Ghost with the -id switch to direct-access image the entire
drive. This allegedly clones every sector and creates an identical
disk-to-disk image. And, thanks Dave, I will see if I still have a Ghost
4.X disk (BTW, was version 4.x NTFS-able? -- these drives may be such).

I read a forensic article which stated that the problem with Ghost 2000 is
in image restoration. The digital image is perfect but the restoration is
not exact. Ghost apparently reads data from the image file that was copied
from the source drive's partition table and, during the restoration
process, modifies the data to fit the target drive, even when using
identical drives. This changes the partition table so the copy is not
strictly identical, which is not "forensically sound".  Does anyone know if
the latest version of Ghost addresses this issue?

SnapBack DatArrest ($595) is supposed to avoid this problem (but I don't
wish to purchase such software for one job based upon suspicion in a civil
context). Alternatively, LINUX has a powerful (and complex) file copy
utility called DD which supposedly copies exact images of drives. I don't
know Linux well enough to try it here (but it is at the top of my "to
learn" list).

The rationale behind a drive image (even if you remove and keep the
original drive) is to preserve a static snapshot of the drive. An image on
a CDR is perishable but intact, while any read/write-able hard drive is
still dynamic and subject to change (the old Heisenberg uncertainty
principle).

Of course, analyzing the drive is the time-consuming part... But that's not
my job. For now, I just want to get in, make digital clones of the drives,
get out, and enjoy the remainder of my Saturday. I'll relate my experiences
here if notable.

Yours appreciatively,

John Chin

              The NOSPIN Group is now offering Free PC Tech
                     support at our newest website:
                          http://freepctech.com
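
Added example, not part of the original message: one way to check the concern raised above, that a restored clone can differ from the source only in the partition table. It hashes two images and lists the sectors and byte offsets that differ; the function names and the 4-sector sample "disk" are constructed for illustration.

```python
import hashlib
import io

SECTOR = 512
PT_START, PT_END = 446, 510   # MBR partition table: four 16-byte entries

def sha256_of(stream, chunk=1 << 20):
    """Hash a whole image or device opened in binary mode."""
    stream.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def differing_sectors(a, b):
    """Return [(sector_number, [byte offsets])] for every sector that differs."""
    a.seek(0)
    b.seek(0)
    out, n = [], 0
    while True:
        sa, sb = a.read(SECTOR), b.read(SECTOR)
        if not sa and not sb:
            return out
        if sa != sb:
            # Slicing past the end yields b"", so a size mismatch is reported too.
            width = max(len(sa), len(sb))
            out.append((n, [i for i in range(width) if sa[i:i+1] != sb[i:i+1]]))
        n += 1

def only_partition_table_changed(diffs):
    """True when every changed byte lies in sector 0's partition table."""
    return bool(diffs) and all(
        n == 0 and all(PT_START <= i < PT_END for i in offs) for n, offs in diffs)

def make_sample():
    """Constructed data: a source disk and a 'restored' copy with an adjusted entry."""
    disk = bytearray(SECTOR * 4)
    entry = bytes([0x80, 1, 1, 0, 0x07, 254, 63, 100])      # status, CHS start, type, CHS end
    entry += (63).to_bytes(4, "little") + (1000).to_bytes(4, "little")  # LBA start, count
    disk[446:462] = entry
    disk[510:512] = b"\x55\xaa"                              # MBR boot signature
    disk[SECTOR:SECTOR + 9] = b"user data"
    restored = bytearray(disk)
    restored[451:454] = bytes([15, 63, 200])                 # end CHS rewritten
    restored[458:462] = (1008).to_bytes(4, "little")         # sector count adjusted
    return io.BytesIO(bytes(disk)), io.BytesIO(bytes(restored))

if __name__ == "__main__":
    src, dst = make_sample()
    print(sha256_of(src) == sha256_of(dst), differing_sectors(src, dst))
```

For real media, pass file objects opened with `open(path, "rb")` on the image files or block devices instead of the sample streams.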
