Disk cloning for evidence

Printable View

February 23rd, 2006, 01:15 PM
Cemetric

Disk cloning for evidence

Hello all,

I need to take a copy or better yet a "cloning" of a HDD to search for evidence and other things.

Offcourse this needs to be done without touching the timestamps on the original HDD, I'll put the clone back in the machine and take the original along.

Afterwards I'll put it in another machine and copy it again to work of that copy and leave the original alone...

Then I'll hang that copy as a slave and investigate it.

The Computer has Win98 as OS.

Now ...my questions:

1- Does anyone know any good Disk cloning tools or would Symantec Ghost be ok ?

2- What tools do I use for searching the disk for evidence ...It's not hacked ...it's just to see the surfing and chatting habbits of someone. (it's not illegal the pc is not this persons property but from the person that gave me this "job" and is owner of this PC) and confront him/her with it.

3- Does the way I plan to do this look ok to you forensic experts or would you choose another path/way to do things.

Many thanks for any help,

If I need to give more info let me know.
February 23rd, 2006, 01:22 PM
Tiger Shark

This might help.

It's notes I made while reading a forensics book and it lists tools etc. that you should find helpful... Hopefully all the links are still good.
February 23rd, 2006, 02:20 PM
Cemetric

Thanks Tiger Shark

I'm printing it , I'll read it tonight ...might/will get me some ideas on what to do ;)

.C.
February 23rd, 2006, 02:38 PM
nihil

Hi Cemetric ,

Not sure of the relevance to your particular situation, but you might like to consider the legal implications?

Rules for acceptable evidence, witnesses to the process, secure storage of the original media............that sort of thing?

;)
February 23rd, 2006, 02:56 PM
Cemetric

Hey nihil,

Yeah I know ...but it's not going to come that far ...well I will take my precautions ... Just to be sure "I'm" ok ...But this is just a "small" dispute between an employer and an employee ... The user is not complying to "regulations" ..As far as there are any :rolleyes:

Thanks though ..for the heads-up :)

.C.
February 23rd, 2006, 03:08 PM
Eyecre8

To add to what nihil said:

Quote:

Not sure of the relevance to your particular situation, but you might like to consider the legal implications?

Rules for acceptable evidence, witnesses to the process, secure storage of the original media............that sort of thing?

If this drive that you are imaging is going to be used as real evidence in a court of law, you have to pay SPECIAL attention to handling procedures, chain of custody, and document EVERY little action you take (just like any other sort of evidence). If you neglect to follow even one procedure, it may render any evidence you find worthless and not admisable in the court.

Otherwise, if this is just for learning/practice, I would highly suggest reading a few books (which often include some demo software tools). One of my favorites is 'Computer Forensics: Computer Crime Scene Investigation by John R Vacca.

--->Link to book<---

If you have a few bucks to spare, you may also want to look into Drive Duplicators/imagers.
We use a brand by ICS (Intelligent Computer Systems) called the Imagemaster. Its offers a number of drive copying options. From Sysadmin uses to forensics. Handy tool I tell ya.

ICS Site + Forensics Info
February 23rd, 2006, 04:22 PM
RoadClosed

Perfect opportunity to justify one of these . Something an administrator should not be without if budget affords it. The local law enforcement computer crimes unit I helped set up uses this . Its not just a security tool, it will save your tucas some day. :D
February 23rd, 2006, 06:58 PM
Cemetric

Quote:

Originally posted here by RoadClosed
Perfect opportunity to justify one of these . Something an administrator should not be without if budget affords it. The local law enforcement computer crimes unit I helped set up uses this . Its not just a security tool, it will save your tucas some day. :D

Hmmmm looks very interesting ...but also expensive :D

I'll have to go and look for a tool though ...maybe if I ask real nice :D

.C.
February 23rd, 2006, 07:08 PM
zencoder

Maybe you should try some of the free Live-CD images listed here. Somewhere I have an old "DoD Live-CD" image that was given to me. It had the DoD version of DD, and a VERY minimal framework for a linux bootable CD. Basically, it had enough tools to allow one to boot to this disc, mount a USB or IEEE1394 external hard disk, and dump the entire local hard disk image to the external. Then you don't even have to swap out the drives or anything. That image is pretty old, but the theory is sound. ANY of the live-CDs in the other thread should allow you to do this.
February 23rd, 2006, 07:21 PM
Cemetric

Thanks man ...

I'll definetly check those out ...might be handy ...no fiddling with disks and all ...no danger of destroying the original ...mmmh

Thanks :o

.C.
February 23rd, 2006, 07:30 PM
ByTeWrangler

Greeting's

i've never tried any of the following so I cannot recommend them but you can have a look :

1.FCCU GNU/Linux boot CD 10.0 from the Belgian "Federal Computer Crime Unit"
http://www.lnx4n6.be/index.php?sec=D...ds&page=bootcd

2. Fire from SourceForge
http://fire.dmzs.com/

3.fork from vital data
http://www.vitaldata.com.au/modules/...index.php?id=9

4. http://www.x-ways.net/davory/index-m.html

5. http://www.sleuthkit.org/autopsy/

A GOOD LIST OF TOOLS CAN BE FOUND HERE :
http://www.forensics.nl/toolkits
February 23rd, 2006, 07:40 PM
Cemetric

Man ...good links ... especially the belgian crime unit thing one :D

I'll check them all out ... thanks,

.C.
February 23rd, 2006, 10:23 PM
DjM

I was in a similar situation, where I had to produce evidence re: "child porn". Before I even touched the drive, I called my local law enforcement and consulted with a couple of lawyers. I was informed if I wanted to build a case, and make it stick, the courts would likely only consider it if I used a product called ENCASE . As these types on investigations are few and far between for me I couldn't justify the cost. So I contracted a company that used the product for forensics and went that route. If you feel this issue may end up in front of the courts, you may want to consider this option.

good luck....

Cheers:
February 23rd, 2006, 10:28 PM
Tiger Shark

DJM is absolutely right....

Even if this is an "internal" investigation if it ends up in any form of disciplinary action then the "offender" might take your company to court... At which point your "internal" investigation is elevated to the level of a full blown forensic investigation... Which neither you or I want to be in the witness chair for...

You need to consult with your administration and determine the best course of action... But be up front with them about _your_ limitations... They need that information because they are going to pay the bill if it ends up in court.
February 23rd, 2006, 10:55 PM
nihil

Tiger~ is right................trade unions, industrial tribunals..............whatever............it is a bloody minefield.

You need legal advice, and from a proper lawyer, not some jerk of a manager who knows nothing of the potential complexities.:eek:

The first thing is the AUP...............if that doesn't hold water they are stuffed. You did imply that there were few "formal" policies?

If what has been done is in any way construable as illegal in your part of the world, DO NOT GO NEAR IT unless the competent authorities have been involved, and then you work on THEIR instructions, not those of your managers. It is your career on the line my friend ;)
February 24th, 2006, 07:31 AM
Cemetric

Thanks for all the support ...

The legal matter has been covered since yesterday evening ...I have a relative that is a lawyer... He went out of his way to see what my rights and duties were... So I have that covered now ...

Probably I'll just take the image and have the guy sign me a paper that waves all rights of having me held responsible for any damages, negligence or any other form of wrongdoing or involvement ...the lawyer will draw me up a paper...Then I'll have a look at the image/copy or whatever under the same conditions ...that this is all just non-binding and non-accountable and will not hold up in court if it ever would come to that ...and so on ...

According to my lawyer relative I'm going to be in the clear whatever happens :cool:

If all else fails ..It will just be a consultant job ..meaning ...I'll tell him what he could do and where to go, to get what he wants/needs.

Time will tell ...

Thanks all,

.C.
April 17th, 2006, 03:49 PM
8lgm

Acquiring evidence files using disk cloning techniqiues

HI

i was reading your post on disk cloning... I would just like to point a few things out as this is what i have to do day in day out..

1 where possible removed the suspect disk and use such a device as a write blocker (fastbloc, or tableau device) this blocks the writes to the hard disk when it is fired up.. then use some software such as encase of FTK to create image files this will allow you to demonstrate that you have indeed maintained data continuity . when these image files are created they create and md5 hash which can be used to verify that the data has not been altered.
April 17th, 2006, 03:59 PM
Egaladeist

hi 8lgm,

Welcome to AO! :D

Even though you have something relevant to bring to the thread it is still almost 2 months old...maybe you could write a tutorial if that's something you know a lot about?

Eg ;)