Disk cloning for evidence

Thread: Disk cloning for evidence

  1. #1
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491

    Disk cloning for evidence

    Hello all,

    I need to take a copy or better yet a "cloning" of a HDD to search for evidence and other things.

    Of course this needs to be done without touching the timestamps on the original HDD, I'll put the clone back in the machine and take the original along.

    Afterwards I'll put it in another machine and copy it again to work off that copy and leave the original alone...

    Then I'll hang that copy as a slave and investigate it.

    The Computer has Win98 as OS.

    Now ...my questions:

    1- Does anyone know any good Disk cloning tools or would Symantec Ghost be ok ?

    2- What tools do I use for searching the disk for evidence ...It's not hacked ...it's just to see the surfing and chatting habits of someone. (it's not illegal the pc is not this persons property but from the person that gave me this "job" and is owner of this PC) and confront him/her with it.

    3- Does the way I plan to do this look ok to you forensic experts or would you choose another path/way to do things.

    Many thanks for any help,

    If I need to give more info let me know.
    Back when I was a boy, we carved our own IC's out of wood.

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    This might help.

    It's notes I made while reading a forensics book and it lists tools etc. that you should find helpful... Hopefully all the links are still good.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Thanks Tiger Shark

    I'm printing it , I'll read it tonight ...might/will get me some ideas on what to do

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,191
    Hi Cemetric ,

    Not sure of the relevance to your particular situation, but you might like to consider the legal implications?

    Rules for acceptable evidence, witnesses to the process, secure storage of the original media............that sort of thing?

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Hey nihil,

    Yeah I know ...but it's not going to come that far ...well I will take my precautions ... Just to be sure "I'm" ok ...But this is just a "small" dispute between an employer and an employee ... The user is not complying to "regulations" ..As far as there are any

    Thanks though ..for the heads-up

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  6. #6
    Member
    Join Date
    Sep 2005
    Posts
    77
    To add to what nihil said:
    Not sure of the relevance to your particular situation, but you might like to consider the legal implications?

    Rules for acceptable evidence, witnesses to the process, secure storage of the original media............that sort of thing?
    If this drive that you are imaging is going to be used as real evidence in a court of law, you have to pay SPECIAL attention to handling procedures, chain of custody, and document EVERY little action you take (just like any other sort of evidence). If you neglect to follow even one procedure, it may render any evidence you find worthless and not admissible in the court.

    Otherwise, if this is just for learning/practice, I would highly suggest reading a few books (which often include some demo software tools). One of my favorites is 'Computer Forensics: Computer Crime Scene Investigation' by John R Vacca.

    --->Link to book<---

    If you have a few bucks to spare, you may also want to look into Drive Duplicators/imagers.
    We use a brand by ICS (Intelligent Computer Systems) called the Imagemaster. It offers a number of drive copying options. From Sysadmin uses to forensics. Handy tool I tell ya.

    ICS Site + Forensics Info
    %42%75%75%75%75%72%70%21%00

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Perfect opportunity to justify one of these . Something an administrator should not be without if budget affords it. The local law enforcement computer crimes unit I helped set up uses this . It's not just a security tool, it will save your tucas some day.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  8. #8
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Originally posted here by RoadClosed
    Perfect opportunity to justify one of these . Something an administrator should not be without if budget affords it. The local law enforcement computer crimes unit I helped set up uses this . It's not just a security tool, it will save your tucas some day.
    Hmmmm looks very interesting ...but also expensive

    I'll have to go and look for a tool though ...maybe if I ask real nice

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  9. #9
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Maybe you should try some of the free Live-CD images listed here. Somewhere I have an old "DoD Live-CD" image that was given to me. It had the DoD version of DD, and a VERY minimal framework for a linux bootable CD. Basically, it had enough tools to allow one to boot to this disc, mount a USB or IEEE1394 external hard disk, and dump the entire local hard disk image to the external. Then you don't even have to swap out the drives or anything. That image is pretty old, but the theory is sound. ANY of the live-CDs in the other thread should allow you to do this.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  10. #10
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Thanks man ...

    I'll definitely check those out ...might be handy ...no fiddling with disks and all ...no danger of destroying the original ...mmmh

    Thanks


    .C.
    Back when I was a boy, we carved our own IC's out of wood.
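
The live-CD acquisition described in post #9 (boot from the CD, dump the local disk to an external drive with dd), as an added example that is not part of the thread or from any poster. It goes one step further and records SHA-256 hashes and a small log so the copy can be shown to match the source; the function names, file paths and the device name are assumptions.

```shell
#!/bin/sh
# Added example: copy a source to an image file and prove the copy matches.
# On a live CD the source would be the whole-disk device node (name assumed,
# e.g. /dev/sda); a regular file works the same way for a dry run.

hash_of() {
    # Print only the SHA-256 hex digest of a file or device.
    sha256sum "$1" | awk '{print $1}'
}

acquire_image() {
    src=$1; img=$2; log="$img.log"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    # Refuse to overwrite an earlier acquisition.
    if [ -e "$img" ]; then echo "$img already exists" >&2; return 3; fi

    start=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    src_hash=$(hash_of "$src")
    [ -n "$src_hash" ] || return 4

    # dd opens the source via if= for reading only; all writes go to of=.
    dd if="$src" of="$img" bs=64k 2>>"$log" || return 5
    sync

    img_hash=$(hash_of "$img")
    chmod 0444 "$img"   # later working copies are made from this file

    {
        echo "acquired_utc=$start"
        echo "source=$src"
        echo "image=$img"
        echo "source_sha256=$src_hash"
        echo "image_sha256=$img_hash"
    } >>"$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "result=MATCH" >>"$log"; return 0
    fi
    echo "result=MISMATCH" >>"$log"; return 1
}

# Usage: sh acquire.sh <source> <image>
if [ "$#" -eq 2 ]; then acquire_image "$1" "$2"; fi
```

The image file should be written to the external disk, never to a partition on the drive being imaged.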
