-
February 23rd, 2006, 01:15 PM
#1
Disk cloning for evidence
Hello all,
I need to take a copy or better yet a "cloning" of a HDD to search for evidence and other things.
Of course this needs to be done without touching the timestamps on the original HDD. I'll put the clone back in the machine and take the original along.
Afterwards I'll put it in another machine and copy it again to work off that copy and leave the original alone...
Then I'll hang that copy as a slave and investigate it.
The Computer has Win98 as OS.
Now ...my questions:
1- Does anyone know any good Disk cloning tools or would Symantec Ghost be ok ?
2- What tools do I use for searching the disk for evidence ...It's not hacked ...it's just to see the surfing and chatting habits of someone. (it's not illegal, the pc is not this person's property but belongs to the person that gave me this "job" and is owner of this PC) and confront him/her with it.
3- Does the way I plan to do this look ok to you forensic experts or would you choose another path/way to do things.
Many thanks for any help,
If I need to give more info let me know.
Back when I was a boy, we carved our own IC's out of wood.
-
February 23rd, 2006, 01:22 PM
#2
This might help.
It's notes I made while reading a forensics book and it lists tools etc. that you should find helpful... Hopefully all the links are still good.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
February 23rd, 2006, 02:20 PM
#3
Thanks Tiger Shark
I'm printing it, I'll read it tonight ...might/will get me some ideas on what to do
.C.
Back when I was a boy, we carved our own IC's out of wood.
-
February 23rd, 2006, 02:38 PM
#4
Hi Cemetric ,
Not sure of the relevance to your particular situation, but you might like to consider the legal implications?
Rules for acceptable evidence, witnesses to the process, secure storage of the original media............that sort of thing?
-
February 23rd, 2006, 02:56 PM
#5
Hey nihil,
Yeah I know ...but it's not going to come that far ...well I will take my precautions ... Just to be sure "I'm" ok ...But this is just a "small" dispute between an employer and an employee ... The user is not complying with "regulations" ..As far as there are any
Thanks though ..for the heads-up
.C.
Back when I was a boy, we carved our own IC's out of wood.
-
February 23rd, 2006, 03:08 PM
#6
To add to what nihil said:
Not sure of the relevance to your particular situation, but you might like to consider the legal implications?
Rules for acceptable evidence, witnesses to the process, secure storage of the original media............that sort of thing?
If this drive that you are imaging is going to be used as real evidence in a court of law, you have to pay SPECIAL attention to handling procedures, chain of custody, and document EVERY little action you take (just like any other sort of evidence). If you neglect to follow even one procedure, it may render any evidence you find worthless and not admissible in the court.
Otherwise, if this is just for learning/practice, I would highly suggest reading a few books (which often include some demo software tools). One of my favorites is 'Computer Forensics: Computer Crime Scene Investigation' by John R Vacca.
--->Link to book<---
If you have a few bucks to spare, you may also want to look into Drive Duplicators/imagers.
We use a brand by ICS (Intelligent Computer Systems) called the Imagemaster. It offers a number of drive copying options. From Sysadmin uses to forensics. Handy tool I tell ya.
ICS Site + Forensics Info
%42%75%75%75%75%72%70%21%00
-
February 23rd, 2006, 04:22 PM
#7
Perfect opportunity to justify one of these. Something an administrator should not be without if budget affords it. The local law enforcement computer crimes unit I helped set up uses this. It's not just a security tool, it will save your tucas some day.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
February 23rd, 2006, 06:58 PM
#8
Back when I was a boy, we carved our own IC's out of wood.
-
February 23rd, 2006, 07:08 PM
#9
Maybe you should try some of the free Live-CD images listed here. Somewhere I have an old "DoD Live-CD" image that was given to me. It had the DoD version of DD, and a VERY minimal framework for a linux bootable CD. Basically, it had enough tools to allow one to boot to this disc, mount a USB or IEEE1394 external hard disk, and dump the entire local hard disk image to the external. Then you don't even have to swap out the drives or anything. That image is pretty old, but the theory is sound. ANY of the live-CDs in the other thread should allow you to do this.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
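The acquisition described in post #9 (dumping the local disk to an external disk with dd from a live CD), combined with the record-keeping urged in post #6, as an added example that is not part of any poster's message. The device path and file names are placeholders, and it assumes `sha256sum` is available on the boot CD.

```shell
#!/bin/sh
# Added example. Usage (paths are placeholders, not from the thread):
#   sh acquire.sh /dev/sdX /mnt/external/case.dd /mnt/external/case.log
# The source is only ever opened for reading and is never mounted.

hash_of() {
    # Print just the SHA-256 hex digest of a file or block device.
    sha256sum "$1" | cut -d' ' -f1
}

acquire_image() {
    src=$1; img=$2; log=$3
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 2; fi

    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    before=$(hash_of "$src")
    # conv=noerror,sync zero-fills an unreadable sector instead of dropping
    # it, so later offsets stay aligned. bs=512 keeps that padding to one
    # sector and never pads a whole-sector device; it is slow but exact.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 2
    chmod 0444 "$img"            # guard the working image against edits
    copy=$(hash_of "$img")
    after=$(hash_of "$src")      # proves the original was not altered

    {
        echo "started (UTC):        $started"
        echo "finished (UTC):       $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:               $src"
        echo "image:                $img"
        echo "source sha256 before: $before"
        echo "image sha256:         $copy"
        echo "source sha256 after:  $after"
    } >>"$log"

    # Succeed only if the image matches and the source is unchanged.
    [ -n "$before" ] && [ "$before" = "$copy" ] && [ "$before" = "$after" ]
}

if [ "$#" -eq 3 ]; then
    acquire_image "$@"
fi
```

A non-zero exit means the image does not match the source or the source hash changed during the copy; a drive with unreadable sectors will also report a mismatch, because the zero-filled sectors differ from whatever a later read returns.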
-
February 23rd, 2006, 07:21 PM
#10
Thanks man ...
I'll definitely check those out ...might be handy ...no fiddling with disks and all ...no danger of destroying the original ...mmmh
Thanks
.C.
Back when I was a boy, we carved our own IC's out of wood.