Page 2 of 2 FirstFirst 12
Results 11 to 18 of 18

Thread: Disk cloning for evidence

  1. #11
    Greeting's

    i've never tried any of the following so I cannot recommend them but you can have a look :

    1.FCCU GNU/Linux boot CD 10.0 from the Belgian "Federal Computer Crime Unit"
    http://www.lnx4n6.be/index.php?sec=D...ds&page=bootcd


    2. Fire from SourceForge
    http://fire.dmzs.com/



    3.fork from vital data
    http://www.vitaldata.com.au/modules/...index.php?id=9


    4. http://www.x-ways.net/davory/index-m.html

    5. http://www.sleuthkit.org/autopsy/

    A GOOD LIST OF TOOLS CAN BE FOUND HERE :
    http://www.forensics.nl/toolkits
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  2. #12
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Man ...good links ... especially the belgian crime unit thing one

    I'll check them all out ... thanks,

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  3. #13
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    I was in a similar situation, where I had to produce evidence re: "child porn". Before I even touched the drive, I called my local law enforcement and consulted with a couple of lawyers. I was informed if I wanted to build a case, and make it stick, the courts would likely only consider it if I used a product called ENCASE . As these types on investigations are few and far between for me I couldn't justify the cost. So I contracted a company that used the product for forensics and went that route. If you feel this issue may end up in front of the courts, you may want to consider this option.

    good luck....

    Cheers:
    DjM

  4. #14
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    DJM is absolutely right....

    Even if this is an "internal" investigation if it ends up in any form of disciplinary action then the "offender" might take your company to court... At which point your "internal" investigation is elevated to the level of a full blown forensic investigation... Which neither you or I want to be in the witness chair for...

    You need to consult with your administration and determine the best course of action... But be up front with them about _your_ limitations... They need that information because they are going to pay the bill if it ends up in court.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #15
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Tiger~ is right................trade unions, industrial tribunals..............whatever............it is a bloody minefield.

    You need legal advice, and from a proper lawyer, not some jerk of a manager who knows nothing of the potential complexities.

    The first thing is the AUP...............if that doesn't hold water they are stuffed. You did imply that there were few "formal" policies?

    If what has been done is in any way construable as illegal in your part of the world, DO NOT GO NEAR IT unless the competent authorities have been involved, and then you work on THEIR instructions, not those of your managers. It is your career on the line my friend

  6. #16
    Senior Member Cemetric's Avatar
    Join Date
    Oct 2002
    Posts
    491
    Thanks for all the support ...

    The legal matter has been covered since yesterday evening ...I have a relative that is a lawyer... He went out of his way to see what my rights and duties were... So I have that covered now ...

    Probably I'll just take the image and have the guy sign me a paper that waves all rights of having me held responsible for any damages, negligence or any other form of wrongdoing or involvement ...the lawyer will draw me up a paper...Then I'll have a look at the image/copy or whatever under the same conditions ...that this is all just non-binding and non-accountable and will not hold up in court if it ever would come to that ...and so on ...

    According to my lawyer relative I'm going to be in the clear whatever happens

    If all else fails ..It will just be a consultant job ..meaning ...I'll tell him what he could do and where to go, to get what he wants/needs.

    Time will tell ...

    Thanks all,

    .C.
    Back when I was a boy, we carved our own IC's out of wood.

  7. #17
    Junior Member
    Join Date
    Apr 2006
    Posts
    11

    Acquiring evidence files using disk cloning techniqiues

    HI

    i was reading your post on disk cloning... I would just like to point a few things out as this is what i have to do day in day out..


    1 where possible removed the suspect disk and use such a device as a write blocker (fastbloc, or tableau device) this blocks the writes to the hard disk when it is fired up.. then use some software such as encase of FTK to create image files this will allow you to demonstrate that you have indeed maintained data continuity . when these image files are created they create and md5 hash which can be used to verify that the data has not been altered.

  8. #18
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    hi 8lgm,

    Welcome to AO!

    Even though you have something relevant to bring to the thread it is still almost 2 months old...maybe you could write a tutorial if that's something you know a lot about?

    Eg

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •