Home page logo

basics logo Security Basics mailing list archives

RE: tools used to examine a computer
From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Wed, 19 Feb 2003 17:35:20 -0000

DD is not copying.  Copying can change file properties as in MAC details
on the new system  or the destination.  The MAC being changed is the
problem.  The original email I was answering didn't discuss documenting
either or getting the MD5 signature.  DD will give a bit by bit copy
which will give the same MD5 signatures and is handy if the machine
cannot be rebooted.  The disk should be cloned before anything is done
on the machine as in copying files or anything.  The document I refered
to gave a way of doing that and is accepted by law enforcement once you
have the MD5 signature.

Trevor Cushen
Sysnet Ltd

Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com] 
Sent: 18 February 2003 18:02
To: Trevor Cushen
Cc: security-basics () securityfocus com
Subject: RE: tools used to examine a computer

Also on the point of copying files over the network
first, correct me if
I'm wrong but that damages the chain of evidence.

Now so?  If one collects the necessary info (ie, MAC
times, NTFS ADSs, permissions, full path, etc), hashes
the file (MD5 and/or SHA-1), and then copies the file
over the network using something like 'dd' or type,
and netcat/cryptcat, how is the chain of evidence
broken?  Especially if it's documented?

Have a look at the
link below, goes about it a bit long winded but
essentially shows how to
clone a hard drive over a network connection.  This
can be done with
Windows machines as DD and Netcat can be run from
floppy on a Windows machine.

I'm not sure what you're getting at...first you make a reference to
breaking the chain of evidence by copying a file, but then you talk
about cloning an os over the network using dd and netcat.  Wouldn't
doing so also break your chain of evidence, if your reasoning is to


Do you Yahoo!?
Yahoo! Shopping - Send Flowers for Valentine's Day


This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or entity to whom they are addressed. 

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]