Home page logo

basics logo Security Basics mailing list archives

RE: tools used to examine a computer
From: H C <keydet89 () yahoo com>
Date: Thu, 20 Feb 2003 06:27:35 -0800 (PST)


Copying can change file properties as in MAC details
on the new system  or the destination.  

In the post that you responded to with the above
comment, I specifically stated:

"If one collects the necessary info (ie, MAC times..."

This is important b/c one should take care to preserve
the MAC times on the "victim" system, as a copy
operation will alter the last access time of the file.

In addition, you are correct w/ regards to 'the new
system or the destination'...the file properties will
be 'changed'.  Perhaps more correctly, they will be
*created*, as the file you are copying to the
destination most likely did not previously exist. 

The MAC being changed is the problem.  

Not really.  The issue you brought up was "chain of
evidence" (though you have not really explained what
you were referring to, nor have you described this
"chain of evidence"...how does that differ from "chain
of custody"?)...copying a file is going to change the
MAC times on the "victim" system...we know that.  

Why don't we take a step back.  I'll give you the
opportunity to explain what you mean by "chain of
evidence" and maybe that will clear up the issue a

The original email I was answering didn't discuss 
documenting either or getting the MD5 signature.  

DD will give a bit by bit copy which will give the
same MD5 signatures and is handy if the machine
cannot be rebooted.  

The issue of MD5 signatures is also true for copying,
as well, either using the copy command, or using the
"type" command, and piping the output over a socket.

The disk should be cloned before anything is done on
the machine as in copying files or anything.  

If the disk is cloned, you won't have to copy
files...you'll have cloned disk to work with.  

There is also two other issues to consider...

1.  Not every incident requires a full-out forensics
investigation with the accompanying bit image of the
suspect or 'victim' drive.  The issue of whether or
not an image needs to be made really depends on the
policies of the organization.  Several things need to
be kept in mind...for example, many production systems
measure downtime in hundreds or thousands of dollars
per minute.  In such cases, a great deal of volatile
information can be collected from the 'victim' system
in a forensically sound manner, and that information
can be analyzed and used to make a decision as to
whether or not to accept the expense of shutting down
and imaging a system.  Keep in mind, there are other
costs besides downtime and lost transactions...there's
any fees that have to be paid to
contractors/consultants, etc.

2.  Evidence dynamics -> I'm going to take a page from
Rob Lee and Eoghan Casey on this one...

You're walking down the street, and as you pass a
doorway, you step in something messy. You look down
and see a puddle of blood, and a body in the doorway. 
You call the cops.  The paramedics arrive, examine the
body, attempt to revive the individual, and then cart
them off to the hospital.  Now, even if the 'victim'
dies in the hospital, the cops are still able to
investigate the crime, and ultimately the perp can be
found and prosecuted.

Now, map that to the digital world.  Can it be done? 
Yes.  Does every incident require an image to be made
of the drive?  Maybe not.  Depends on the incident. 
But I would venture to say that no, not every incident
requires that an image be made.  In fact, in many
cases, if the first technical step is to create an
image, then a great deal of valuable data is lost the
instant the system is shut down.

Case in point...someone I once knew thought that a
company system was being subject to misuse...he
suspected that someone had installed SubSeven and was
connecting to it to muck w/ the system.  He shut the
system down and waited for the consultant to come and
make an image of the drive, and then analyze it.  The
consultant found some of the SubSeven files...but so
what?  They had no way of knowing if at the time the
system was shut down, was SubSeven running?  Was
anyone connected to the server?  All of that volatile
information was lost as soon as the system was shut

The key to examining a system isn't so much the tools
as it is the methodology.   

Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, more

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]