Security Basics mailing list archives

RE: Copying HDDs for forensic purposes?
From: jay.stapleton () mnr gov on ca
Date: Mon, 17 Nov 2003 13:33:11 -0500

Best practice I've used is to boot off a Knoppix CD with a second hard drive
in the machine, mounted as /mnt.  Then from a command prompt
`dd if=/dev/hda1 of=/mnt/drive.img`. Do this for each partition you want to image.

After you have the copy, you can remove the original drive, and mount the
img file by using loopback, `mount /mnt/drive.img /mnt2 -o loop,ro` I
believe is the syntax for a read-only loopback.
Substitute paths as needed.

-Jay S.

-----Original Message-----
From: Spencer D'oro [mailto:sdoro () comcast net]
Sent: Saturday, November 15, 2003 1:09 PM
To: security-basics () securityfocus com
Subject: Copying HDDs for forensic purposes?


Hello to all,

I am interested in forensic examinations of hard drives.  In the little
material I have seen, the authors state that no examination should be made
of an original device; that instead a copy should be made and all
examinations made to that device.  My question is this:  If you make a copy
of the hard drive, does it copy the sectors that had recently deleted files
or does it just mark them as blank in the partition table of the new drive?
What if the source is physically damaged?  Or do you need a special utility
to get the "erased" data?  Thanks in advance for the help.

Spencer
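
Added example, not part of either post: the dd imaging step from the reply with an integrity check, run on a constructed file standing in for /dev/hda1 so it needs no root. It shows that dd copies every sector, including bytes no file system entry references (the deleted-files question), and records a SHA-256 digest so later changes to the image are detectable. The function names, the marker string and the use of sha256sum are assumptions of this example.

```shell
#!/bin/sh
# Added example. A regular file stands in for the evidence partition so this
# runs without root; on a real acquisition SRC would be a device such as the
# post's /dev/hda1 and IMG a path on the second drive.

# make_sample_source FILE: constructed 64-sector "partition" of zeros with a
# marker at sector 40, i.e. bytes that no file system entry points to.
make_sample_source() {
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
    printf 'DELETED-FILE-CONTENT' | dd of="$1" bs=512 seek=40 conv=notrunc 2>/dev/null
}

# image_and_verify SRC IMG: sector-by-sector copy, then compare SHA-256 digests.
image_and_verify() {
    src=$1; img=$2
    # conv=noerror,sync: continue past read errors and zero-pad the failed
    # block so later offsets in the image still line up with the source.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 2
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    # Record the digest next to the image for later integrity checks.
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG: fail if the image no longer matches its recorded digest.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# read_at IMG SECTOR LEN: print LEN bytes from the start of SECTOR.
read_at() {
    dd if="$1" bs=512 skip="$2" count=1 2>/dev/null | head -c "$3"
}

# Demo on the constructed sample.
work=$(mktemp -d)
make_sample_source "$work/src.bin"
image_and_verify "$work/src.bin" "$work/drive.img" && echo "digests match"
echo "image sector 40: $(read_at "$work/drive.img" 40 20)"
verify_image "$work/drive.img" && echo "image unchanged since acquisition"
rm -rf "$work"
```

On a source with unreadable sectors the zero-padded image will not hash the same as the device, so the digest recorded at acquisition time is the reference for all later checks of the image.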

