Security Basics mailing list archives

RE: Copying HDDs for forensic purposes?
From: "Suramya" <security () suramya com>
Date: Tue, 18 Nov 2003 14:09:59 -0500

 All forensic software makes an exact byte by byte copy of the drive
starting with track 0 sec 0 all the way to the end. This way the new
disk has everything the original drive had. Doing a byte by byte copy
allows the system to copy the sectors which have recently deleted files
in them as opposed to marking them as blank. 

 If the drive is physically damaged then it becomes harder to recover
data but not impossible. In my experience Norton Ghost has a hard time
imaging a damaged hard-drive. 

 Hope this helps.

- Suramya
-----Original Message-----
From: Spencer D'oro [mailto:sdoro () comcast net] 
Sent: Saturday, November 15, 2003 12:09 PM
To: security-basics () securityfocus com
Subject: Copying HDDs for forensic purposes?

Hello to all,

I am interested in forensic examinations of hard drives.  In the little
material I have seen, the authors state that no examination should be
made of an original device; that instead a copy should be made and all
examinations made to that device.  My question is this:  If you make a
copy of the hard drive, does it copy the sectors that had recently
deleted files or does it just mark them as blank in the partition table
of the new drive? What if the source is physically damaged?  Or do you
need a special utility to get the "erased" data?  Thanks in advance for
the help.
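
The sector-by-sector copy discussed in this thread, as an added example that is not part of either post and is not the code of any imaging product: it copies every sector from offset 0 to the end, so data left behind by a deleted file ends up in the image, and it zero-fills and records sectors that cannot be read. Assumptions: a 512-byte sector size, a constructed 8-sector disk held in memory, and the hypothetical names `FlakyDisk`, `image_disk` and `build_sample_disk`.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size

class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a damaged drive: reads of listed sectors fail."""
    def __init__(self, data, bad_sectors=()):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        if self.tell() // SECTOR in self.bad_sectors:
            raise OSError("simulated unreadable sector")
        return super().read(size)

def image_disk(src, dst, total_size):
    """Copy src to dst sector by sector from offset 0 to the end.

    Unreadable sectors are zero-filled so later offsets stay aligned, and their
    numbers are returned with the SHA-256 of the image that was written.
    """
    digest = hashlib.sha256()
    unreadable = []
    for offset in range(0, total_size, SECTOR):
        want = min(SECTOR, total_size - offset)
        try:
            src.seek(offset)
            block = src.read(want)
        except OSError:
            unreadable.append(offset // SECTOR)
            block = b""
        block = block.ljust(want, b"\x00")  # pad failed or short reads
        dst.write(block)
        digest.update(block)
    return digest.hexdigest(), unreadable

def build_sample_disk():
    """Constructed 8-sector disk: sector 3 holds data from a 'deleted' file."""
    sectors = [bytes(SECTOR) for _ in range(8)]
    sectors[0] = b"TABLE: sector 3 = free".ljust(SECTOR, b"\x00")
    sectors[3] = b"contents of a recently deleted memo".ljust(SECTOR, b"\x00")
    sectors[5] = b"data on a sector that has gone bad".ljust(SECTOR, b"\x00")
    return b"".join(sectors)

if __name__ == "__main__":
    disk, image = build_sample_disk(), io.BytesIO()
    sha, bad = image_disk(FlakyDisk(disk, bad_sectors=[5]), image, len(disk))
    print("sha256:", sha, "unreadable sectors:", bad)
    print("deleted data in image:", b"deleted memo" in image.getvalue())
```
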

