On 03/Aug/03 12:33 +1000, devnull_at_iprimus.com.au wrote:
> On Sun, 3 Aug 2003 01:38 am, Jennifer Bradley wrote:
>
> > If this happens again, I would probably make a copy of the hard drive,
> > or at the very least the log files since they can be entered as
> > evidence of a hacked box.
>
> Under most jurisdictions, an ordinary disk image produced by Norton Ghost etc
> using standard hardware is completely inadmissible in court, as it is
> impossible to make one without possibly compromising the integrity of the
> evidence. The police etc use specialised hardware for making such copies,
> which ensures that the disk can't have been altered.

Getting evidence by reading (via any software or hardware solution)
may compromise the integrity of the evidence. I would like to know the
difference between, for example, a (s)dd and the specialised hardware
that you talk about? Do you have any references?

Preserving the scene integrity is really difficult. You have to
minimize the intrusion to the scene. On computer hardware it is really
difficult... Using a hardware device that doesn't change the scene too
much is difficult... (think of a compromised disk firmware).

And the worst, sometimes we see something that doesn't exist at
all. Forensic analysis is the land of illusion...

just my .02 EUR.

adulau
--
-- Alexandre Dulaunoy (adulau) -- http://www.foo.be/
-- http://pgp.ael.be:11371/pks/lookup?op=get&search=0x44E6CBCD
-- "Knowledge can create problems, it is not through ignorance
-- that we can solve them" Isaac Asimov
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Aug 03 2003