Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Forensic disk duplication modifies the evidence hard disk

from [Nick Willey] Network Security [Permanent Link]
Subject: RE: Forensic disk duplication modifies the evidence hard disk
Date: Fri, 27 May 2005 13:26:07 -0400 

This is a very interesting paper.  I understand that the paper is written
from the perspective of an investigator trying to track an attacker without
the attacker knowing, but how does this present a problem for forensics
analysis?  How would this affect the admissibility of the evidence in court?
Can't the changing SMART values be explained to a court as necessary for the
device to power on?  Also, since the values are read-only, is the integrity
of the evidence tainted by powering on the device and creating an image?

I'm not trying to be critical, I'm just trying to understand more about how
this will affect the forensics community.  I really enjoyed reading this
paper. 

Nick   

-----Original Message-----
From: Steven McLeod [mailto:steven.mcleod@ozemail.com.au] 
Sent: Friday, May 27, 2005 7:22 AM
To: forensics@securityfocus.com
Subject: Forensic disk duplication modifies the evidence hard disk


SMART Anti-Forensics

This paper highlights an oversight in the current industry best practice
procedure for forensically duplicating a hard disk.  A discussion is
provided which demonstrates that although the forensic duplication process
may not directly modify data on the evidence hard disk, a hard disk will
usually modify itself during the forensic duplication process.

The paper highlights some consequences, for example that an attacker who has
compromised the computer containing the hard disk can programmatically
detect that the hard disk has been forensically duplicated, or otherwise
powered on and accessed via a mechanism other than via the operating system
installed on the hard disk.

Suggestions are provided to help minimise the changes made to the hard disk
during the forensic duplication process.  These suggestions minimise the
likelihood that an attacker will notice the system administrator or forensic
analyst performing an investigation of the suspected compromised computer.

http://members.ozemail.com.au/~steven.mcleod/SMART_Anti_Forensics.pdf



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking
system please see: http://aris.securityfocus.com




-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Forensic disk duplication modifies the evidence hard disk, Brian Carrier
Next by Date:  Re: Forensic disk duplication modifies the evidence hard disk, Dr. Marc Rogers
Previous by Thread:  Re: Forensic disk duplication modifies the evidence hard disk, Brian Carrier
Next by Thread:  Re: Forensic disk duplication modifies the evidence hard disk, Thierry Zoller
Indexes:  [Date] [Thread] [Top] [All Lists]