
Re: Forensic disk duplication modifies the evidence hard disk

Subject: Re: Forensic disk duplication modifies the evidence hard disk
Date: Fri, 27 May 2005 21:46:23 -0500
On Friday 27 May 2005 06:21, Steven McLeod wrote:
SMART Anti-Forensics

This paper highlights an oversight in the current industry best practice
procedure for forensically duplicating a hard disk.  A discussion is
provided which demonstrates that although the forensic duplication process
may not directly modify data on the evidence hard disk, a hard disk will
usually modify itself during the forensic duplication process.

The paper highlights some consequences, for example that an attacker who
has compromised the computer containing the hard disk can programmatically
detect that the hard disk has been forensically duplicated, or otherwise
powered on and accessed via a mechanism other than via the operating system
installed on the hard disk.

Suggestions are provided to help minimise the changes made to the hard disk
during the forensic duplication process.  These suggestions minimise the
likelihood that an attacker will notice the system administrator or
forensic analyst performing an investigation of the suspected compromised
computer.

http://members.ozemail.com.au/~steven.mcleod/SMART_Anti_Forensics.pdf



Interesting...

Heisenberg's Uncertainty Principle applied to hard disks.
("You cannot measure/observe something without changing that which you are 
measuring/observing.")

Given that, the act of observing the disk changes the disk. The act of 
observing the change changes the change. The act of observing _that_ changes 
changes _that_ change. (ad infinitum...) Therefore, there is no method by 
which you can observe a disk without leaving some trace.

Then, if the change(s) is/are mitigated sufficiently, is the final result 
change measurable?

Yes, it's very interesting, but I'm starting to get a headache...

-- 
Clinton E. Troutman
CeTro
Independent Computer Consultant for Home,
  Home Office, and Small Business in Fort Worth, Texas
http://cetro.dnsalias.org/
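As an added illustration (not code from the paper or from this list post), one way an examiner can document the self-modification the quoted abstract describes: snapshot the drive's SMART attribute table before and after acquisition and diff the two, so that counters the drive updated on power-up are recorded rather than left unexplained. The snapshots below are constructed in the layout of `smartctl -A` output; parse_smart_table and diff_smart are this example's own names.

```python
"""Record SMART attributes before and after imaging so the drive's own
counter updates (power cycles, power-on hours) are documented rather
than unexplained. Snapshots are constructed in the layout of
`smartctl -A` output; function names are this example's own."""
import re

# Constructed sample: attribute table captured before acquisition.
BEFORE = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       57
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       1234
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       57
"""
# Constructed sample: same table after imaging (one power-up, ~2 h of reads).
AFTER = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  4 Start_Stop_Count        0x0032   100   100   000    Old_age   Always       -       58
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       1236
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       58
"""

# id, name, flag, value, worst, thresh, type, updated, when_failed, raw (leading digits)
ATTR_LINE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+0x[0-9a-fA-F]+\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+(\d+)")

def parse_smart_table(text):
    """Return {attr_id: (name, normalized_value, raw_value)}; header and blank lines are skipped."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            attr_id, name, value, _worst, _thresh, raw = m.groups()
            attrs[int(attr_id)] = (name, int(value), int(raw))
    return attrs

def diff_smart(before_text, after_text):
    """List (id, name, raw_before, raw_after) for attributes whose raw value changed or appeared/vanished."""
    before, after = parse_smart_table(before_text), parse_smart_table(after_text)
    changes = []
    for attr_id in sorted(set(before) | set(after)):
        b, a = before.get(attr_id), after.get(attr_id)
        if b is None or a is None or b[2] != a[2]:
            changes.append((attr_id, (a or b)[0], b and b[2], a and a[2]))
    return changes

if __name__ == "__main__":
    for attr_id, name, raw_b, raw_a in diff_smart(BEFORE, AFTER):
        print(f"{attr_id:3d} {name:<20} {raw_b} -> {raw_a}")
```

Whether the table can be read at all during acquisition depends on the write blocker passing SMART commands through to the drive, so the "before" snapshot may have to be taken on first power-up and noted as such.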

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
