Security Basics mailing list archives
RE: tools used to examine a computer
From: H C <keydet89 () yahoo com>
Date: Thu, 20 Feb 2003 06:27:35 -0800 (PST)
Trevor,
> Copying can change file properties as in MAC details on the new system or the destination.
In the post that you responded to with the above comment, I specifically stated: "If one collects the necessary info (ie, MAC times..." This is important b/c one should take care to preserve the MAC times on the "victim" system, as a copy operation will alter the last access time of the file. In addition, you are correct w/ regards to 'the new system or the destination'...the file properties will be 'changed'. Perhaps more correctly, they will be *created*, as the file you are copying to the destination most likely did not previously exist.
> The MAC being changed is the problem.
Not really. The issue you brought up was "chain of evidence" (though you have not really explained what you were referring to, nor have you described this "chain of evidence"...how does that differ from "chain of custody"?)...copying a file is going to change the MAC times on the "victim" system...we know that. Why don't we take a step back. I'll give you the opportunity to explain what you mean by "chain of evidence" and maybe that will clear up the issue a bit.
> The original email I was answering didn't discuss documenting either or getting the MD5 signature.

> DD will give a bit by bit copy which will give the same MD5 signatures and is handy if the machine cannot be rebooted.
The issue of MD5 signatures is also true for copying, as well, either using the copy command, or using the "type" command, and piping the output over a socket.
> The disk should be cloned before anything is done on the machine as in copying files or anything.
If the disk is cloned, you won't have to copy files...you'll have a cloned disk to work with. There are also two other issues to consider...

1. Not every incident requires a full-out forensics investigation with the accompanying bit image of the suspect or 'victim' drive. The issue of whether or not an image needs to be made really depends on the policies of the organization. Several things need to be kept in mind...for example, many production systems measure downtime in hundreds or thousands of dollars per minute. In such cases, a great deal of volatile information can be collected from the 'victim' system in a forensically sound manner, and that information can be analyzed and used to make a decision as to whether or not to accept the expense of shutting down and imaging a system. Keep in mind, there are other costs besides downtime and lost transactions...there are any fees that have to be paid to contractors/consultants, etc.

2. Evidence dynamics -> I'm going to take a page from Rob Lee and Eoghan Casey on this one... You're walking down the street, and as you pass a doorway, you step in something messy. You look down and see a puddle of blood, and a body in the doorway. You call the cops. The paramedics arrive, examine the body, attempt to revive the individual, and then cart them off to the hospital. Now, even if the 'victim' dies in the hospital, the cops are still able to investigate the crime, and ultimately the perp can be found and prosecuted. Now, map that to the digital world. Can it be done? Yes. Does every incident require an image to be made of the drive? Maybe not. Depends on the incident. But I would venture to say that no, not every incident requires that an image be made. In fact, in many cases, if the first technical step is to create an image, then a great deal of valuable data is lost the instant the system is shut down.

Case in point...someone I once knew thought that a company system was being subject to misuse...he suspected that someone had installed SubSeven and was connecting to it to muck w/ the system. He shut the system down and waited for the consultant to come and make an image of the drive, and then analyze it. The consultant found some of the SubSeven files...but so what? They had no way of knowing if, at the time the system was shut down, SubSeven was running. Was anyone connected to the server? All of that volatile information was lost as soon as the system was shut down. The key to examining a system isn't so much the tools as it is the methodology.
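The point made above about copying versus MAC times and MD5 signatures can be shown in a few lines. The following is an added example written for this archive page; it is not code from the original poster or from the thread. It constructs a throwaway file with week-old timestamps to stand in for a file on the 'victim' system, records the file's MAC times and digests before touching it, copies it into an evidence location, then verifies the digest on the copy and reports which timestamp fields the copy changed. It shows both a plain content copy (`shutil.copyfile`, fresh timestamps on the destination) and a metadata-preserving copy (`shutil.copy2`, which carries atime/mtime across but can never set ctime). The file and directory names are assumptions of the example, and SHA-256 is recorded alongside MD5 because MD5 is what the thread discusses but is no longer what one would rely on alone.

```python
import hashlib
import os
import shutil
import tempfile
import time

CHUNK = 65536


def file_digests(path):
    """Hash the file contents in one pass: MD5 (the signature discussed in the
    thread) plus SHA-256, which is what you would record alongside it today."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def mac_times(path):
    """Modified / Accessed / Changed timestamps as os.stat reports them."""
    st = os.stat(path)
    return {"modified": st.st_mtime, "accessed": st.st_atime, "changed": st.st_ctime}


def collect_file(src, dst, preserve_times=False):
    """Record the source file's MAC times and digests *before* touching it, copy
    it, then verify the copy and report which timestamp fields differ."""
    # Stat first: reading the file to hash it is itself an access and, depending
    # on mount options (atime/relatime/noatime), may update the source atime.
    source_record = {"mac": mac_times(src), "digest": file_digests(src)}
    if preserve_times:
        shutil.copy2(src, dst)      # content plus atime/mtime; ctime cannot be set
    else:
        shutil.copyfile(src, dst)   # content only; destination gets fresh timestamps
    destination_record = {"mac": mac_times(dst), "digest": file_digests(dst)}
    return {
        "content_identical": source_record["digest"] == destination_record["digest"],
        "source_record": source_record,
        # What our own collection did to the source; this belongs in the notes.
        "source_times_after_collection": mac_times(src),
        "destination_record": destination_record,
        "changed_fields": sorted(
            k for k in source_record["mac"]
            if source_record["mac"][k] != destination_record["mac"][k]
        ),
    }


def demo(preserve_times=False):
    """Constructed sample: a file with week-old timestamps standing in for a
    file on the 'victim' system, copied into an evidence location (assumed names)."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "victim_file.txt")
        dst = os.path.join(workdir, "evidence_copy.txt")
        with open(src, "wb") as fh:
            fh.write(b"constructed sample evidence file\n")
        week_ago = time.time() - 7 * 24 * 3600
        os.utime(src, (week_ago, week_ago))  # backdate atime and mtime
        return collect_file(src, dst, preserve_times)


if __name__ == "__main__":
    for preserve in (False, True):
        report = demo(preserve)
        print("preserve_times=%s content_identical=%s changed_fields=%s"
              % (preserve, report["content_identical"], report["changed_fields"]))
```

Run it and the content digests match in both modes, which is the 'copying preserves the MD5 signature' half of the thread; the `changed_fields` list is the other half: with a plain copy the destination's modified time is new, and in both modes the ctime is whatever the evidence system assigned, because no copy operation can carry it over. The `source_record` taken before the copy is the part that has to be written down first.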