Full Disclosure mailing list archives
Re: Reacting to a server compromise
From: David Hayes <david.hayes () mci com>
Date: Tue, 5 Aug 2003 14:15:12 -0500
Our old standby, "dd", is perfectly acceptable for making an image of a hard drive to be used in court. It's even the #1 choice of the FBI, and accepted by U.S. federal courts.

From the trial court order on admission of evidence in the case of Zacarias Moussaoui (the accused 20th hijacker of 9/11):

Authentication

The foundation of standby counsel's discovery requests regarding the computer and e-mail evidence rests upon their complaints regarding the "authentication" of the hard drives provided in discovery. "Authentication" in this context means the process of ensuring that the duplicate of the hard drive provided in discovery is an exact copy of what the FBI originally acquired. As FBI Supervisory Special Agent Dara Sewell explains in her attached affidavit, the FBI uses three different methods to duplicate or image a hard drive:

(1) GNU/Linux routine dd command via Red Hat Linux 7.1 (hereafter "Linux dd");
(2) Safeback version 2.18 imaging software by New Technologies (hereafter "Safeback");
(3) Solitaire Forensics Kit, SFK-000A hand-held disk duplicator by Logicube, Inc.

http://notablecases.vaed.uscourts.gov/1:01-cr-00455/docs/68092/0.pdf

--
David Hayes
Network Security Operations Center
MCI Network Svcs
email: david.hayes () MCI com
vnet: 777-7236
voice: 972-729-7236
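The "authentication" step quoted in the message above, as an added example that is not part of the original post or of the FBI procedure it cites: image a source with dd, record a digest of the source, and later confirm the copy still matches it. The function names, the `.sha256` record file and the choice of SHA-256 are assumptions of this example, and the "disk" is a constructed regular file so it runs without root.

```shell
#!/bin/sh
# Added example: dd imaging plus a hash check that the copy is bit-for-bit exact.

hash_of() {
    # Print only the hex SHA-256 digest of a file or block device.
    sha256sum "$1" | awk '{print $1}'
}

acquire_image() {
    # $1 = source (device or file), $2 = image path.
    # No conv=sync: it would zero-pad a short final block and change the hash.
    src=$1; img=$2
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 2
    src_hash=$(hash_of "$src") || return 2
    img_hash=$(hash_of "$img") || return 2
    # Record the digest of the SOURCE; the copy is judged against it later.
    printf '%s  %s\n' "$src_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # $1 = image path. Re-hash the copy and compare with the recorded digest.
    img=$1
    recorded=$(awk '{print $1}' "$img.sha256") || return 2
    [ -n "$recorded" ] && [ "$(hash_of "$img")" = "$recorded" ]
}

run_demo() {
    # Constructed stand-in for a disk; its size is not a multiple of bs.
    dir=$(mktemp -d) || return 2
    yes 'constructed sector data' | head -c 200003 > "$dir/disk.raw"
    rc=0
    acquire_image "$dir/disk.raw" "$dir/disk.img" || rc=1
    verify_image "$dir/disk.img" || rc=1
    # Change one byte of the copy: verification must now fail.
    printf 'X' | dd of="$dir/disk.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$dir/disk.img" && rc=1
    rm -rf "$dir"
    return $rc
}

run_demo && echo "image verified; tampered copy rejected"
```

Against a real drive, the source should be attached read-only before imaging, and the digest record kept separately from the image.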