From: crazytrain.com (subscribecrazytrain.com)
Date: Tue Mar 19 2002 - 11:17:25 CST

Hmm... I've been reading through this thread... maybe I've gotten lost
somewhere. I'll just babble a bit:

1) There are the unix for win32 tools available. However, I would not
recommend using this for data forensics analysis UNLESS you have tested and
verified that they do not change the evidence. My thinking here is you're
still relying on the ol' beast - the operating system, a win32
environment. Plus, if you're looking to use these commands, then why not
use them in their natural environment?

2) The source code for these commands can be viewed. You can read what is
happening when you issue a command (whether mount, script, strings,
strace, dd, md5sum, tee, stat, dumpe2fs, fdisk, sfdisk, sdd, etc.).

3) As already mentioned, you can mount the volume with various flags set so
as to avoid altering the evidence (flags such as '-o ro,noexec,noatime').
Further, you can control your *nix system so that devices are not
recognized automatically, but only manually (automounter, fstab, etc.).

4) Matt is correct. If you look at the image created by EnCase, it is not
a true and accurate image. I may be twisting words here, but EnCase embeds
information within the EnCase image. Ever try to find the partition table
in an EnCase image? (Safeback also embeds data.) Using 'dd' will create a
true and accurate image.

5) As for Matt's idea of taking an EnCase image and creating a flat image
from it... I believe the public will soon have access to such a tool.
Currently only beta testers do.

Maybe this helps?

farmerdude
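Points 2, 3 and 4 above (dd for a flat image, md5sum to prove it was not altered, and a read-only mount with ro,noexec,noatime) put together as an added example; this is not part of farmerdude's post or any tool it mentions. It assumes GNU/Linux coreutils (dd, md5sum, mktemp), images a constructed 4 KiB sample file instead of a real device, and the mount function needs root and loop-device support, so the demo does not call it.

```shell
# Added example, not from the original post: acquire with dd, hash source and
# image with md5sum, and mount the image read-only with the flags discussed.
# The "evidence" file and all paths below are constructed for the demo.
set -eu

# Print only the md5 digest of a file or block device.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Sector-by-sector copy of $1 to $2. conv=noerror,sync keeps reading past bad
# sectors and zero-fills them so later offsets in the image stay aligned.
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# Succeed only if the image hashes identically to the source; both digests
# are written next to the image so the comparison can be repeated later.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" > "$2.md5"
    [ "$src_hash" = "$img_hash" ]
}

# Mount an image without writes, execution, or access-time updates.
# Requires root and loop-device support, so the demo below does not call it.
mount_image_ro() {
    mkdir -p "$2"
    mount -o ro,noexec,noatime,loop "$1" "$2"
}

# Demo on a constructed 4 KiB file. Returns 0 when the image verifies; with
# $1 = tamper the image is altered after acquisition so verification fails.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/evidence.bin" bs=512 count=8 2>/dev/null
    acquire "$work/evidence.bin" "$work/evidence.dd"
    if [ "${1:-}" = tamper ]; then printf 'x' >> "$work/evidence.dd"; fi
    if verify_image "$work/evidence.bin" "$work/evidence.dd"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}
```

On a real acquisition, hash the source device before and after imaging as well, since a matching pair proves the copy but not that the source was left untouched.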

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com