|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Paul Sanderson (paul
sandersonforensics.co.uk)Date: Thu Mar 21 2002 - 11:05:58 CST
Excuse me rambling but
This is an interesting one. Whilst it should be reasonably straight forward
to write a firmware imager for IDE disk I think that SCSI disks will be
another kettle of fish. SCSI drives are normally accessed through the ASPI
interface under DOS and ASPI/SPTI under Windows. ASPI is a DOS/Windows
library and SPTI is a Windows library these would either need to be replaced
or bypassed for your idea to work.
I haven't played with Direct access to SCSI for many years but if memory
serves me each card is basically different so you either need to specify a
particular controller card in the PC or write for all of them...
I have a logicube and have used a solo and although both seem to fit your
requirements both are running programs - albeit from firmware. Each of the
machines has a sequence of buttons that you can use to interrogate the
source and destination. erase the destination, decide what you can do on an
error situation... There are also different versions of the firmware
floating around. So depending on what you do before you actually press the
'clone now' button, as it is on the logicube, what state is the machine in?
My preferred solution is to read the drive using two separate utilities. if
I were to be paranoid I would use Encase to image via a FastBloc and one of
my own utils to read the drive and calculate an MD5 hash (preferably doing
one using X/BIOS calls and one using direct access). If the Hashes are the
same then I believe that I can convince a jury that everything is working
fine.
Your point about the jury being non-techy is a fair one but what makes you
think they will understand your solution. Most people/jurors are at least
familiar with PC's you get to explain to them that this is a PC with a
difference..
Not knocking your idea - just food for thought
Paul
===================================
Paul Sanderson
T. #44 1869 325667
F. #44 1869 369001
M. #44 7808 773856
http://www.sandersonforensics.co.uk
===================================
-----Original Message-----
From: Mike Shaw [mailto:mshawwwisp.com]
Sent: 21 March 2002 16:10
To: mailcomputer-security-awareness.co.uk; rsgilmoreblclinks.net;
forensicssecurityfocus.com
Subject: Re: Encase and data recovery
>
>I'm afaid not. "Copy-II-PC" ran as a DOS application. I'm suggesting
>a totally OS-free system using a few kB of dedicated machine code.
I think the CopyIIPC system comment was somewhat toungue-in-cheek, but
there was actually a CopyIIPC floppy controller you could get that would
turn your PC into a byte by byte disk copying machine. This is pretty much
what you're talking about right?
-Mike
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]