jhup wrote:
This goes back to a pet peeve of mine.
We do not need exact "bit-by-bit" copies for forensics. Think about it. Does fingerprint analysis use 100% of an (already partial) copy of a fingerprint? Does DNA analysis use 100% of the DNA?
Here is something that should blow your mind, if you are stuck on "bit-by-bit". In most other forensics fields the evidence, at least partially, is destroyed...
Remember, beyond reasonable doubt.

Yep, I would spend a few words on the exact nature of the effects of data corruption (if any) in the imaging process.
One of the most common "issues" (among others) raised by the good guys "obsessed" with the bit-by-bit copy approach (and the use of write blockers, etc.) is that the very moment you connect a disk to a Windows NT system (before the WinFE approach), its signature may be altered.
This happens in two cases:
1) the disk was never connected to a Windows NT (and thus has a 00000000 disk signature)
2) there is a collision with the disk signature of another disk connected at the same time (probabilistically very rare)
See also here:
http://mistype.reboot.pro/documents/WinFE/winfe.htm#signatures
and more specifically here:
http://reboot.pro/topic/18953-is-winfe-forensically-sound/
http://reboot.pro/topic/18953-is-winfe-forensically-sound/?p=177532
Quote:
Think of a car accident: you take photos, you mark on the road where the vehicles are, you take measurements and sketches, then you move the vehicles to allow the reopening of the road.
The day after you may decide to re-close the road for a few hours, put back the vehicles exactly where you found them to better understand the dynamics of the crash.
As long as the procedure is adequately documented, it is perfectly "forensically sound".
What I think are "common" false equations are:
"forensically sound" = "untouched"
"forensically sound" = "identical"
"forensically sound" = "unmodified"
I also see as "forensically sound" something that has been "touched", "modified" or "moved", as long as this has been done following a procedure, and of course a "proper" and repeatable procedure.
So, we attach a disk to a running Windows NT OS (with no automount).
In some cases it may change the disk signature. (as seen above there are several ways to avoid this or to make a "snapshot" of it before).
How will this affect the presence on the disk of a compromising exchange of e-mails, or of a folder containing tens or hundreds of CP images?
Will a disk signature change be able to create by sheer magic the above incriminating evidence?
More "widely", would a disk signature change produce any change of any kind to other data (except the specific 4 bytes)?
Like altering timestamps, or deleting or making unrecoverable any data?
Taking it a step further, will more serious (wrong) manipulations or changes to the filesystem ever produce those artifacts?
Of course not; in the very worst case, a change to the filesystem will delete (or make inaccessible) some data.
If you think a bit about it, when you carve unallocated space and recover partially overwritten data, what you get is not "really sound" data, but rather fragments (or bits and pieces).
The "sound", "original" data, let's say as an example a Word document has already been altered (by beingn first deleted from the OS and then partially overwritten by another file), yet the parts that you manage to recover and re-assemble can be part of the accusatory or exculpatory evidence.
What if the same Word document becomes corrupt because of a malfunction (or instability, or whatever) of the system while you imaged it?
Are not the bits and pieces you recover from it "as good as" the bits ad pieces you recover form the .doc carved in free space?
jaclaz
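The disk-signature point in the post above, as an added example that is not part of the original thread: the MBR disk signature is the 4 little-endian bytes at offset 0x1B8 (440) of sector 0, just before the partition table. The script builds a constructed 512-byte MBR (not a real evidence image), models the behaviour the post describes (a signature is assigned only when the existing one is 00000000), then shows that the "before" and "after" sectors differ in exactly those 4 bytes and nothing else. It also records the original signature as a "snapshot" and computes a hash with the signature bytes masked, so an examiner can document the change and still prove the rest of the sector is untouched. The function names and the sample partition entry are assumptions made for this example.

```python
import hashlib

MBR_SIZE = 512
SIG_OFFSET = 0x1B8   # MBR disk signature: 4 bytes, little-endian
SIG_LEN = 4
SIG_RANGE = range(SIG_OFFSET, SIG_OFFSET + SIG_LEN)


def build_sample_mbr(signature: int) -> bytes:
    """Constructed sample MBR (not real evidence): 440 bytes of boot code,
    4-byte signature, 2 reserved bytes, 64-byte partition table, 0x55AA."""
    boot_code = bytes([0xEB, 0x3C, 0x90]) + b"\x00" * (SIG_OFFSET - 3)
    sig = signature.to_bytes(SIG_LEN, "little")
    reserved = b"\x00\x00"
    # One bootable type-0x07 (NTFS) entry starting at LBA 2048, 2097152 sectors (assumed values).
    entry = (bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF])
             + (2048).to_bytes(4, "little") + (2097152).to_bytes(4, "little"))
    table = entry + b"\x00" * 48
    mbr = boot_code + sig + reserved + table + b"\x55\xAA"
    assert len(mbr) == MBR_SIZE
    return mbr


def disk_signature(mbr: bytes) -> int:
    return int.from_bytes(mbr[SIG_OFFSET:SIG_OFFSET + SIG_LEN], "little")


def is_unsigned(mbr: bytes) -> bool:
    """Case 1 from the post: disk never seen by Windows NT, signature 00000000."""
    return disk_signature(mbr) == 0


def snapshot(mbr: bytes) -> dict:
    """What to record before attaching: the signature and the full-sector hash."""
    return {"signature": f"{disk_signature(mbr):08X}",
            "sha256": hashlib.sha256(mbr).hexdigest()}


def simulate_nt_attach(mbr: bytes, new_signature: int) -> bytes:
    """Model of the behaviour described in the post: NT writes a signature
    only when the existing one is zero; a signed disk is left alone."""
    if not is_unsigned(mbr):
        return mbr
    return (mbr[:SIG_OFFSET] + new_signature.to_bytes(SIG_LEN, "little")
            + mbr[SIG_OFFSET + SIG_LEN:])


def diff_offsets(before: bytes, after: bytes) -> list:
    """Byte offsets at which two same-size sectors differ."""
    if len(before) != len(after):
        raise ValueError("sectors differ in length")
    return [i for i, (x, y) in enumerate(zip(before, after)) if x != y]


def only_signature_changed(before: bytes, after: bytes) -> bool:
    """True if the sectors differ and every differing byte lies in the signature."""
    d = diff_offsets(before, after)
    return bool(d) and all(i in SIG_RANGE for i in d)


def sha256_masking_signature(mbr: bytes) -> str:
    """Hash of the sector with the 4 signature bytes zeroed, so two copies
    that differ only in the signature verify as equal."""
    masked = mbr[:SIG_OFFSET] + b"\x00" * SIG_LEN + mbr[SIG_OFFSET + SIG_LEN:]
    return hashlib.sha256(masked).hexdigest()


if __name__ == "__main__":
    virgin = build_sample_mbr(0)
    before = snapshot(virgin)
    attached = simulate_nt_attach(virgin, 0x1A2B3C4D)   # assumed random signature
    print("before:", before)
    print("after: ", snapshot(attached))
    print("changed offsets:", diff_offsets(virgin, attached))
    print("only signature changed:", only_signature_changed(virgin, attached))
    print("masked hashes equal:",
          sha256_masking_signature(virgin) == sha256_masking_signature(attached))
```

The masked hash is a documentation aid, not a substitute for the full-image hash: record both, plus the pre-attach signature, so the report can state exactly which 4 bytes changed and why, which is the "adequately documented procedure" the post argues for.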