Sounds like a simple question for this list where the answer is
"always" - but please read on.

We run hashes on drives to verify that nothing was changed during the
acquisition process. Which hash, MD5, SHA-1, SHA-256, is not part of
this debate so please refrain from rehashing that topic. But what if we
have a device which is built NOT to allow writing to the drive?
Hardware write protectors are one example. Another could be an
operating system such as Knoppix that was built/configured from the
ground up to mount the drives only in read-only mode. If such a tool
was used by an independent operator who had no motivation to alter the
data, how critical are hashes?

Why would someone want to do this? How about if we had 500 hard drives
to go through and the client just wanted to get FAT info parsed to get
an idea of the files on the drives. Bypassing an MD5 could save 2+
hours for each drive and allow just the 10 sec it takes to copy the FAT.
Obviously it's an imperfect approach but for a real-world situation
where the client has limited funds, can it work?

I guess there is still the issue of ensuring that a bit wasn't
accidentally flipped by hardware during the copy. What else? Not to
trivialize the corrupt copy problem but a flipped bit isn't going to
cause an e-mail to appear where it wasn't before (unless it was in the
FAT). Thoughts on that?

What I am looking for in the way of responses is a detailed, logical
analysis of what the true issues are. I'm not looking for "this is a
bad thing, don't do it" or "if you gonna spend the money, spend the
money to do it right." I would appreciate an analysis of what one
would say to a lawyer or jury about this. I know this isn't the BEST
way to do things but what are the true flaws in this logic? What would
you say if brought in by the opposing side to refute the validity of
this approach?

Thanks in advance.

Dave K.
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
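The two points the post raises, a flipped bit that lands in the FAT and the time cost of hashing, as an added example that is not part of the original post: a constructed 512-byte FAT12 table in which one flipped bit re-wires a cluster chain so that one file's listing absorbs another file's cluster, and a SHA-256 over just the copied region that detects it at a cost proportional to that region rather than the whole drive. The FAT layout and every function name here are assumptions made for the illustration.

```python
import hashlib

def fat12_entry(fat: bytes, n: int) -> int:
    """Return 12-bit FAT entry n (entries are packed 1.5 bytes each)."""
    off = n + n // 2
    val = fat[off] | (fat[off + 1] << 8)
    return (val >> 4) if n & 1 else (val & 0x0FFF)

def set_fat12_entry(fat: bytearray, n: int, value: int) -> None:
    """Write 12-bit FAT entry n without disturbing the neighbouring entry's nibble."""
    off = n + n // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((value << 4) & 0xF0)
        fat[off + 1] = (value >> 4) & 0xFF
    else:
        fat[off] = value & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((value >> 8) & 0x0F)

def cluster_chain(fat: bytes, start: int) -> list:
    """Follow a cluster chain until an end-of-chain mark (>= 0xFF8) or a loop."""
    chain, cur = [], start
    while 2 <= cur < 0xFF8 and cur not in chain:
        chain.append(cur)
        cur = fat12_entry(fat, cur)
    return chain

def build_fat() -> bytes:
    """Constructed 512-byte FAT: file A = clusters 2->3->4, file B = clusters 5->6."""
    fat = bytearray(512)
    set_fat12_entry(fat, 0, 0xFF8); set_fat12_entry(fat, 1, 0xFFF)  # reserved entries
    set_fat12_entry(fat, 2, 3); set_fat12_entry(fat, 3, 4); set_fat12_entry(fat, 4, 0xFFF)
    set_fat12_entry(fat, 5, 6); set_fat12_entry(fat, 6, 0xFFF)
    return bytes(fat)

def flip_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate one bit flipped in transit during the copy."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)

def region_hash(data: bytes) -> str:
    """SHA-256 over only the bytes copied; cost scales with that region, not the drive."""
    return hashlib.sha256(data).hexdigest()
def copy_verified(source: bytes, copied: bytes) -> bool:
    return region_hash(source) == region_hash(copied)

if __name__ == "__main__":
    good = build_fat()
    bad = flip_bit(good, 4, 5)  # entry 3 now reads 6 instead of 4: file A absorbs B's last cluster
    print(cluster_chain(good, 2), cluster_chain(bad, 2), copy_verified(good, bad))
```

Hashing the 10-second FAT copy adds only the time to digest those same bytes, so the 2+ hour figure applies to hashing the full drive, not to verifying what was actually copied.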