This paper highlights an oversight in the current industry best practice
procedure for forensically duplicating a hard disk. A discussion is provided
which demonstrates that although the forensic duplication process may not
directly modify data on the evidence hard disk, a hard disk will usually
modify itself during the forensic duplication process.
The paper highlights some consequences, for example that an attacker who has
compromised the computer containing the hard disk can programmatically detect
that the hard disk has been forensically duplicated, or otherwise powered on
and accessed via a mechanism other than via the operating system installed on
the hard disk.
Suggestions are provided to help minimise the changes made to the hard disk
during the forensic duplication process. These suggestions minimise the
likelihood that an attacker will notice the system administrator or forensic
analyst performing an investigation of the suspected compromised computer.
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
SMART Anti-Forensics
This paper highlights an oversight in the current industry best practice
procedure for forensically duplicating a hard disk. A discussion is provided
which demonstrates that although the forensic duplication process may not
directly modify data on the evidence hard disk, a hard disk will usually
modify itself during the forensic duplication process.
The paper highlights some consequences, for example that an attacker who has
compromised the computer containing the hard disk can programmatically detect
that the hard disk has been forensically duplicated, or otherwise powered on
and accessed via a mechanism other than via the operating system installed on
the hard disk.
Suggestions are provided to help minimise the changes made to the hard disk
during the forensic duplication process. These suggestions minimise the
likelihood that an attacker will notice the system administrator or forensic
analyst performing an investigation of the suspected compromised computer.
http://members.ozemail.com.au/~steven.mcleod/SMART_Anti_Forensics.pdf
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[ reply ]