Forensics

Thread: Forensic disk duplication modifies the evidence hard disk
May 27 2005 11:21AM  Steven McLeod (steven mcleod ozemail com au)  (3 replies)
RE: Forensic disk duplication modifies the evidence hard disk
May 27 2005 05:26PM  Nick Willey (nickwilley ashgate com)  (1 reply)
Re: Forensic disk duplication modifies the evidence hard disk
May 27 2005 06:18PM  Thierry Zoller (Thierry sniff-em com)
Re: Forensic disk duplication modifies the evidence hard disk
May 27 2005 03:43PM  Brian Carrier (carrier cerias purdue edu)
> SMART Anti-Forensics
>
> This paper highlights an oversight in the current industry best practice
> procedure for forensically duplicating a hard disk. A discussion is
> provided which demonstrates that although the forensic duplication process
> may not directly modify data on the evidence hard disk, a hard disk will
> usually modify itself during the forensic duplication process.
>
> The paper highlights some consequences, for example that an attacker who
> has compromised the computer containing the hard disk can programmatically
> detect that the hard disk has been forensically duplicated, or otherwise
> powered on and accessed via a mechanism other than via the operating system
> installed on the hard disk.
>
> Suggestions are provided to help minimise the changes made to the hard disk
> during the forensic duplication process. These suggestions minimise the
> likelihood that an attacker will notice the system administrator or
> forensic analyst performing an investigation of the suspected compromised
> computer.
>
> http://members.ozemail.com.au/~steven.mcleod/SMART_Anti_Forensics.pdf
>
>
Interesting...
Heisenberg's Uncertainty Principle applied to hard disks.
("You cannot measure/observe something without changing that which you are
measuring/observing.")
Given that, the act of observing the disk changes the disk. The act of
observing the change changes the change. The act of observing _that_ change
changes _that_ change. (ad infinitum...) Therefore, there is no method by
which you can observe a disk without leaving some trace.
Then, if the change(s) is/are mitigated sufficiently, is the final result
change measurable?
Yes, it's very interesting, but I'm starting to get a headache...
--
Clinton E. Troutman
CeTro
Independent Computer Consultant for Home,
Home Office, and Small Business in Fort Worth, Texas
http://cetro.dnsalias.org/
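The abstract above says an attacker who already controls the box can programmatically tell that the disk was powered on outside the installed operating system. The script below is an added example of what such a check looks like; it is not code from the paper or from anyone in this thread. It assumes (the paper's title suggests it, but the abstract does not say so) that the self-modification in question is the drive's SMART counters, specifically attribute 9, Power_On_Hours, and attribute 12, Power_Cycle_Count, as printed by `smartctl -A /dev/sdX`. The two smartctl listings are constructed sample data, and `boots_seen_by_os` stands in for a hypothetical per-boot counter the implant keeps itself.

```python
import re
import subprocess

# Constructed sample of `smartctl -A` output taken when the implant installs
# itself (baseline), and again at a later check.  Attribute IDs 9 and 12 are
# the standard Power_On_Hours and Power_Cycle_Count (assumption: these are the
# counters the drive bumps on every power-on, including a duplication session).
BASELINE_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   093   093   000    Old_age   Always       -       5421
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       312
194 Temperature_Celsius     0x0022   034   045   000    Old_age   Always       -       34 (Min/Max 21/45)
"""

CURRENT_SMART = """\
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   093   093   000    Old_age   Always       -       5430
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       314
194 Temperature_Celsius     0x0022   033   045   000    Old_age   Always       -       33 (Min/Max 21/45)
"""

# One attribute row: id, name, flag, value, worst, thresh, type, updated,
# when_failed, then the raw value.  Only the leading integer of RAW_VALUE is
# taken, because some attributes append text (e.g. the temperature min/max).
SMART_LINE = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+0x[0-9a-fA-F]+"
    r"\s+\d+\s+\d+\s+\d+\s+\S+\s+\S+\s+\S+\s+(?P<raw>\d+)"
)


def parse_smart_attributes(text):
    """Turn `smartctl -A` output into {attribute_name: raw_value}."""
    attrs = {}
    for line in text.splitlines():
        m = SMART_LINE.match(line)
        if m:
            attrs[m.group("name")] = int(m.group("raw"))
    return attrs


def read_live_smart(device):
    """Read the real counters from a device (requires smartmontools and root)."""
    out = subprocess.run(["smartctl", "-A", device],
                         capture_output=True, text=True, check=False)
    return out.stdout


def check_for_unaccounted_power_cycles(baseline_text, current_text, boots_seen_by_os):
    """Compare the drive's own counters with what the installed OS witnessed.

    boots_seen_by_os is the number of power-ons the implant itself logged since
    the baseline was taken (hypothetical counter, one increment per boot).
    A drive that reports more power cycles than the OS ever saw was spun up
    by something else: a write blocker, an imaging station, a live CD.
    """
    before = parse_smart_attributes(baseline_text)
    after = parse_smart_attributes(current_text)
    cycle_delta = after["Power_Cycle_Count"] - before["Power_Cycle_Count"]
    hours_delta = after["Power_On_Hours"] - before["Power_On_Hours"]
    unaccounted = cycle_delta - boots_seen_by_os
    return {
        "power_cycles": cycle_delta,
        "power_on_hours": hours_delta,
        "unaccounted_power_cycles": unaccounted,
        "out_of_band_access_suspected": unaccounted > 0,
    }


if __name__ == "__main__":
    # The OS logged one reboot, but the drive counted two power-ons.
    verdict = check_for_unaccounted_power_cycles(BASELINE_SMART, CURRENT_SMART,
                                                 boots_seen_by_os=1)
    print(verdict)
```

The same comparison is what a forensic analyst can run against themselves before and after imaging: if the power-cycle and power-on-hour deltas are non-zero after a supposedly read-only duplication, the drive has recorded the session regardless of the write blocker, which is the point the paper makes.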
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com