[Dshield] Forensics and hard drives

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Apr 9 19:50:58 GMT 2007

On Mon, 09 Apr 2007 13:51:34 CDT, Kenneth Coney said:
> Okay, a little off topic I know, but maybe someone here has an idea.
> I am examining an XP hard drive the owner gave me to recover deleted 
> files and determine if they have been hacked.  I sector cloned it, 
> configured the clone as a slave drive, and have done the file recovery, 

You're halfway there. :)

You want to sector-clone the original disk (preferably using some flavor of
write-blocker, just in case) to a master work copy.  Then clone the
master work copy as needed, and use the second-generation clones for any
actual work.  Doing it this way means that you always have a source other
than the original disk to clone - that way, you can fire up an image under
VMware or whatever, and not feel bad knowing that you're blatting all over
the image.  If you screw up, or just want to try something different, it's
no biggie - just re-clone the master work copy, go get a cup of coffee while
it reclones, and then go to it.

I've seen some people use the 'snapshot/revert' function in VMware in a similar
fashion - you screw up, you just hit 'revert' and it's undone.  Of course,
you do this on a 2nd-gen copy.. ;)
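The three-generation workflow above (original behind a write-blocker -> hashed,
read-only master image -> throwaway second-generation work copies), scripted as
an added example. This is not code from the thread or from any tool it names.
The "original disk" is a constructed 1 MiB file; in real use the source would be
the suspect device (an assumed path such as /dev/sdb, attached through a
write-blocker) and the master image would live on a separate evidence volume.

```sh
#!/bin/sh
# Added example, not from the original post. Sector-clone the original once,
# hash and lock the master, then hand out verified second-generation copies
# for actual work. Device names and paths are assumptions.
set -eu

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Constructed stand-in for the suspect drive: 2048 "sectors" (1 MiB) of
# repeating text. Deterministic, and contains no zero bytes, so zero-filling
# a region later is guaranteed to change the content.
make_fake_disk() {
    yes 'constructed sector data' | head -c 1048576 > "$1"
}

# Step 1: one sector-level read of the original into the master work copy.
# bs=512 matches the sector size; conv=noerror,sync keeps going past bad
# sectors and zero-fills them so offsets stay aligned with the source.
# The master is hashed immediately and made read-only: nothing works on it.
make_master() {
    src="$1"; master="$2"
    dd if="$src" of="$master" bs=512 conv=noerror,sync 2>/dev/null
    sha256_of "$master" > "$master.sha256"
    chmod 0444 "$master" "$master.sha256"
    # For a healthy source the master must hash identically to the source.
    [ "$(sha256_of "$src")" = "$(cat "$master.sha256")" ]
}

# A copy is trusted only if it still matches the master's recorded hash.
verify_against_master() {
    master="$1"; copy="$2"
    [ "$(sha256_of "$copy")" = "$(cat "$master.sha256")" ]
}

# Step 2: second-generation copy for the actual work (mounting, carving,
# booting under a VM). Verified against the master before it is used.
make_work_copy() {
    master="$1"; work="$2"
    cp "$master" "$work"
    chmod 0644 "$work"
    verify_against_master "$master" "$work"
}

# Step 3: a trashed work copy is simply thrown away and re-cloned from the
# master; the original disk is never touched again.
reclone() {
    make_work_copy "$1" "$2"
}

demo() {
    d="$1"
    make_fake_disk "$d/original.bin"
    make_master "$d/original.bin" "$d/master.dd" && echo "master imaged and verified"
    make_work_copy "$d/master.dd" "$d/work1.dd" && echo "work copy 1 verified"
    # Simulate "blatting all over the image": zero 64 bytes in the work copy.
    dd if=/dev/zero of="$d/work1.dd" bs=1 count=64 seek=4096 conv=notrunc 2>/dev/null
    if verify_against_master "$d/master.dd" "$d/work1.dd"; then
        echo "unexpected: modified work copy still verifies"
    else
        echo "work copy 1 no longer matches master, recloning"
    fi
    reclone "$d/master.dd" "$d/work1.dd" && echo "work copy 1 recloned and verified"
}

demo "$(mktemp -d)"
```

The hash file sits beside the master and is locked with it, so every later
copy can be checked against the value recorded at imaging time rather than
against the master's current bytes. For the VMware case, a raw image like
master.dd can be converted to a VMDK (for example with qemu-img convert) from
a second-generation copy, never from the master itself.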