[Dshield] Forensics and hard drives
superc at visuallink.com
Thu Apr 12 15:05:52 GMT 2007
Yes, the disk was cloned. Found a nice free program to do that with.
Not being an ancient Unix person, I didn't know about Linux and dd then,
but did know a bit about forensic principles. Even went to school to
learn it back in the early days of Windows 3.0. Kind of a shock to
learn DOS won't work on NTFS. Forced me to get Helix (690+ Megs,
getting it took several days on dial-up) and wade through gobs of
not-so-well-written Linux 'how to' manuals. Still reading and trying to make
sense. I am gathering I want to type a variation of '/mount hda' if I
want Helix to see the suspect drive, but so far playing with a spare
laptop I can't get Autopsy to see anything but the motherboard and the
CD itself. I have done two copies of the subject drive and will stop at
two for now. A 200 gig drive. TG, I already had some other small
floppy driven disk recovery tools to hand. I am still not quite sure
how to tell if a disconnected drive was accessed remotely without an
existing firewall log. Surely Windows keeps an internal record of
connections with foreign computers somewhere, but in which file?
Knowing the times of the deletions (an already more or less known fact)
brings me no closer to knowing how it was done.
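Editor's note, added to this archived message and not part of the poster's text or of Helix: the post asks how to image a suspect drive and how to get a Linux boot CD to "see" it. The script below is a worked example of the two steps that matter forensically, a `dd` image whose hash is checked against the source, and a read-only mount of the result. Paths such as `/dev/hda1`, `/mnt/suspect` and `case01.dd` are placeholders chosen for the example; `dd`, `sha256sum`/`shasum`, `mount` and the `ro,noexec,noatime,loop,offset=` mount options are standard Linux tools and options. Note the real command is `mount`, not `/mount`, and the argument is a device node under `/dev` (or an image file), not a bare `hda`.

```shell
#!/bin/sh
# Added example (not from the original post or from Helix): image a suspect
# device with dd, record and verify hashes, then mount the evidence
# read-only. All paths are placeholders for illustration.

# Prefer GNU sha256sum; fall back to shasum -a 256 (BSD/macOS). Both
# support '-c' for re-checking a stored hash file later.
if command -v sha256sum >/dev/null 2>&1; then
    HASH="sha256sum"
else
    HASH="shasum -a 256"
fi

# image_and_verify SRC IMG
#   Copies SRC (a block device such as /dev/hda, or any file) to IMG.
#   conv=noerror keeps dd running past an unreadable sector; conv=sync
#   pads that sector with zeros so later offsets in the image still line
#   up with the original disk. bs=512 matches the sector size, so the
#   padding never changes the total length of a whole-disk image.
#   Hashes of source and image are written to IMG.log, the image hash
#   alone to IMG.sha256 (for re-verification after the source is gone).
#   Returns 0 if the hashes match, 1 otherwise.
image_and_verify() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync
    src_hash=$($HASH "$src" | cut -d' ' -f1)
    img_hash=$($HASH "$img" | cut -d' ' -f1)
    {
        printf 'source %s %s\n' "$src" "$src_hash"
        printf 'image  %s %s\n' "$img" "$img_hash"
        printf 'imaged_at %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$img.log"
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG
#   Re-checks IMG against IMG.sha256. Run this before every analysis
#   session; if it fails, the working copy has been altered and a fresh
#   copy must be made from the second image or the original drive.
verify_image() {
    img="$1"
    $HASH -c "$img.sha256" >/dev/null 2>&1
}

# mount_suspect_ro DEV MNT [OFFSET_BYTES]
#   Mounts a partition device (e.g. /dev/hda1) or an image file at MNT.
#   ro      : never write to the evidence
#   noexec  : nothing on the evidence can be executed by accident
#   noatime : access times on the mounted fs are not touched (ro already
#             prevents this on most kernels; belt and braces)
#   loop    : added automatically when DEV is a regular file (an image)
#   offset= : byte offset of the partition inside a whole-disk image;
#             get it from 'mmls IMG' (Sleuth Kit) or 'fdisk -lu IMG'
#             (sector number * 512). The partition's filesystem type is
#             detected by mount; add '-t ntfs' if it is not.
#   Requires root. The tools in Autopsy (fls, icat, ...) work on the raw
#   image or device directly and do not need this mount at all.
mount_suspect_ro() {
    dev="$1"; mnt="$2"; off="$3"
    opts="ro,noexec,noatime"
    [ -f "$dev" ] && opts="$opts,loop"
    [ -n "$off" ] && opts="$opts,offset=$off"
    mkdir -p "$mnt"
    mount -o "$opts" "$dev" "$mnt"
}

# Typical session (commented out; needs root and a real device):
#   image_and_verify /dev/hda /cases/case01.dd
#   verify_image /cases/case01.dd
#   mount_suspect_ro /cases/case01.dd /mnt/suspect 32256   # 63 * 512
```

Two copies of the image are the right call, as the post says: analysis runs on one, the other stays sealed with its hash log, and `verify_image` on either copy at any later date shows whether it still matches what was taken from the 200 GB drive. The Sleuth Kit tools behind Autopsy read the image file directly, which is usually easier than mounting it; the mount is for when a normal file browser is wanted.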