[Dshield] Forensics and hard drives

Kenneth Coney superc at visuallink.com
Thu Apr 12 15:05:52 GMT 2007

Yes, the disk was cloned   Found a nice free program to do that with.  
Not being an ancient Unix person, I didn't know about Linux and dd then, 
but did know a bit about forensic principles.  Even went to school to 
learn it back in the early days of Windows 3.0.  Kind of a shock to 
learn DOS won't work on NFTS.  Forced me to get Helix (690+ Megs, 
getting it took several days on dial up) and wade through gobs of Linux 
'how to' not so well written manuals.  Still reading and trying to make 
sense.  I am gathering I want to type a variation of '/mount hda' if I 
want Helix to see the suspect drive, but so far playing with a spare 
laptop I can't get Autopsy to see anything but the motherboard and the 
CD itself.  I have done two copies of the subject drive and will stop at 
two for now.  A 200 gig drive.  TG, I already had some other small 
floppy driven disk recovery tools to hand.  I am still not quite sure 
how to tell if a disconnected drive was accessed remotely without an 
existing firewall log.  Surely Windows keeps an internal record of 
connections with foreign computers somewhere, but in which file?  
Knowing the times of the deletions (an already more or less known fact), 
brings me no closer to knowing how it was done. 

More information about the list mailing list