RE: tools used to examine a computer

From: H C (
Date: 02/20/03

  • Next message: "Secure NFS"
    Date: Thu, 20 Feb 2003 06:27:35 -0800 (PST)
    From: H C <>


    > Copying can change file properties as in MAC details
    > on the new system or the destination.

    In the post that you responded to with the above
    comment, I specifically stated:

    "If one collects the necessary info (ie, MAC times..."

    This is important b/c one should take care to preserve
    the MAC times on the "victim" system, as a copy
    operation will alter the last access time of the file.

    In addition, you are correct w/ regards to 'the new
    system or the destination'...the file properties will
    be 'changed'. Perhaps more correctly, they will be
    *created*, as the file you are copying to the
    destination most likely did not previously exist.

    > The MAC being changed is the problem.

    Not really. The issue you brought up was "chain of
    evidence" (though you have not really explained what
    you were referring to, nor have you described this
    "chain of evidence" does that differ from "chain
    of custody"?)...copying a file is going to change the
    MAC times on the "victim" system...we know that.

    Why don't we take a step back. I'll give you the
    opportunity to explain what you mean by "chain of
    evidence" and maybe that will clear up the issue a

    > The original email I was answering didn't discuss
    > documenting either or getting the MD5 signature.

    > DD will give a bit by bit copy which will give the
    > same MD5 signatures and is handy if the machine
    > cannot be rebooted.

    The issue of MD5 signatures is also true for copying,
    as well, either using the copy command, or using the
    "type" command, and piping the output over a socket.

    > The disk should be cloned before anything is done on
    > the machine as in copying files or anything.

    If the disk is cloned, you won't have to copy'll have cloned disk to work with.

    There is also two other issues to consider...

    1. Not every incident requires a full-out forensics
    investigation with the accompanying bit image of the
    suspect or 'victim' drive. The issue of whether or
    not an image needs to be made really depends on the
    policies of the organization. Several things need to
    be kept in mind...for example, many production systems
    measure downtime in hundreds or thousands of dollars
    per minute. In such cases, a great deal of volatile
    information can be collected from the 'victim' system
    in a forensically sound manner, and that information
    can be analyzed and used to make a decision as to
    whether or not to accept the expense of shutting down
    and imaging a system. Keep in mind, there are other
    costs besides downtime and lost transactions...there's
    any fees that have to be paid to
    contractors/consultants, etc.

    2. Evidence dynamics -> I'm going to take a page from
    Rob Lee and Eoghan Casey on this one...

    You're walking down the street, and as you pass a
    doorway, you step in something messy. You look down
    and see a puddle of blood, and a body in the doorway.
    You call the cops. The paramedics arrive, examine the
    body, attempt to revive the individual, and then cart
    them off to the hospital. Now, even if the 'victim'
    dies in the hospital, the cops are still able to
    investigate the crime, and ultimately the perp can be
    found and prosecuted.

    Now, map that to the digital world. Can it be done?
    Yes. Does every incident require an image to be made
    of the drive? Maybe not. Depends on the incident.
    But I would venture to say that no, not every incident
    requires that an image be made. In fact, in many
    cases, if the first technical step is to create an
    image, then a great deal of valuable data is lost the
    instant the system is shut down.

    Case in point...someone I once knew thought that a
    company system was being subject to misuse...he
    suspected that someone had installed SubSeven and was
    connecting to it to muck w/ the system. He shut the
    system down and waited for the consultant to come and
    make an image of the drive, and then analyze it. The
    consultant found some of the SubSeven files...but so
    what? They had no way of knowing if at the time the
    system was shut down, was SubSeven running? Was
    anyone connected to the server? All of that volatile
    information was lost as soon as the system was shut

    The key to examining a system isn't so much the tools
    as it is the methodology.

    Do you Yahoo!?
    Yahoo! Tax Center - forms, calculators, tips, more

    Relevant Pages

    • Re: Arp spoofing & dsniff
      ... MAC Duplicating. ... the victim computer has lost NO connectivity yet. ... The switch will ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    • Re: stripping the first byte from a binary file
      ... your process dies midway through copying the file, ... Renaming the file is atomic under Linux and Mac, ...
    • RE: tools used to examine a computer
      ... Copying can change file properties as in MAC details ... > I'm wrong but that damages the chain of evidence. ...
    • Re: new problem - networking is strange
      ... It is/was broken on my system since both of my network cards get random ... PCI address instead of MAC address. ... I was always wondering why it changes after copying the system. ... To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx ...
    • Re: Arp spoofing & dsniff
      ... > MAC duplicating makes sense if you also operate a DoS on the victim. ... Somehow I have a feeling that the author is wrong when he says that "Mac ... > switch to go back to hub mode. ... This list is provided by the SecurityFocus Security Intelligence Alert ...