[sleuthkit-users] Comparing two similar dd disk images
From: esrkq y. <es...@ya...> - 2005-12-11 17:47:35
Hi,

This is a simple story, but it needs a few steps to tell, so please bear with it :-)

1) Hard disk (call it Drive-A) is imaged in approx. June 2003 by a forensic examiner and is the subject of a forensic report.
2) March 2004: the company that owned Drive-A goes bust.
3) March 2004: Drive-A is retrieved from the company offices and 'copied' (don't know whether a file copy or imaged) onto a new hard drive (call it Drive-B).
4) April 2004: Drive-B is sent off to a different forensic examiner and is again the subject of a forensic report.
5) I have the Drive-A image (dd file) and the Drive-B image (dd file) on my computer.
6) Clearly much of the contents of the Drive-A image is also on the Drive-B image, since they have the same heritage, separated by about a 9 month time span of normal business activity.
7) However, it appears as though certain relevant files that were on the Drive-A image are not present on the Drive-B image. In other words the second forensic examiner did not have the benefit of seeing these files as he examined Drive-B (although he must have known they had existed, as he read the report produced by the first forensic examiner).
8) Using Autopsy/Sleuthkit I have searched high and low for the contents of these files on the Drive-B image and they cannot be found in allocated or unallocated space.
9) To my mind this could be explained by:
   a) The Drive-A to Drive-B copy was a 'file copy' process rather than an imaging process AND the files were deleted through normal housekeeping processes from Drive-A sometime before Drive-A was 'copied' to Drive-B AND therefore the contents of these files never hit the platters of Drive-B. If this were the case then there is no suggestion of foul play.
   b) The Drive-A to Drive-B copy was an imaging process rather than a file copying process AND the relevant files in question were 'scrubbed' from Drive-B before it was sent to the second forensic examiner, and therefore he never had the benefit of seeing them.

The timeline produced by Autopsy/Sleuthkit shows plenty of file activity going on after March 2004 up to early April 2004.

The Big Question
----------------
Armed only with the information and material (dd images) I already have (in other words, without having to ask any further questions), is there any way (using Autopsy/Sleuthkit) I can get an indication as to whether the drive copy of Drive-A to Drive-B was a file copy process or an imaging process? Bear in mind that although the images represent much the same set of information, they are in fact separated by 9 months of normal business activity.

Other Info
----------
The dd images are 'partition images', not whole disk images.

I am neither a computer forensic expert nor a legal expert. I know the provenance of the Drive-B image can be called into question, as the two forensic examiners effectively examined two different 'Documents', but it would still be great to know whether it was a file-copy process or an imaging process.

This is a civil action, not criminal, and the files that may have been scrubbed are to do with an accounting programme and a financial spreadsheet.

Thanks in advance for any suggestions.

Cheers,
JP
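One way to get the kind of indication the post asks for, as an added example that is not part of the original message nor of Sleuthkit/Autopsy: a sector-level comparison of two partition images. A dd-style copy preserves the boot sector and leaves unchanged data at the same offsets, while a file-level copy onto a freshly formatted drive produces a different boot sector and lands shared content at different offsets. All function names and the two toy images (built inline, labelled constructed) are this example's own assumptions.

```python
import hashlib
from collections import defaultdict

SECTOR = 512

def compare_images(img_a: bytes, img_b: bytes, sector: int = SECTOR) -> dict:
    """Sector-by-sector comparison of two partition images. A dd-style image keeps
    the boot sector and unchanged data at the SAME offsets; a file-level copy onto a
    freshly formatted drive gives a new boot sector and puts shared content at
    DIFFERENT offsets. All-zero sectors are skipped so they don't inflate counts."""
    zero = bytes(sector)
    where_in_b = defaultdict(set)   # sha256(sector) -> sector numbers in image B
    for i in range(len(img_b) // sector):
        blk = img_b[i * sector:(i + 1) * sector]
        if blk != zero:
            where_in_b[hashlib.sha256(blk).digest()].add(i)
    counts = {"same_offset": 0, "moved": 0, "missing_from_b": 0}
    for i in range(len(img_a) // sector):
        blk = img_a[i * sector:(i + 1) * sector]
        if blk == zero:
            continue
        hits = where_in_b.get(hashlib.sha256(blk).digest(), set())
        if i in hits:
            counts["same_offset"] += 1        # same content, same place: imaging
        elif hits:
            counts["moved"] += 1              # same content, new place: file copy
        else:
            counts["missing_from_b"] += 1     # never written to B, or overwritten
    counts["boot_sector_identical"] = img_a[:sector] == img_b[:sector]
    return counts

def looks_like_sector_image(r: dict) -> bool:
    """Heuristic only: identical boot sector and shared content mostly still in place."""
    return r["boot_sector_identical"] and r["same_offset"] > r["moved"]

def make_image(boot: bytes, files: dict, n_sectors: int = 64) -> bytes:
    """Constructed toy image: a boot sector plus file data at the given sector numbers."""
    img = bytearray(n_sectors * SECTOR)
    img[:len(boot)] = boot
    for start, data in files.items():
        img[start * SECTOR:start * SECTOR + len(data)] = data
    return bytes(img)

LEDGER = b"accounts.xls (constructed) " * 46   # ~3 sectors of data
MEMO = b"memo.doc (constructed) " * 25         # ~2 sectors of data
IMG_A = make_image(b"VOLID-A (constructed)", {8: LEDGER, 20: MEMO})
# Hypothesis b: Drive-B is a dd of Drive-A and the ledger was later wiped in place.
IMG_B_IMAGED = IMG_A[:8 * SECTOR] + bytes(4 * SECTOR) + IMG_A[12 * SECTOR:]
# Hypothesis a: fresh filesystem on Drive-B, surviving files copied, ledger never written.
IMG_B_COPIED = make_image(b"VOLID-B (constructed)", {30: MEMO})
```

On real images the two boot sectors (and the volume serial number that TSK's fsstat prints for each filesystem) are the first thing to compare; defragmentation or a reformat during the nine months between the images lowers the same-offset count, so treat the result as an indication rather than proof.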