Re: [sleuthkit-users] Comparing two similar dd disk images
From: Angus M. <an...@n-...> - 2005-12-11 19:54:06
Not sure what you're telling us - are you saying that Drive A was imaged then allowed back into service as a "live" drive for 9 months before it was then copied to Drive B?

Either way, a correct imaging process would preserve all timestamps and copy all data in unallocated space (slack, deleted etc.). A file copy would usually result in modified timestamps (e.g. creation dates would most likely change) and no copying of data in unallocated space. Hence, if Drive B was "sterile" before the copy, there should be nothing visible/recoverable from unallocated and timestamps on the live files are probably incorrect, indicating a file copy process. On the other hand, if Drive B is an image of Drive A + 9 months live running, any interesting data in unallocated space could well have been overwritten during normal operation.

I'd probably start by producing timelines for both drives and looking at the deleted files and creation stamps on the live files.

On Sunday 11 December 2005 17:47, esrkq yahoo wrote:
> Hi,
>
> This is a simple story but just need a few steps to tell it so please bear with it :-)
>
> 1) Hard disk (call it Drive-A) is imaged in approx June 2003 by a forensic examiner and is subject of a forensic report.
>
> 2) March 2004 company that owned Drive-A goes bust.
>
> 3) March 2004, Drive-A is retrieved from company offices and 'copied' (don't know whether a file copy or imaged) onto a new hard drive (call it Drive-B).
>
> 4) April 2004 Drive-B is sent off to a different forensic examiner and is again subject of a forensic report.
>
> 5) I have Drive-A image (dd file) and Drive-B image (dd file) on my computer.
>
> 6) Clearly much of the contents of Drive-A image is also on Drive-B image since they have the same heritage separated by about a 9 month time span of normal business activity.
>
> 7) However - it appears as though certain relevant files that were on Drive-A image are not present on Drive-B image. In other words the second forensic examiner did not have the benefit of seeing these files as he examined Drive-B (although he must have known they had existed as he read the report produced by the first forensic examiner).
>
> 8) Using Autopsy/Sleuthkit I have searched high and low for contents of these files on Drive-B image and they cannot be found in Allocated or Unallocated space.
>
> 9) To my mind this could be explained by:
>
> a) The Drive-A to Drive-B copy was a 'file copy' process rather than an imaging process AND the files were deleted through normal housekeeping processes from Drive-A sometime before Drive-A was 'copied' to Drive-B AND therefore the contents of these files never hit the platters of Drive-B. If this were the case then no suggestion of foul play.
>
> b) The Drive-A to Drive-B copy was an imaging process rather than a file copying process AND the relevant files in question were 'scrubbed' from Drive-B before it was sent to the second forensic examiner and therefore he never had the benefit of seeing them. The timeline produced by Autopsy/Sleuthkit shows plenty of file activity going on after March 2004 up to early April 2004.
>
> The Big Question
> Armed only with the information and material (dd images) I already have (in other words without having to ask any further questions) is there any way (using Autopsy/Sleuthkit) I can get an indication as to whether the drive copy of Drive-A to Drive-B was a file copy process or an imaging process? Bear in mind that although the images represent much the same set of information they are in fact separated by 9 months normal business activity.
>
> Other Info
> ----------
> The dd images are 'partition images' not whole disk images.
> I am neither a computer forensic expert nor a legal expert.
>
> I know the provenance of the Drive-B image can be called into question as the two forensic examiners effectively examined two different 'Documents' but it would still be great to know whether it was a file-copy process or imaging process.
>
> This is a civil action not criminal and the files that may have been scrubbed are to do with an accounting programme and a financial spreadsheet.
>
> Thanks in advance for any suggestions.
>
> Cheers,
> JP
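The check Angus suggests (timeline both partitions, then compare deleted entries and creation stamps on the files common to both) can be done mechanically once each image has been run through `fls -m`. The script below is an added example and is not code from the thread or from The Sleuth Kit itself. It assumes the TSK 3.x bodyfile layout (`MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`, epoch-second timestamps, `" (deleted)"` appended to unallocated names); the 2005-era TSK 2.x mactime format differs, so adjust the parser if you are working from those files. The two body files embedded in it are constructed samples, not data from the drives discussed, and the `copy_start`/`copy_end` window is the hypothetical month in which Drive-A was copied.

```python
"""Added example (not part of the sleuthkit-users thread): compare two
Sleuth Kit body files, one per partition image, for the file-copy vs.
imaging signature described in the reply above.

Assumed input: TSK 3.x `fls -m / -r image.dd` bodyfile lines,
    MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
with epoch-second timestamps and " (deleted)" appended to unallocated names.
The sample body files below are constructed for illustration only.
"""
from collections import namedtuple
from datetime import datetime, timezone

Entry = namedtuple("Entry", "name inode size atime mtime ctime crtime deleted")
DELETED_SUFFIX = " (deleted)"


def epoch(date):
    """'YYYY-MM-DD' -> UTC epoch seconds; used only to build the samples."""
    return int(datetime.strptime(date, "%Y-%m-%d")
               .replace(tzinfo=timezone.utc).timestamp())


def parse_bodyfile(text):
    """Parse bodyfile lines into {name: Entry}. Deleted entries are keyed by
    the bare name so they can be matched against the other drive."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"unexpected bodyfile line: {line!r}")
        _md5, name, inode, _mode, _uid, _gid, size, atime, mtime, ctime, crtime = fields
        deleted = name.endswith(DELETED_SUFFIX)
        if deleted:
            name = name[:-len(DELETED_SUFFIX)]
        entries[name] = Entry(name, inode, int(size), int(atime), int(mtime),
                              int(ctime), int(crtime), deleted)
    return entries


def compare_timelines(drive_a, drive_b, copy_start, copy_end):
    """Collect the evidence the reply points at: A entries absent from B,
    whether B's creation stamps were preserved or reset into the copy
    window, whether mtimes survived, and whether B has deleted entries.

    A file copy typically keeps mtime but resets crtime to the copy date and
    leaves no deleted entries on a fresh target; a dd image preserves all
    four stamps and carries A's deleted entries across (unless overwritten)."""
    missing = sorted(n for n in drive_a if n not in drive_b)
    common = sorted(n for n in drive_a if n in drive_b)
    crtime_preserved = [n for n in common if drive_a[n].crtime == drive_b[n].crtime]
    crtime_reset = [n for n in common
                    if drive_b[n].crtime != drive_a[n].crtime
                    and copy_start <= drive_b[n].crtime <= copy_end]
    mtime_preserved = [n for n in common if drive_a[n].mtime == drive_b[n].mtime]
    deleted_on_b = sorted(n for n, e in drive_b.items() if e.deleted)

    if common and len(crtime_reset) == len(common) and not deleted_on_b:
        indication = "file copy"
    elif common and len(crtime_preserved) == len(common):
        indication = "image copy"
    else:
        indication = "inconclusive"  # mixed signals: inspect by hand
    return {
        "missing_from_b": missing,
        "common": common,
        "crtime_preserved": crtime_preserved,
        "crtime_reset_in_copy_window": crtime_reset,
        "mtime_preserved": mtime_preserved,
        "deleted_on_b": deleted_on_b,
        "indication": indication,
    }


# Constructed sample: Drive-A as imaged mid-2003 (one deleted spreadsheet).
DRIVE_A = f"""
0|/docs/ledger.xls|123|r/rrwxrwxrwx|0|0|40960|{epoch('2003-06-02')}|{epoch('2003-05-20')}|{epoch('2003-05-20')}|{epoch('2003-01-15')}
0|/docs/accounts.dat|124|r/rrwxrwxrwx|0|0|204800|{epoch('2003-06-02')}|{epoch('2003-06-01')}|{epoch('2003-06-01')}|{epoch('2002-11-03')}
0|/docs/memo.doc|125|r/rrwxrwxrwx|0|0|12288|{epoch('2003-03-01')}|{epoch('2003-02-10')}|{epoch('2003-02-10')}|{epoch('2003-02-10')}
0|/docs/old-budget.xls (deleted)|126|r/rrwxrwxrwx|0|0|8192|{epoch('2003-01-20')}|{epoch('2003-01-20')}|{epoch('2003-01-20')}|{epoch('2002-12-01')}
"""

# Constructed sample: Drive-B as imaged April 2004. memo.doc keeps its
# 2003 mtime but its crtime is the copy date; the ledger and accounts
# files are gone; nothing is in unallocated space.
DRIVE_B = f"""
0|/docs/memo.doc|77|r/rrwxrwxrwx|0|0|12288|{epoch('2004-03-12')}|{epoch('2003-02-10')}|{epoch('2004-03-12')}|{epoch('2004-03-12')}
0|/docs/notes.txt|78|r/rrwxrwxrwx|0|0|1024|{epoch('2004-03-12')}|{epoch('2004-01-05')}|{epoch('2004-03-12')}|{epoch('2004-03-12')}
0|/docs/minutes.doc|79|r/rrwxrwxrwx|0|0|6144|{epoch('2004-04-02')}|{epoch('2004-04-02')}|{epoch('2004-04-02')}|{epoch('2004-03-30')}
"""


def run_sample():
    """Compare the two constructed body files; hypothetical copy window is March 2004."""
    return compare_timelines(parse_bodyfile(DRIVE_A), parse_bodyfile(DRIVE_B),
                             epoch("2004-03-01"), epoch("2004-03-31"))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The verdict is only an indication, as the reply says: an image copy followed by nine months of use can also lose deleted entries through overwriting, and some copy tools preserve creation stamps, so treat the `crtime_reset_in_copy_window` and `deleted_on_b` lists as things to look at in the full timeline rather than as proof on their own.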