Re: [sleuthkit-users] Comparing two similar dd disk images
From: Rich T. <te...@ap...> - 2005-12-12 00:03:24
See my comments marked in - Sounds interesting - keep us posted on your progress. I'd love to know what you find.

Rich Thompson
www.apfor.com

esrkq yahoo <es...@ya...> wrote:

Hi,

This is a simple story but just need a few steps to tell it so please bear with it :-)

1) Hard disk (call it Drive-A) is imaged in approx June 2003 by a forensic examiner and is subject of a forensic report.

2) March 2004 company that owned Drive-A goes bust.

- WAS Drive-A put back in use after the original image??? From description of the case, it sounds like maybe it was.

b) The Drive-A to Drive-B copy was an imaging process rather than a file copying process AND the relevant files in question were 'scrubbed' from Drive-B before it was sent to the second forensic examiner and therefore he never had the benefit of seeing them.

The timeline produced by Autopsy/Sleuthkit shows plenty of file activity going on after March 2004 up to early April 2004.

- I was going to say look for files prior to March 2004. Sounds like a file copy process, since that would make the create date on some files the day they were copied.

The Big Question

Armed only with the information and material (dd images) I already have (in other words without having to ask any further questions) is there any way (using Autopsy/Sleuthkit) I can get an indication as to whether the drive copy of Drive-A to Drive-B was a file copy process or an imaging process. Bear in mind that although the images represent much the same set of information they are in fact separated by 9 months normal business activity.

Other Info
----------

The dd images are 'partition images' not whole disk images.

- so no images of the entire drive, or at least an MD5 of the entire drive (a or b)??

I am neither a computer forensic expert nor a legal expert.

I know the provenance of the Drive-B image can be called into question as the two forensic examiners effectively examined two different 'Documents' but it would still be great to know whether it was a file-copy process or imaging process.

This is a civil action not criminal and the files that may have been scrubbed are to do with an accounting programme and a financial spreadsheet.

- do you know the MD5 of the file in question? If that can be established you can at least prove they were looking at the same file (if you could find it)

Thanks in advance for any suggestions.

Cheers,
JP
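As an added example (my own script, not part of this thread or of Sleuthkit), the following applies Rich's heuristic to a timeline body file of the kind `fls -m` writes: it assumes the TSK 3.x body layout with crtime as the last field, uses constructed sample lines, and reports how concentrated the creation dates are and which files carry a modification time earlier than their creation time, both of which point to a file copy rather than an image.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample in the TSK 3.x body format written by `fls -m` (assumed layout):
# MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime, times in epoch secs.
# Names, inodes and times are made up: four files are "created" on 2004-04-04 but keep
# older modification times; the fifth was written in place in 2001.
BODY = """\
0|/ledger.xls|38-128-1|r/rrwxrwxrwx|0|0|81920|1081080000|1040000000|1081080000|1081080000
0|/accounts/q1.dat|40-128-1|r/rrwxrwxrwx|0|0|4096|1081080120|1050000000|1081080120|1081080130
0|/accounts/q2.dat|41-128-1|r/rrwxrwxrwx|0|0|4096|1081080200|1060000000|1081080200|1081080210
0|/memo.doc|42-128-1|r/rrwxrwxrwx|0|0|2048|1081080300|1070000000|1081080300|1081080300
0|/old/readme.txt|43-128-1|r/rrwxrwxrwx|0|0|512|1081100000|1000000000|1000000000|1000000000
"""


def parse_body(text):
    """Return one dict per body line with just the fields this check needs."""
    rows = []
    for line in text.splitlines():
        f = line.split("|")
        if len(f) < 11:  # skip blanks and anything that is not a body line
            continue
        rows.append({"name": f[1], "mtime": int(f[8]), "crtime": int(f[10])})
    return rows


def utc_day(ts):
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d")


def copy_indicators(rows):
    """Two signs of a file-level copy rather than a sector-level image:
    1. a large share of files created on one day (the day of the copy);
    2. files modified before they were created, which in-place writes never
       produce but copying old files onto a fresh volume does."""
    by_day = Counter(utc_day(r["crtime"]) for r in rows)
    top_day, top_n = by_day.most_common(1)[0]
    before = [r["name"] for r in rows if r["mtime"] < r["crtime"]]
    return {"top_crtime_day": top_day,
            "share_created_that_day": top_n / len(rows),
            "modified_before_created": before}


if __name__ == "__main__":
    report = copy_indicators(parse_body(BODY))
    print("most common creation day: %s (%.0f%% of files)"
          % (report["top_crtime_day"], 100 * report["share_created_that_day"]))
    for name in report["modified_before_created"]:
        print("modified before created:", name)
```

Run it against a real body file with `parse_body(open(path).read())`; a single day holding most creation times, with many files modified before they were created, supports the file-copy reading, while an image preserves the original spread of creation dates.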