Re: [sleuthkit-users] Comparing two similar dd disk images
From: esrkq y. <es...@ya...> - 2005-12-12 00:24:15
Hi Angus,

--- Angus Marshall <an...@n-...> wrote:

> Not sure what you're telling us - are you saying that Drive A was imaged then
> allowed back into service as a "live" drive for 9 months before it was then
> copied to Drive B?

Yes. That is what happened. The forensic examiner turned up and imaged the
server and then left (with the image) but the drive remained and was put
straight back into service, the idea being to create minimal disruption to the
company.

> Either way, a correct imaging process would preserve all timestamps and copy
> all data in unallocated space (slack, deleted etc.). A file copy would
> usually result in modified timestamps (e.g. creation dates would most likely
> change) and no copying of data in unallocated space.

Following your advice I've just had a look in Autopsy at the two filesystems to
try and compare dates on files. It is a mixed picture.

Autopsy creates a table in the 'file analysis' section that goes Written,
Accessed, Changed. Comparing the two images, a lot of directories (i.e. entries
that are listed in Autopsy as a dot (.) or double dot (..)) have a newer
Written date, but many of the files in those directories retain their original
Written date but have newer Accessed and Changed dates. All a bit confusing
really.

One other weird thing: many of the files on the original image have a 'Changed'
date in Autopsy that is the same date that I happen to know is the day that the
disk was imaged by the forensic examiner. I don't know what the Changed date
represents in Autopsy - surely it is the same as the Written date? But hang on,
maybe the Written date in Autopsy is the original Creation date (which I
thought was preserved if files are file copied) and the Changed date is the
date of any subsequent change to the file that is written to disk. All a bit
complicated at this time of night :-)

Thanks for your input.

JP.
--- Angus Marshall <an...@n-...> wrote:

> Not sure what you're telling us - are you saying that Drive A was imaged then
> allowed back into service as a "live" drive for 9 months before it was then
> copied to Drive B?
>
> Either way, a correct imaging process would preserve all timestamps and copy
> all data in unallocated space (slack, deleted etc.). A file copy would
> usually result in modified timestamps (e.g. creation dates would most likely
> change) and no copying of data in unallocated space. Hence, if Drive B was
> "sterile" before the copy, there should be nothing visible/recoverable from
> unallocated and timestamps on the live files are probably incorrect,
> indicating a file copy process. On the other hand, if Drive B is an image of
> Drive A + 9 months live running, any interesting data in unallocated space
> could well have been overwritten during normal operation.
>
> I'd probably start by producing timelines for both drives and looking at the
> deleted files and creation stamps on the live files.
>
> On Sunday 11 December 2005 17:47, esrkq yahoo wrote:
> > Hi,
> >
> > This is a simple story but just need a few steps to tell it so please bear
> > with it :-)
> >
> > 1) Hard disk (call it Drive-A) is imaged in approx June 2003 by a forensic
> > examiner and is subject of a forensic report.
> >
> > 2) March 2004 company that owned Drive-A goes bust.
> >
> > 3) March 2004, Drive-A is retrieved from company offices and 'copied' (don't
> > know whether a file copy or imaged) onto a new hard drive (call it Drive-B).
> >
> > 4) April 2004 Drive-B is sent off to a different forensic examiner and is
> > again subject of a forensic report.
> >
> > 5) I have Drive-A image (dd file) and Drive-B image (dd file) on my
> > computer.
> >
> > 6) Clearly much of the contents of Drive-A image is also on Drive-B image
> > since they have the same heritage separated by about a 9 month time span of
> > normal business activity.
> >
> > 7) However - it appears as though certain relevant files that were on
> > Drive-A image are not present on Drive-B image. In other words the second
> > forensic examiner did not have the benefit of seeing these files as he
> > examined Drive-B (although he must have known they had existed as he read
> > the report produced by the first forensic examiner).
> >
> > 8) Using Autopsy/Sleuthkit I have searched high and low for contents of
> > these files on Drive-B image and they cannot be found in Allocated or
> > Unallocated space.
> >
> > 9) To my mind this could be explained by:
> >
> > a) The Drive-A to Drive-B copy was a 'file copy' process rather than an
> > imaging process AND the files were deleted through normal housekeeping
> > processes from Drive-A sometime before Drive-A was 'copied' to Drive-B AND
> > therefore the contents of these files never hit the platters of Drive-B. If
> > this were the case then no suggestion of foul play.
> >
> > b) The Drive-A to Drive-B copy was an imaging process rather than a file
> > copying process AND the relevant files in question were 'scrubbed' from
> > Drive-B before it was sent to the second forensic examiner and therefore he
> > never had the benefit of seeing them. The timeline produced by
> > Autopsy/Sleuthkit shows plenty of file activity going on after March 2004
> > up to early April 2004.
> >
> > The Big Question
> > Armed only with the information and material (dd images) I already have (in
> > other words without having to ask any further questions) is there any way
> > (using Autopsy/Sleuthkit) I can get an indication as to whether the drive
> > copy of Drive-A to Drive-B was a file copy process or an imaging process?
> > Bear in mind that although the images represent much the same set of
> > information they are in fact separated by 9 months normal business activity.
> >
> > Other Info
> > ----------
> > The dd images are 'partition images' not whole disk images.
> > I am neither a computer forensic expert nor a legal expert.
> >
> > I know the provenance of the Drive-B image can be called into question as
> > the two forensic examiners effectively examined two different 'Documents'
> > but it would still be great to know whether it was a file-copy process or
> > imaging process.
> >
> > This is a civil action not criminal and the files that may have been
> > scrubbed are to do with an accounting programme and a financial spreadsheet.
> >
> > Thanks in advance for any suggestions.
> >
> > Cheers,
> > JP
> >
> > _______________________________________________
> > sleuthkit-users mailing list
> > https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> > http://www.sleuthkit.org
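Angus's suggestion of building timelines for both drives and comparing creation stamps on the live files, worked through as an added example that is not code from the thread or from Sleuthkit itself. It reads two Sleuthkit bodyfiles (the `fls -r -m / image.dd` output that mactime consumes; its last four columns are atime, mtime, ctime and crtime, where mtime/atime/ctime are what Autopsy labels Written/Accessed/Changed and crtime is the creation stamp) and, for every live file on Drive-A, records whether Drive-B holds it with the creation stamp intact, with a new creation stamp, as a deleted entry, or not at all. The TSK 3.x bodyfile layout and the " (deleted)" name suffix are assumed, and the two sample bodyfiles are constructed.

```python
from collections import Counter, namedtuple
from datetime import datetime, timezone

# One bodyfile row per path; the last four bodyfile columns are the four stamps.
Entry = namedtuple("Entry", "atime mtime ctime crtime deleted")

def parse_bodyfile(text):
    """Parse TSK 3.x bodyfile lines: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
    entries = {}
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue  # blank line or comment
        deleted = f[1].endswith(" (deleted)")  # how fls marks unallocated names (assumed)
        name = f[1][:-10] if deleted else f[1]
        entries[name] = Entry(*map(int, f[7:11]), deleted)
    return entries

def compare_drives(a, b):
    """Classify each live file on drive A by what drive B holds at the same path."""
    result, copy_days = Counter(), Counter()
    for name, ea in a.items():
        if ea.deleted:
            continue
        eb = b.get(name)
        if eb is None:
            result["missing_on_b"] += 1      # no trace of the path on B
        elif eb.deleted:
            result["deleted_on_b"] += 1      # reached B, then removed there
        elif eb.crtime == ea.crtime:
            result["crtime_preserved"] += 1  # what an image would show
        else:
            result["crtime_changed"] += 1    # what a file copy would show
            copy_days[datetime.fromtimestamp(eb.crtime, timezone.utc).strftime("%Y-%m-%d")] += 1
    return result, copy_days

# Constructed sample bodyfiles, not case data: Drive-A stamps from mid-2003, Drive-B
# re-created on 2004-03-01 with accounts.xls absent and app.log deleted.
DRIVE_A = """\
0|/docs/accounts.xls|101|r/rrwxrwxrwx|0|0|40960|1055000000|1054000000|1054000000|1050000000
0|/docs/budget.doc|102|r/rrwxrwxrwx|0|0|20480|1055000000|1054100000|1054100000|1051000000
0|/docs/memo.txt|103|r/rrwxrwxrwx|0|0|1024|1055000000|1054200000|1054200000|1052000000
0|/logs/app.log|104|r/rrwxrwxrwx|0|0|8192|1055000000|1054300000|1054300000|1053000000
"""
DRIVE_B = """\
0|/docs/budget.doc|201|r/rrwxrwxrwx|0|0|20480|1078200000|1054100000|1078100000|1078100000
0|/docs/memo.txt|202|r/rrwxrwxrwx|0|0|1024|1078200000|1054200000|1078100000|1078100000
0|/logs/app.log (deleted)|203|r/rrwxrwxrwx|0|0|8192|1078200000|1054300000|1078100000|1078100000
"""
```

Shared files whose creation stamps survive point to an image, while stamps that were all re-set and bunch on one day point to a file copy made that day; `missing_on_b` versus `deleted_on_b` separates files that never reached Drive-B from ones removed after the copy.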