Re: [sleuthkit-users] Comparing two similar dd disk images
From: youcef b. <ybi...@ya...> - 2005-12-12 23:35:34
Hi,

If you tell us what filesystem is in place and what OS/version was
operating at the time that would help in shedding more light on the MAC
time behaviour.

regards
youcef

--- esrkq yahoo <es...@ya...> wrote:

> Hi Angus,
>
> --- Angus Marshall <an...@n-...> wrote:
>
> > Not sure what you're telling us - are you saying that Drive A was
> > imaged then allowed back into service as a "live" drive for 9 months
> > before it was then copied to Drive B ?
>
> Yes. That is what happened. The forensic examiner turned up and imaged
> the server and then left (with the image) but the drive remained and
> was put straight back into service. The idea being to create minimal
> disruption to the company.
>
> > Either way, a correct imaging process would preserve all timestamps
> > and copy all data in unallocated space (slack, deleted etc.). A file
> > copy would usually result in modified timestamps (e.g. creation dates
> > would most likely change) and no copying of data in unallocated space.
>
> Following your advice I've just had a look in Autopsy at the two
> filesystems to try and compare dates on files. It is a mixed picture.
> Autopsy creates a table in the 'file analysis' section that goes
> Written Accessed Changed.
>
> Comparing the two images a lot of directories, i.e. entries that are
> listed in Autopsy as a dot (.) or double dot (..), have a newer Written
> date but many of the files in those directories retain their original
> written date but have newer Accessed and Changed dates. All a bit
> confusing really. One other weird thing - many of the files on the
> original image have a 'Changed' date in Autopsy that is the same date
> that I happen to know is the same day that the disk was imaged by the
> forensic examiner. I don't know what the Changed date represents in
> Autopsy - surely it is the same as the Written date?
>
> But hang on, maybe the written date in Autopsy is the original Creation
> date (which I thought was preserved if files are file copied) and the
> changed date is the date of any subsequent change to the file that is
> written to disk.
>
> All a bit complicated at this time of night :-)
>
> Thanks for your input.
>
> JP.
>
> --- Angus Marshall <an...@n-...> wrote:
>
> > Not sure what you're telling us - are you saying that Drive A was
> > imaged then allowed back into service as a "live" drive for 9 months
> > before it was then copied to Drive B ?
> >
> > Either way, a correct imaging process would preserve all timestamps
> > and copy all data in unallocated space (slack, deleted etc.). A file
> > copy would usually result in modified timestamps (e.g. creation dates
> > would most likely change) and no copying of data in unallocated space.
> > Hence, if Drive B was "sterile" before the copy, there should be
> > nothing visible/recoverable from unallocated and timestamps on the
> > live files are probably incorrect, indicating a file copy process. On
> > the other hand, if Drive B is an image of Drive A + 9 months live
> > running, any interesting data in unallocated space could well have
> > been overwritten during normal operation.
> >
> > I'd probably start by producing timelines for both drives and looking
> > at the deleted files and creation stamps on the live files.
> >
> > On Sunday 11 December 2005 17:47, esrkq yahoo wrote:
> > > Hi,
> > >
> > > This is a simple story but just need a few steps to tell it so
> > > please bear with it :-)
> > >
> > > 1) Hard disk (call it Drive-A) is imaged in approx June 2003 by a
> > > forensic examiner and is subject of a forensic report.
> > >
> > > 2) March 2004 company that owned Drive-A goes bust.
> > >
> > > 3) March 2004, Drive-A is retrieved from company offices and
> > > 'copied' (don't know whether a file copy or imaged) onto a new hard
> > > drive (call it Drive-B).
> > >
> > > 4) April 2004 Drive-B is sent off to a different forensic examiner
> > > and is again subject of a forensic report.
> > >
> > > 5) I have Drive-A image (dd file) and Drive-B image (dd file) on my
> > > computer.
> > >
> > > 6) Clearly much of the contents of Drive-A image is also on Drive-B
> > > image since they have the same heritage separated by about a 9
> > > month time span of normal business activity.
> > >
> > > 7) However - it appears as though certain relevant files that were
> > > on Drive-A image are not present on Drive-B image. In other words
> > > the second forensic examiner did not have the benefit of seeing
> > > these files as he examined Drive-B (although he must have known they
> > > had existed as he read the report produced by the first forensic
> > > examiner).
> > >
> > > 8) Using Autopsy/Sleuthkit I have searched high and low for contents
> > > of these files on Drive-B image and they can not be found in
> > > Allocated or Unallocated space.
> > >
> > > 9) To my mind this could be explained by:
> > >
> > > a) The Drive-A to Drive-B copy was a 'file copy' process rather
> > > than an imaging process AND the files were deleted through normal
> > > housekeeping processes from Drive-A sometime before Drive-A was
> > > 'copied' to Drive-B AND therefore the contents of these files never
> > > hit the platters of Drive-B. If this were the case then no
> > > suggestion of foul play.
> > >
> > > b) The Drive-A to Drive-B copy was an imaging process rather than a
> > > file copying process AND the relevant files in question were
> > > 'scrubbed' from Drive-B before it was sent to the second forensic
> > > examiner and therefore he never had the benefit of seeing them. The
> > > timeline produced by Autopsy/Sleuthkit shows plenty of file activity
> > > going on after March 2004 up to early April 2004.
> > >
> > > The Big Question
> > >
> > > Armed only with the information and material (dd images) I already
> > > have (in other words without having to ask any further questions)
> > > is there any way (using Autopsy/Sleuthkit) I can get an indication
> > > as to whether the drive copy of Drive-A to Drive-B was a
=== message truncated ===
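Angus's suggestion to build timelines for both drives, and JP's question about files that kept their Written date but got imaging-day Changed dates, can be checked mechanically from the body files `fls -m` produces for each dd image. The script below is an added example, not code from the thread or from The Sleuth Kit; it assumes the 11-field body format of current TSK releases and uses constructed sample lines with hypothetical paths and timestamps.

```python
"""Compare two Sleuth Kit body files, one per dd image, to see which Drive-A
files are absent from Drive-B and how their MAC times differ. Assumes the
11-field body format written by `fls -r -m / image.dd` on current TSK:
MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds)."""
from datetime import datetime, timezone

# Constructed sample lines (hypothetical, not data from the thread):
# Drive-A imaged on 2003-06-15, Drive-B written about nine months later.
BODY_A = """\
0|/docs/contract.doc|12|r/rrwxrwxrwx|0|0|4096|1055650000|1040000000|1055650000|1040000000
0|/docs/memo.txt|13|r/rrwxrwxrwx|0|0|512|1055650000|1045000000|1055650000|1045000000
0|/logs/app.log|14|r/rrwxrwxrwx|0|0|8192|1055650000|1055000000|1055000000|1050000000
"""
BODY_B = """\
0|/docs/contract.doc|40|r/rrwxrwxrwx|0|0|4096|1078000000|1040000000|1078000000|1078000000
0|/logs/app.log|41|r/rrwxrwxrwx|0|0|9000|1078500000|1078400000|1078400000|1078000000
"""

def parse_body(text):
    """Return {path: (atime, mtime, ctime, crtime)} from body-file text."""
    out = {}
    for line in text.splitlines():
        f = line.split("|")
        if len(f) != 11:
            continue  # skip malformed lines rather than guess at fields
        out[f[1]] = tuple(int(x) for x in f[7:11])
    return out

def day_of(ts):
    return datetime.fromtimestamp(ts, timezone.utc).date()

def compare(body_a, body_b, imaging_ts):
    """Report A-only paths, file-copy signatures, and A files whose Changed
    time (ctime: inode/metadata change on Unix filesystems) is on imaging day."""
    a, b = parse_body(body_a), parse_body(body_b)
    img_day = day_of(imaging_ts)
    report = {"missing": [], "copied_not_imaged": [], "ctime_on_imaging_day": []}
    for path, (atime, mtime, ctime, crtime) in a.items():
        if ctime and day_of(ctime) == img_day:
            report["ctime_on_imaging_day"].append(path)
        if path not in b:
            report["missing"].append(path)
            continue
        b_atime, b_mtime, b_ctime, b_crtime = b[path]
        # Same mtime but a newer crtime is what a file-level copy leaves
        # behind; a sector-level image would carry the original crtime over.
        if b_mtime == mtime and b_crtime > crtime:
            report["copied_not_imaged"].append(path)
    return report
```

Run it against real body files by reading them into `BODY_A`/`BODY_B` and passing the known imaging time as `imaging_ts`; paths that land in `missing` are the candidates to search for in unallocated space, as step 8 of the original post describes.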