Re: [sleuthkit-users] Comparing two similar dd disk images
From: esrkq y. <es...@ya...> - 2005-12-13 12:51:08
Many thanks to all who have replied. The original (Drive-A) server OS was Windows 2000 and the filesystem NTFS. The second image (Drive-B) is also of an NTFS partition. Neither image contains the Windows 2000 system files, which I believe resided on a separate boot partition. I've asked my friend about sending out the timelines but he is unwilling to (but thank you for your kind offer, Angus :). I have also learned of an additional complication: it appears as though the employee who copied the contents of Drive-A to Drive-B (2 months prior to Drive-B being handed over to the 2nd forensic examiner) had access to a tape backup system, which I suppose he could have used.

Also, Dave Gilbert said:

> With some operating systems, I've seen
> where Create dates of files copied part and parcel
> with a folder (directory) copy were maintained and
> only the folder (and its two children, . and ..)
> Create date changed. If all your folder
> Create/Changed dates are the same, and their child
> files are different and varied, that could indicate
> a copy, folder by folder, depending on OS and media

That is interesting, Dave, because this has definitely happened in this case. Many of the folder create/changed dates are the same (and newer) but the underlying files have retained their original dates. But, having said that, it is a mixed picture. I think Drive-B began life as a folder-by-folder copy but subsequently stuff was deleted and moved/copied around. This has led to a mixture of some files with their original dates and some with newer dates. As already stated by others, to really get to the bottom of it a deep review would be needed, and at the moment it is probably not warranted. At the present time it is enough that the 'important files' that were on Drive-A are not on Drive-B, and in the first instance that requires an explanation from the other side.
Just as an aside, I've been reading a bit about file slack space and I was wondering: if Drive-B had originally been imaged from Drive-A (as opposed to file copied), the last cluster of many of the files would contain the same slack content as on Drive-A. If I could set up a test comparing the last cluster of each file between Drive-A and Drive-B and found a significantly high correlation between them, would that provide a valid indicator suggesting Drive-B was imaged? Although I couldn't find a definitive source on the internet, I gathered from what I did find that a file-by-file copy would not retain the slack content.

Once again, thanks for all the suggestions,
JP
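The slack comparison JP proposes above, as an added example that is not part of the original post and not code from The Sleuth Kit. It assumes that for each file present on both images you have already extracted the logical file size and the raw bytes of the file's last allocated cluster (with The Sleuth Kit that would be istat for the cluster run and icat or dd for the cluster itself; the script does not call them), that the sector and cluster sizes are 512 and 4096 bytes (check with fsstat), and that NTFS zero-fills the remainder of the sector containing end-of-file on write, so only the whole sectors after it can carry old content. Two things the script builds in that a raw "same bytes?" test would miss: NTFS-resident files (small files stored inside the MFT record) have no last cluster and must be left out of the input, and a file whose slack is all zeros on Drive-A says nothing, because a copy onto a freshly zeroed volume would also give all-zero slack on Drive-B. The sample images are constructed inline so the script runs offline.

```python
"""Slack-space comparison between two disk images, file by file.

Added example (not code from the original post or from The Sleuth Kit).
Input per file: logical size plus the raw bytes of its last allocated
cluster. Sample data below is constructed inline, not from any real image.
"""

SECTOR = 512      # assumed sector size
CLUSTER = 4096    # assumed NTFS cluster size (8 sectors); confirm with fsstat


def slack_region(file_size, cluster=CLUSTER, sector=SECTOR):
    """Offsets (start, end) inside the last cluster of the slack that can
    still hold old content: the whole sectors after the one containing EOF.
    Assumption: NTFS zero-fills the tail of the EOF sector on write, so only
    the following sectors are worth comparing. Returns None when the file is
    empty, ends exactly on a cluster boundary, or leaves no unused sector."""
    used = file_size % cluster
    if used == 0:
        return None
    start = ((used + sector - 1) // sector) * sector   # EOF rounded up to a sector
    return (start, cluster) if start < cluster else None


def compare_slack(image_a, image_b, cluster=CLUSTER, sector=SECTOR):
    """image_a / image_b: {path: (file_size, last_cluster_bytes)}.
    Counts files common to both images, those with comparable slack, those
    whose slack on A is non-zero ('informative'), and how many of those match
    byte-for-byte on B. Files whose sizes differ are skipped: they cannot be
    untouched clones of each other."""
    stats = {"common": 0, "with_slack": 0, "informative": 0,
             "matching": 0, "mismatching": []}
    for path in sorted(set(image_a) & set(image_b)):
        stats["common"] += 1
        size_a, last_a = image_a[path]
        size_b, last_b = image_b[path]
        if size_a != size_b:
            continue
        region = slack_region(size_a, cluster, sector)
        if region is None:
            continue
        stats["with_slack"] += 1
        start, end = region
        slack_a, slack_b = last_a[start:end], last_b[start:end]
        if not any(slack_a):
            continue          # all-zero slack on A carries no signal
        stats["informative"] += 1
        if slack_a == slack_b:
            stats["matching"] += 1
        else:
            stats["mismatching"].append(path)
    return stats


def match_ratio(stats):
    """Fraction of informative files whose slack matched; None if no signal."""
    return stats["matching"] / stats["informative"] if stats["informative"] else None


def build_last_cluster(file_size, residue, cluster=CLUSTER, sector=SECTOR):
    """Construct a plausible last cluster for test data: deterministic file
    bytes up to EOF, zeros to the sector boundary, then `residue` repeated
    through the remaining sectors (the old content a dd clone would carry)."""
    used = file_size % cluster
    buf = bytearray(cluster)
    buf[:used] = bytes(i & 0xFF for i in range(used))
    region = slack_region(file_size, cluster, sector)
    if region:
        start, end = region
        buf[start:end] = (residue * ((end - start) // len(residue) + 1))[:end - start]
    return bytes(buf)


# Constructed sample images (not real data).
IMAGE_A = {
    "docs/report.doc": (5000, build_last_cluster(5000, b"OLD-MAIL-FRAGMENT ")),
    "img/logo.bmp":    (100,  build_last_cluster(100,  b"\x00\x00deleted.xls")),
    "docs/notes.txt":  (8192, build_last_cluster(8192, b"irrelevant")),  # no slack
    "tmp/empty.dat":   (0,    b""),                                        # no cluster
}
# Drive-B as a dd clone: every last cluster identical to Drive-A.
IMAGE_B_CLONE = dict(IMAGE_A)
# Drive-B as a file-by-file copy: same file bytes, unrelated slack.
IMAGE_B_COPY = {
    "docs/report.doc": (5000, build_last_cluster(5000, b"\x00")),           # zeroed volume
    "img/logo.bmp":    (100,  build_last_cluster(100,  b"other-residue ")), # reused cluster
    "docs/notes.txt":  (8192, build_last_cluster(8192, b"x")),
    "extra/new.txt":   (10,   build_last_cluster(10,   b"z")),              # only on B
}

if __name__ == "__main__":
    for label, image_b in (("dd clone", IMAGE_B_CLONE), ("file copy", IMAGE_B_COPY)):
        s = compare_slack(IMAGE_A, image_b)
        print(f"{label}: {s['matching']}/{s['informative']} informative files match "
              f"(ratio {match_ratio(s)}); mismatches: {s['mismatching']}")
```

A high ratio over many files with non-zero slack is the indicator JP is after; a low ratio on files whose content and size are unchanged is what a file copy looks like. Files modified after the copy will naturally mismatch and say nothing about how Drive-B was created, so the count of informative files should be read alongside the timeline.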