A day in the life of a Forensics Investigator

Discussion of computer forensics employment and career issues.

gmarshall139
Senior Member
 

Re: A day in the life of a Forensics Investigator

Post Posted: Oct 26, 05 12:23

- Wardy
Wouldn't it be more advisable to forensically copy the hard disk drive, clone it onto a drive with identical spec and use the clone to work from? The original evidence has never been tampered with, data recovery tools may still be run.

If the court have concerns regarding the changing of evidence/tampering, by using a second clone drive, you could demonstrate your methods to the court without altering the original evidence!


I think this is possible, but you are open to more questions than are necessary. As you work from the clone you are altering it. I like to check and point out in my reports that the image I'm working from is a true image, both at the beginning of an analysis, and at its conclusion. Otherwise you are pulling evidence off a clone that is not a true image from the moment you begin your analysis. You could mitigate this somewhat by attaching your clone via a write blocking device, but it will limit what functions you can perform on the drive and be more frustrating than fruitful.
_________________
Greg Marshall, EnCE 
 
  

zyborski
Member
 

Re: A day in the life of a Forensics Investigator

Post Posted: Oct 26, 05 17:19

In relation to data recovery.

In the 'truest' sense most forensic tools are not adequate for data recovery purpose, as they will only image the sectors that they can easily read (certainly true of Encase prior to V5 where one bad sector in 64 resulted in 64 dropped sectors). True data recovery tools work very differently to 'imaging' products.

Attempting data recovery techniques on a 'cloned' copy of the original MAY therefore result in missed data

just a thought.....  
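
The read-granularity effect described in the post above, as an added example that is not part of the original thread and not the code of EnCase or any other tool: a constructed in-memory disk with two bad sectors is imaged once with whole 64-sector blocks dropped on error and once with a per-sector retry. `SimulatedDisk` and `image` are hypothetical names.

```python
import hashlib

SECTOR = 512
BLOCK_SECTORS = 64  # read granularity mentioned in the post


class SimulatedDisk:
    """Constructed stand-in for a failing drive: a read touching a bad sector raises."""

    def __init__(self, total_sectors, bad_sectors):
        self.total = total_sectors
        self.bad = set(bad_sectors)

    def read(self, start, count):
        if any(s in self.bad for s in range(start, start + count)):
            raise IOError(f"unreadable sector in {start}..{start + count - 1}")
        # Deterministic, non-zero content per sector so lost data is measurable.
        return b"".join(hashlib.sha256(str(s).encode()).digest() * 16
                        for s in range(start, start + count))


def image(disk, retry_per_sector):
    """Image in 64-sector blocks; return (image_bytes, list of zero-filled sectors)."""
    out, lost = bytearray(), []
    for start in range(0, disk.total, BLOCK_SECTORS):
        count = min(BLOCK_SECTORS, disk.total - start)
        try:
            out += disk.read(start, count)
        except IOError:
            # On failure, either give up on the whole block or retry sector by sector.
            step = 1 if retry_per_sector else count
            for s in range(start, start + count, step):
                n = min(step, start + count - s)
                try:
                    out += disk.read(s, n)
                except IOError:
                    out += bytes(n * SECTOR)  # zero-fill what could not be read
                    lost.extend(range(s, s + n))
    return bytes(out), lost


disk = SimulatedDisk(total_sectors=256, bad_sectors=[70, 200])  # constructed sample
coarse_img, coarse_lost = image(disk, retry_per_sector=False)
fine_img, fine_lost = image(disk, retry_per_sector=True)
print(len(coarse_lost), "sectors zero-filled without retry;", len(fine_lost), "with retry")
```

Both images have the same length, so the loss only shows up if the imaging log records which sectors were zero-filled.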
 
  

Wardy
Senior Member
 

Re: A day in the life of a Forensics Investigator

Post Posted: Oct 27, 05 08:18

- zyborski
In relation to data recovery.

In the 'truest' sense most forensic tools are not adequate for data recovery purpose, as they will only image the sectors that they can easily read (certainly true of Encase prior to V5 where one bad sector in 64 resulted in 64 dropped sectors). True data recovery tools work very differently to 'imaging' products.

Attempting data recovery techniques on a 'cloned' copy of the original MAY therefore result in missed data

just a thought.....


You are absolutely right. I had based my answer upon the drive not suffering with bad sectors.
 
  

RoboGeek
Member
 

Re: A day in the life of a Forensics Investigator

Post Posted: Oct 28, 05 21:16

That's why I tried to narrow my answer specifically to data recovery situations where either the drive failed or the user tried to destroy it. There are issues with not only forensic software, but data recovery software.
_________________
I used to be a lifeguard, but some blue kid got me fired.

Business Network Solutions 
 
