List:       forensics
Subject:    RE: Linux, dd, and image file
From:       "Altheide, Cory B." <AltheideC () nv ! doe ! gov>
Date:       2003-04-04 16:55:46

> -----Original Message-----
> From: Stephen Samuel [mailto:samuel@bcgreen.com] 
> Sent: Thursday, April 03, 2003 10:30 AM
> To: forensics@securityfocus.com; jcreyes@007mundo.com
> Subject: Re: Linux, dd, and image file
> 
> 
> One problem with imaging each partition is that you may miss 
> some pertinent information.  The partitions don't always 
> encompass the entire disk, and a knowledgeable intruder might 
> store info in the inter-partition spaces. (one example 
> includes a recent to-do about some Windows Tax software that 
> stored copy-protection information in unused portions of the 
> boot track)
> 

A knowledgeable investigator might image the inter-partition spaces (and
pre-/post-partition spaces), as well as the partitions. :)

Cory Altheide
Computer Forensics Specialist
NCI Information Systems, Inc.
NNSA Cyber Forensics Center
altheidec@nv.doe.gov


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
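
Added example, not part of the original message or written by either poster: a sketch that reads the four primary entries of an MBR partition table and lists the pre-, inter- and post-partition sector runs an examiner would image alongside the partitions. The 512-byte sector size, the `/dev/sdX` device name, the output file names and the sample layout are assumptions; logical volumes inside an extended partition are not walked.

```python
import struct

SECTOR = 512  # assumed sector size

def build_sample_mbr(parts):
    """Constructed sample input: MBR built from (type, start_lba, num_sectors) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(parts):
        off = 446 + 16 * i                      # partition table starts at byte 446
        mbr[off + 4] = ptype                    # partition type byte
        struct.pack_into("<II", mbr, off + 8, start, count)
    mbr[510:512] = b"\x55\xaa"                  # boot signature
    return bytes(mbr)

def parse_primary_partitions(mbr):
    """Return sorted (start_lba, num_sectors) for each non-empty primary entry."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature 0x55AA")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        ptype = mbr[off + 4]
        start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count > 0:
            parts.append((start, count))
    return sorted(parts)

def unpartitioned_gaps(mbr, disk_sectors):
    """Return (start_lba, num_sectors) runs not covered by any primary partition."""
    gaps, cursor = [], 0
    for start, count in parse_primary_partitions(mbr):
        if start > cursor:                      # space before this partition
            gaps.append((cursor, start - cursor))
        cursor = max(cursor, start + count)     # max() tolerates overlapping entries
    if cursor < disk_sectors:                   # space after the last partition
        gaps.append((cursor, disk_sectors - cursor))
    return gaps

def dd_commands(gaps, device="/dev/sdX"):       # device name is a placeholder
    """One dd invocation per gap, addressed by sector offset and length."""
    return [f"dd if={device} of=gap_{s}.dd bs={SECTOR} skip={s} count={n} conv=noerror,sync"
            for s, n in gaps]

# Constructed layout: 1,000,000-sector disk with two partitions.
SAMPLE = build_sample_mbr([(0x83, 63, 400000), (0x07, 401000, 500000)])
```

The first run reported starts at sector 0, so it covers the MBR and the rest of the boot track ahead of the first partition.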
