
Re: [Full-Disclosure] Reacting to a server compromise



Our old standby, "dd", is perfectly acceptable for making an image of
a hard drive to be used in court.  It's even the #1 choice of the FBI,
and accepted by U.S. federal courts.  From the trial court order on
admission of evidence in the case of Zacarias Moussaoui (the accused
20th hijacker of 9/11):

   Authentication

   The foundation of standby counsel's discovery requests regarding
   the computer and e-mail evidence rests upon their complaints
   regarding the "authentication" of the hard drives provided in
   discovery. "Authentication" in this context means the process of
   ensuring that the duplicate of the hard drive provided in discovery
   is an exact copy of what the FBI originally acquired. As FBI
   Supervisory Special Agent Dara Sewell explains in her attached
   affidavit, the FBI uses three different methods to duplicate or
   image a hard drive:

   (1) GNU/Linux routine dd command via Red Hat Linux 7.1 (hereafter
   "Linux dd");

   (2) Safeback version 2.18 imaging software by New Technologies
   (hereafter "Safeback");

   (3) Solitaire Forensics Kit, SFK-000A hand-held disk duplicator by
   Logicube, Inc.


http://notablecases.vaed.uscourts.gov/1:01-cr-00455/docs/68092/0.pdf

-- 
David Hayes    Network Security Operations Center     MCI Network Svcs
email: david.hayes@MCI.com      vnet: 777-7236     voice: 972-729-7236
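The imaging-plus-"authentication" step the quoted order describes (hash the source, copy it bit-for-bit with dd, hash the copy, and be able to re-check that hash later), written out as an added example that is not part of the original post or of the FBI procedure. It assumes GNU/Linux coreutils (dd, sha256sum) and stands a constructed 64 KiB file in for a real drive; the function and path names are chosen here.

```shell
# Added example, not from the original post: image a source with dd, then
# "authenticate" the copy by hashing. Assumes GNU/Linux coreutils (dd,
# sha256sum); paths are placeholders and the demo uses a constructed file.

hash_of() { sha256sum "$1" | awk '{print $1}'; }

# image_and_verify SOURCE IMAGE MANIFEST: hash the source first, copy it
# bit-for-bit with dd (no conv=sync, which would zero-pad bad sectors and
# change the hash), hash the image, re-hash the source, record all three in
# MANIFEST and succeed only if they agree.
image_and_verify() {
    src=$1; img=$2; manifest=$3
    pre=$(hash_of "$src") || return 1
    dd if="$src" of="$img" bs=4096 2>/dev/null || return 1
    imgh=$(hash_of "$img") || return 1
    post=$(hash_of "$src") || return 1
    {
        echo "source=$src"; echo "image=$img"; echo "bytes=$(wc -c < "$img")"
        echo "sha256_source_before=$pre"
        echo "sha256_image=$imgh"
        echo "sha256_source_after=$post"
        echo "imaged_at=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$manifest"
    [ "$pre" = "$imgh" ] && [ "$post" = "$imgh" ]
}

# verify_image IMAGE MANIFEST: re-hash a stored image later (for instance
# before it is handed over in discovery) against the hash recorded at imaging time.
verify_image() {
    recorded=$(sed -n 's/^sha256_image=//p' "$2")
    [ -n "$recorded" ] && [ "$(hash_of "$1")" = "$recorded" ]
}

# demo_run: image a constructed 64 KiB "disk" file (no real device), confirm the
# image verifies, then alter one byte of it (the sample never contains 'X') and
# confirm verify_image rejects it. Prints "ok" and returns 0 only if both hold.
demo_run() {
    w=$(mktemp -d) || return 1
    yes 'constructed sample sector data' | head -c 65536 > "$w/disk.raw"
    image_and_verify "$w/disk.raw" "$w/disk.img" "$w/manifest.txt" || { rm -rf "$w"; return 1; }
    verify_image "$w/disk.img" "$w/manifest.txt" || { rm -rf "$w"; return 1; }
    printf 'X' | dd of="$w/disk.img" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$w/disk.img" "$w/manifest.txt"; then rc=1; else rc=0; echo ok; fi
    rm -rf "$w"; return $rc
}
```

On a real acquisition the source would be a block device opened read-only, and the manifest is what lets a second party repeat the hash check independently.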
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html