Six Articles on Electronic - Craig Ball
Craig Ball © 2007
Now, copy the data from the thumb drive, floppy or optical media back to a Windows machine and the operating system has a bunch of empty metadata slots and pigeonholes to fill. Not receiving a value for the jettisoned system metadata, it simply makes something up! That is, it takes the last modified date and uses it to fill both the slot for last modified date and the slot for last accessed date. That's worse. So, if we can't copy a file by…copying it, what do we do?
The answer is that you have to use tools and techniques designed to preserve system metadata or you must record the metadata values before you alter them by copying. Various tools and techniques exist to duplicate files on Windows systems without corrupting metadata. One that Windows users already own is Microsoft Windows Backup. If you have Windows XP Pro installed, you'll probably find Windows Backup in Accessories>System Tools. If you use Windows XP Home Edition, Windows Backup wasn't automatically installed, but you can install it from valueadd/MSFT/ntbackup on your system CD.
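The "record the metadata values before you alter them" approach, as an added illustration that is not code from the article: a manifest of size, timestamps and a SHA-256 hash is captured before the file is touched, then compared against the copy. The sample file and its backdated timestamps are constructed; `demo()` is a hypothetical helper, and the timestamp semantics assume a Linux or macOS host.

```python
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_of(path):
    """Content hash used to authenticate the copy against the source."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def record_metadata(path):
    """Capture system metadata first: reading the file for hashing may itself
    update its last-accessed time, so stat() must come before the read."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "mtime_ns": st.st_mtime_ns,   # last modified
        "atime_ns": st.st_atime_ns,   # last accessed
        "ctime_ns": st.st_ctime_ns,   # inode change (creation time on Windows)
        "sha256": sha256_of(path),
    }


def compare_metadata(before, after):
    """Names of the manifest fields that differ between source and copy."""
    return sorted(k for k in before if before[k] != after[k])


def demo(naive=True):
    """Copy a constructed, backdated file and report which metadata was lost."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "memo.txt")
    with open(src, "w") as f:
        f.write("constructed sample content\n")
    old = int(datetime(2007, 1, 15, tzinfo=timezone.utc).timestamp()) * 10**9
    os.utime(src, ns=(old, old))          # backdate so a lost value is visible
    before = record_metadata(src)
    dst = os.path.join(tmp, "copy", "memo.txt")
    os.makedirs(os.path.dirname(dst))
    if naive:
        shutil.copyfile(src, dst)         # content only; timestamps become "now"
    else:
        shutil.copy2(src, dst)            # copystat re-applies atime and mtime
    diff = compare_metadata(before, record_metadata(dst))
    shutil.rmtree(tmp)
    return diff
```

The inode-change time can never be copied back by a user process, so it always shows up in the diff; the manifest is what lets you prove what the original values were.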
So far, we've talked only about copying a file and its system metadata. But each file comes from a complex environment containing lots of data illuminating the origins, usage, manipulation and even destruction of files. Some of this information is readily accessible to a user, some is locked by the operating system and much more is inaccessible to the operating system, lurking in obscure areas such as "unallocated clusters" and "slack space." When you copy a file and its metadata, all of this information is left behind. Even if you copy all the active files on the hard drive, you won't preserve the revealing latent data. To do that, you have to go deeper than the operating system and create a forensically sound copy.
The classic definition of a forensically sound copy is that it's an authenticable duplicate of a storage medium by a method that doesn't alter the source and reflects or can reliably reconstruct every readable byte and sector of the source with nothing added, altered or omitted. It's a physical, rather than a logical, duplicate of the original.
A forensically sound copy may be termed a clone, drive image, bit stream duplicate, snapshot or mirror. As long as the copy is created in a way that preserves latent information and can be reliably authenticated, the name doesn't matter, though drive image denotes a duplicate where the contents of the drive are stored or compressed in one or more files which can be reconstituted as a forensically sound copy, and some use snapshot to mean a full system backup of a server that doesn't preserve latent data.
Beware the misguided use of Symantec Corp.'s Ghost or other off-the-shelf duplication programs. Though it's possible to create a forensically sound drive clone with Ghost, I've never seen it done correctly in the wild. Instead, IT personnel invariably use Ghost in ways that don't preserve latent data and alter the original. Usually this flows from ignorance; occasionally, it's an intentional effort to frustrate forensic examination.
There is no single approved way to create a forensically sound copy of a drive. Several hardware and software tools are well suited to the task, each with strengths and weaknesses. Notables include Guidance Software Inc.'s EnCase, the no-cost Linux "dd" (data dump) function, AccessData Corp.'s Forensic Toolkit, X-Ways Software Technology AG's X-Ways Forensics, Paraben Corp.'s Replicator and drive duplication devices from Intelligent Computer Solutions Inc. and Logicube Inc. There are many different types of digital media out there, and a tool appropriate to one may be incapable of duplicating another. You have to know what you're doing and select the correct application for the job.