[Dataloss] TN: Election Commission laptop harddrive found
Chris Walsh
chris at cwalsh.org
Sat Jan 19 05:19:24 UTC 2008
Sorry folks -- my sarcasm was not as overt as I thought when I made my
original comment.
I had in mind reading/writing via a raw device (to use UNIX parlance),
which would make your actions undetectable -- much as David is saying.
The Attrition folks have a rant on this subject -- http://attrition.org/dataloss/forensics.html
On Jan 18, 2008, at 2:38 PM, David C. Smith wrote:
> I am not sure about ghost, but it can be done with the unix dd command.
> It creates a forensically sound bit image of the source.
> http://www.forensicswiki.org/wiki/Dd. Dd images do hold up in court as
> evidence and you can use MD5 sums to prove changes were not made. You
> may also view the drive with write blockers like
> http://www.forensicswiki.org/index.php?title=Write_Blockers which would
> not alter the source drive.
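
The dd-plus-MD5 workflow discussed in this thread, as an added example that is not part of either original message: it images a source with dd, checks that reading left the source hash unchanged, and later detects a one-byte change to the image. A regular file of zeros stands in for the raw device, and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example: a constructed file stands in for the raw device (assumption).

# acquire_image SRC IMG: copy SRC to IMG with dd and record the MD5 in IMG.md5.
acquire_image() {
    src=$1; img=$2
    # Hash the source before and after the read: reading must not change it.
    before=$(md5sum < "$src" | cut -d' ' -f1)
    dd if="$src" of="$img" bs=65536 2>/dev/null || return 1
    after=$(md5sum < "$src" | cut -d' ' -f1)
    imgsum=$(md5sum < "$img" | cut -d' ' -f1)
    [ "$before" = "$after" ] || { echo "source changed during acquisition" >&2; return 2; }
    [ "$before" = "$imgsum" ] || { echo "image differs from source" >&2; return 3; }
    # Sidecar file holding the hash taken at acquisition time.
    printf '%s\n' "$imgsum" > "$img.md5"
}

# verify_image IMG: succeed only if IMG still matches its recorded MD5.
verify_image() {
    img=$1
    recorded=$(cat "$img.md5") || return 1
    current=$(md5sum < "$img" | cut -d' ' -f1)
    [ "$recorded" = "$current" ]
}

# Demonstration on constructed data in a temporary directory.
demo() {
    work=$(mktemp -d) || return 1
    # Constructed 256 KiB "drive" filled with zero bytes.
    dd if=/dev/zero of="$work/source.bin" bs=65536 count=4 2>/dev/null
    acquire_image "$work/source.bin" "$work/image.dd" || return 1
    verify_image "$work/image.dd" && echo "image verified"
    # Overwrite one byte of the image in place, keeping its length.
    printf 'X' | dd of="$work/image.dd" bs=1 seek=1000 conv=notrunc 2>/dev/null
    verify_image "$work/image.dd" || echo "modification detected"
    rm -rf "$work"
}
demo
```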