On Tue, 07 Jan 2003 at 19:51 -0800, Blars said:

> In article <1041995302.6379.49.camel@cartman.veeev.net> viv@veeev.com writes:
> > I am looking for forensics tools that can be used in computer
> > crime investigations, and am particularly interested in a tool
> > that provides raw drive (hard, floppy, CD, DVD, etc.) access in
> > order to create complete and accurate drive images.
>
> Low level tools are no trick at all. If you are root or root has given
> you access (recommended), you can use any normal tools (dd, grep, perl)
> on the appropriate /dev/hd* or /dev/sd* .
>
> You can mount the filesystem read-only if you don't want to access
> deleted files, etc.

As far as I know, when you do something like:

    dd if=/dev/org_dev of=/dev/dest_dev

you are passing through 2 interfaces you don't control, or at least you
don't have direct control of them. I am talking about the drivers of the
devices, which can make some modifications to the data. A look at the
drivers, driver_open(), driver_close(), driver_read() and so on, has to be
done to fully understand what they are doing with the data, not to mention
the functionality implemented by the hardware, like error checking and
other things.

I have never looked at any hard disk driver, but I think you will have to
do it if you want to be sure. Maybe you can disable some hardware
functionality with some IOCTL.

-- 
Alberto Cortés Martín       | Telecommunications Engineer
email: alcortes@coitt.es    | Universidad Carlos III
Jabber and MSN: alcortes43  | Madrid
ICQ#: 101088159             | Spain
url: http://montoya.aig.uc3m.es/~acortes/index.html
1A8B 0FE6 2094 8E48 38A2 7785 03CD 07CD 6CA4 E242
Attachment:
pgp3Q3DtgosxC.pgp
Description: PGP signature
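Worked example, added here and not code posted by Blars, Alberto or viv: a small POSIX shell script that does what Blars describes, dd straight from the /dev node, and adds the check Alberto's concern calls for, hashing the source device and the resulting image independently and comparing the digests, so that anything altered on the way from the platters to the file shows up as a mismatch. It assumes Linux with GNU coreutils (sha256sum) and util-linux (blockdev); the paths /dev/sdb and /evidence/sdb.raw in the comments are placeholders, and the sample "devices" the demo images are constructed files of random bytes, not real disks.

```shell
#!/bin/sh
# Added example for this thread, not code posted by Blars or Alberto.
# Raw imaging with dd from the /dev node, plus the check the thread's
# concern calls for: hash the source and the image independently and
# compare, so anything changed between the device and the file (driver,
# disk-side error handling, dd's own padding) shows up as a mismatch.
# Assumes Linux with GNU coreutils (sha256sum) and util-linux (blockdev).
# SRC/IMG are caller-supplied paths, e.g. /dev/sdb and /evidence/sdb.raw.

set -eu

# Digest of a file or block device; prints the hex digest only.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_device SRC IMG
#   Copy SRC to IMG one 512-byte sector at a time and verify the copy.
#   conv=noerror,sync keeps reading past a bad sector and pads that read
#   with NULs, so the image stays offset-for-offset aligned with the
#   device; bs=512 confines the zero fill to the failed sector and, since
#   a real disk is a whole number of sectors, never pads past its end.
#   dd's record counts go to IMG.log, both digests to IMG.sha256.
#   Returns 0 when the digests match, 1 when they differ. Call it in an
#   'if' so that a mismatch is reported rather than aborting under set -e.
image_device() {
    src=$1
    img=$2
    if [ -b "$src" ]; then
        blockdev --setro "$src"   # BLKROSET ioctl: block layer refuses writes (root)
    fi
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>"$img.log"
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$img_hash" "$img" >"$img.sha256"
    if [ "$src_hash" = "$img_hash" ]; then
        return 0
    fi
    return 1
}

# mount_image_ro IMG MNT
#   File-level work happens on the image, read-only over a loop device,
#   never on the original device (root).
mount_image_ro() {
    mount -o ro,loop,noexec,nodev "$1" "$2"
}

# make_sample_source PATH BYTES
#   Constructed stand-in for a device: BYTES of random data in a plain
#   file, so the imaging path can be exercised without a real disk.
make_sample_source() {
    head -c "$2" /dev/urandom >"$1"
}

# Demo: ./image.sh --demo images two stand-ins and reports the result.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    make_sample_source "$work/disk0" 4096      # 8 whole sectors
    make_sample_source "$work/disk1" 1000      # not a sector multiple
    for d in disk0 disk1; do
        if image_device "$work/$d" "$work/$d.raw"; then
            echo "$d: image verified"
        else
            echo "$d: DIGEST MISMATCH, see $work/$d.raw.sha256"
        fi
    done
fi
```

The second stand-in in the demo is the failure mode worth knowing: its size is not a multiple of 512, so conv=sync pads the last read and the image is 24 bytes longer than the source, and the digests differ even though nothing was read wrongly. The same happens on a real disk whenever bs is larger than a sector and the disk size is not a multiple of it, which is why the comparison is run on every image rather than trusted from dd's exit status. From user space this is as far as you can go: blockdev --setro makes the kernel refuse writes and the hash check verifies what was read; the driver and firmware behaviour Alberto worries about is what a hardware write-blocker between the controller and the drive is for.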