Computer Forensics World :: View topic - Encase-Duplicate Copy question
Encase-Duplicate Copy question

 
kmitconsult
Newbie

Joined: Feb 10, 2015
Posts: 2

Posted: Wed Feb 11, 2015 1:53 am    Post subject: Encase-Duplicate Copy question

I am involved in a case dating back to a 2006 computer. I am not the forensic expert but helping out in some other areas.

The computer has two hard drives set up in a RAID 0 structure.

The State is required to create an identical copy of the drive(s) for their use and one for our use.

The State used Encase 5.05e for their initial examination.

The "identical" copy they created is on a single drive.

Other than the obvious of having one physical device versus two, what technical arguments can be made that the duplicate copy is NOT truly an identical copy?

People with an understanding of how Encase creates a duplicate of two drives into one would be helpful.

Thanks.

cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Wed Feb 11, 2015 3:16 am

Identical copy would be an identical copy of the data on the drive / drives. They should have created a hash of the drive prior to imaging it, and then hashed the image. If the hashes match, they are identical.

kmitconsult
Newbie

Joined: Feb 10, 2015
Posts: 2

Posted: Wed Feb 11, 2015 5:22 am

Thanks Cybercop. We will be checking the hashes for accuracy.

I was aware of some known issues in making copies when a hardware controller was in place. In this case, it was a software RAID.

Anybody that could think of any possible issues with a software RAID would be helpful (specifically related to Encase).

cybercop
Newbie

Joined: Nov 01, 2005
Posts: 551
Location: Marion, Indiana, USA

Posted: Wed Feb 11, 2015 5:41 am

Once again, if the hashes match, the data matches. If you are hinging your entire case on proving that the evidence that was collected should be tossed due to a technicality, you are probably going to be very disappointed. You would stand a better chance of proving that the system was infected with malware and the malware did the illegal activities than getting it tossed due to technicality.

PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Feb 11, 2015 11:51 am

Can you define "identical copy"? A forensically sound copy can take many forms.

As reference, if you have two 500 GB drives, an examiner could easily create forensic container files of each drive, such as Expert Witness Format (EWF), typically seen as E01, E02, etc., or DD (a RAW format), seen as 001, 002, etc., and fit them on a single 1 TB drive.

Or the examiner could have mounted the RAID and created a logical copy of the RAID also on one drive.

Thus your "obvious" problem is not as big a problem as you perceive.

athulin
Newbie

Joined: Oct 19, 2007
Posts: 238

Posted: Thu Feb 12, 2015 1:47 am    Post subject: Re: Encase-Duplicate Copy question

kmitconsult wrote:
The "identical" copy they created is on a single drive.


The question, then, is what exactly did they copy? Are we talking about a RAID 1, in which HD A is a copy of HD B, as far as user data is concerned, or is it some other RAID construction, and the copy was made 'above/after' the RAID level?

If this is a RAID 1, in which the RAID system reserves some sectors for internal purposes, you might find that you can image disk A and disk B all day long, and they will not be identical if you rely on hashes alone.
Back to top
View user's profile
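
The point raised in the replies above, that a hash only verifies a copy against the same object that was hashed, shown as an added example that is not part of the thread. It assumes a two-disk RAID 0, SHA-256 as the hash, a tiny constructed stripe size and constructed sample data; all function names are hypothetical.

```python
import hashlib

STRIPE = 4  # constructed stripe size in bytes; real arrays use e.g. 64 KiB


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stripe_raid0(volume: bytes, members: int = 2, stripe: int = STRIPE) -> list[bytes]:
    """Distribute a logical volume across member disks the way RAID 0 does."""
    disks = [bytearray() for _ in range(members)]
    for i in range(0, len(volume), stripe):
        disks[(i // stripe) % members] += volume[i:i + stripe]
    return [bytes(d) for d in disks]


def assemble_raid0(disks: list[bytes], stripe: int = STRIPE) -> bytes:
    """Rebuild the logical volume from member images, in the given disk order."""
    out = bytearray()
    offset = 0
    while any(offset < len(d) for d in disks):
        for d in disks:
            out += d[offset:offset + stripe]
        offset += stripe
    return bytes(out)


def identify_copy(copy: bytes, members: list[bytes], stripe: int = STRIPE) -> str:
    """Report which acquisition, if any, the hash of `copy` corresponds to."""
    h = sha256(copy)
    for n, image in enumerate(members):
        if h == sha256(image):
            return f"physical image of member disk {n}"
    if h == sha256(assemble_raid0(members, stripe)):
        return "logical image of the assembled RAID 0 volume"
    if h == sha256(assemble_raid0(members[::-1], stripe)):
        return "volume assembled with member order reversed"
    return "no match"


# Constructed sample: a 64-byte "volume" striped over two member disks.
VOLUME = bytes(range(64))
MEMBERS = stripe_raid0(VOLUME)

if __name__ == "__main__":
    print(identify_copy(VOLUME, MEMBERS))            # single-drive logical copy
    print(identify_copy(MEMBERS[1], MEMBERS))        # image of one member disk
    print(identify_copy(VOLUME, MEMBERS, stripe=8))  # wrong stripe size assumed
```

A single-drive logical copy never hashes to either member disk, so the question to settle is which object the acquisition hash was computed over and with what array parameters.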