Thursday, 03 August 2006

Forensically Sound Evidence

Mike Murr pointed me to his blog post Forensically Sound Duplicate. He suggests replacing this definition of a forensically sound duplicate with the one that follows.

"A 'forensically-sound' duplicate of a drive is, first and foremost, one created by a method which does not, in any way, alter any data on the drive being duplicated. Second, a forensically-sound duplicate must contain a copy of every bit, byte and sector of the source drive, including unallocated 'empty' space and slack space, precisely as such data appears on the source drive relative to the other data on the drive. Finally, a forensically-sound duplicate will not contain any data (except known filler characters) other than which was copied from the source drive."

This is Mike's replacement:

"A forensically sound duplicate is a complete and accurate representation of the source evidence. A forensically sound duplicate is obtained in a manner that may inherently (due to the acquisition tools, techniques, and process) alter the source evidence, but does not explicitly alter the source evidence. If data not directly contained in the source evidence is included in the duplicate, then the introduced data must be distinguishable from the representation of the source evidence. The use of the term complete refers to the components of the source evidence that are both relevant, and reasonably believed to be relevant."

I agree with the statement "A forensically sound duplicate is a complete and accurate representation of the source evidence." That is broad and still accurate enough to refer to hard drives, memory, or network traffic. I'm not comfortable with the alteration portion of the suggested definition.
