Actually it should be address some of his dilemma. I've done some
forensics and few things were critical.

1) The original media must remain unchanged. (No exceptions to this
rule).

2) The copied data be as unchanged as possible, and you must be able to
prove the changes did not effect the evidence in any way. So the bits
that get flipped in the journal are OK if documented as to what caused
the flipping. Of course you need to explain it to a judge first so it
can be understood before doing it.

The courts will not normally pay for writing code to access the hard
disk, but they usually will allow the use of copies if the copies can be
shown to materially the same as the master.

Cheers,

Davidm

On Tue, 2003-08-05 at 04:48, Mike Starke wrote:
> Somehow I think this thread does not understand the
> author's dilema. It is important NO CHANGES occur
> during any forensics....dd, cat, cp,  mount, unmount,
> another drive, etc, etc...it all does not matter
> in a forensics case. 
> 
> Maybe he may be facing the (I'll get this spelling wrong, I'm sure)
> Heisenburg Uncertainty Principle?
> 
> v/r
> -mike
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
-- 
David IS Mandala
gpg fingerprint 8932 E7EF CCF5 1B8C 1B5C A92E C678 795E 45B2 D952
Phoenix, AZ (480) 460-7545 HP, (602) 741-1363 CP
http://www.them.com/~davidm/