EXECUTIVE SUMMARY
This paper highlights an oversight in the current industry best practice procedure for forensically duplicating a hard disk. A discussion is provided which demonstrates that although the forensic duplication process may not directly modify data on the evidence hard disk, a hard disk will usually modify itself during the forensic duplication process.
The paper highlights some consequences, for example that an attacker who has compromised the computer containing the hard disk can programmatically detect that the hard disk has been forensically duplicated, or otherwise powered on and accessed via a mechanism other than via the operating system installed on the hard disk.
Suggestions are provided to help minimise the changes made to the hard disk during the forensic duplication process. These suggestions minimise the likelihood that an attacker will notice the system administrator or forensic analyst performing an investigation of the suspected compromised computer.
INTRODUCTION
Imagine the following scenario. You are the system administrator of a computer network, and you believe that a user's computer has been compromised. The attacker may have complete control over the computer including the use of a back door communication mechanism. The back door allows the attacker to notice in realtime any behaviour on the computer indicating that the attacker's presence is known to the system administrator.
You want to monitor the attacker to determine what actions they are performing and thereby gain an insight into the scope of the compromise and the initial vulnerability exploited by the attacker, but you need to investigate the apparent security incident without tipping off the attacker. Therefore you refrain from manually running programs such as root kit identification software, process listing utilities, netstat and other volatile information gathering programs. You resist the temptation to immediately turn the computer off since the attacker would notice this obvious action, and consider it suspicious that the computer was powered off before the close of business. You decide to wait until the end of the working day before taking a forensic copy of the computer's hard disk to subsequently analyse the duplicate for evidence of a compromise.
You power off the computer, remove the hard disk and make a forensically sound duplicate using software such as dd or a purpose built hardware forensic duplicator, using MD5 or a similar hashing function to ensure that you don't modify any data on the hard disk. You replace the original hard disk back in the user's computer, and allow the user to continue using their computer the following day. In the meantime you begin performing forensic analysis of the duplicate copy of the hard disk. You also install a separate computer to capture network traffic sent to and received from the suspected compromised computer.
You have followed the current industry best practice procedure for forensically duplicating a hard disk, so there is no way that the attacker can detect that you have taken a copy of the hard disk and you are thereby aware of the attacker's presence - right? WRONG!
Membership:
Latest: 
New Today: 0
New Yesterday: 13
Overall: 20808
Members: 1
Visitors: 16
Staff: 0
Forensic Technology Preview Day 2011 - Germany