News   GLOBAL  |  Apr 02, 2020
 9.7K     0 
News   GLOBAL  |  Apr 01, 2020
 41K     0 
News   GLOBAL  |  Apr 01, 2020
 5.5K     0 

Status
Not open for further replies.
Good point, but modern Windows OS's don't update NTFS file access times any more (for performance reasons). However, other things can happen when a drive is mounted (e.g. Recycle Bin might be created for the current user.) Personally, I would use "dd" under Linux to make a byte-for-byte copy of the drive, without mounting any partitions. I wouldn't risk connecting the original drive to a Windows PC, because of auto-mounting and the possibility of writing to the drive and overwriting data (as you said).

According to a computer security guy I spoke to at length once, it is absolutely essential under the commonly accepted rules for evidence that no changes whatsoever be made to the original disk. Doing so means that it's basically inadmissable for evidence.

Labs have specialized hardware that you hook your drive up to and it automatically makes a bit for bit copy of everything on a new drive, while preventing writes to the drive at the lowest level, so you can document that you've never made any changes to any information on there.

Then you use your forensics software to examine the information on the drive image and do whatever to it.
 
Just got this email blast from Mihevc:

Friends,

This is a sad day for the City of Toronto. As a Torontonian, and as a City Councillor for more than 20 years, it pains me to see the City of Toronto in the situation we currently face, and to see Council and the City of Toronto cast in this light on national television.

It is very unfortunate that the City and its residents have once again been thrown into such a state of uncertainty.

The Mayor of Toronto has a profound credibility problem. He is going to have to face Torontonians, and Council.

Our City deserves better.

Sincerely,

Councillor Joe Mihevc

This is b.s. As a lefty Mihevc must be absolutely ecstatic today and he expects us to believe that this "pains him".
 
This is interesting:

nEVILle park ‏@neville_park 5m

Anyway, I thought that was interesting. The police add that he's clearly trying to use his influence to get confidential info. #RFpoli

nEVILle park ‏@neville_park 7m

The plate # he took down was 1 letter off (surely a mistake) from the one following him, Lisi & Mandalero a few days before. #RFpoli

nEVILle park ‏@neville_park 7m

…but the police can't give it out because it's confidential. Ford gets mad, makes no further attempt to follow up w/cops. #RFpoli

nEVILle park ‏@neville_park 9m

The Mayor's staff and the police play phone tag a lot. The Mayor wants the registration info for the plate number he took down… #RFpoli

AoD
 
This is b.s. As a lefty Mihevc must be absolutely ecstatic today and he expects us to believe that this "pains him".

I don't know if you noticed, but he's been a city councillor for 20 years. Do you really think he held the job for so long because he dislikes the City of Toronto? You really think he's happy for the City that this shit is happening?
 
According to a computer security guy I spoke to at length once, it is absolutely essential under the commonly accepted rules for evidence that no changes whatsoever be made to the original disk. Doing so means that it's basically inadmissable for evidence.

Labs have specialized hardware that you hook your drive up to and it automatically makes a bit for bit copy of everything on a new drive, while preventing writes to the drive at the lowest level, so you can document that you've never made any changes to any information on there.

Then you use your forensics software to examine the information on the drive image and do whatever to it.

Yeah, makes sense that the law would require a much higher standard for preventing changes the original evidence. What I described would be okay for recovering someone's funny cat pics (on the cheap), but not for recovering evidence to be used in a criminal trial.
 
Status
Not open for further replies.

Back
Top