Date: Tue Sep 13 03:10:39 2005
From: druid at stonedcoder.org (druid@...nedcoder.org)
Subject: Re: Forensics help?



On Mon, 12 Sep 2005, Red Leg wrote:

> Hey Thanks!
>
> Can I use the copy made by dd for the analysis? Specifically... 1) I want to
> go to the site,
This is outside the scope of my response, hehe

> 2)copy the drive,
This will allow you to make a copy of the hard drive

> 3)take the copy made back to my location,
yes

> 4) restore the data to another drive and mount it to an existing system and
> then
You should not need to restore to another drive, but rather mount the 
image; there are Windows tools to do this and unixy ways to do this.

>5) forensically analyze the restored copy for deleted files.

This I do not know how to do outside of Norton Unerase; you will need a 
product.

>
> Can I use your directions to accomplish that?
>

My directions will allow you to copy a drive and move that image off site 
for analysis.

--Druid

>
> On 9/12/05 1:29 AM, "druid@...nedcoder.org" <druid@...nedcoder.org> wrote:
>
>> Purchase? no. You can dd the drive and use a utility to recognize files
>> within the unallocated space, I just had to do this a couple nights ago
>> so:
>>
>> (on system you want to copy)
>> dd if=/dev/hda | nc otherhost 5000
>>
>> (on your lappy or whatever)
>> nc -l -p 5000 | dd of=./blah
>>
>> I was copying from one partition on an old disk to an unpartitioned space
>> on another disk in another machine, there are a bunch of ways of doing
>> this but that is a quick and dirty way of copying the readable data on a
>> drive to another location. You are on your own as far as finding deleted
>> files, but there are programs available. BTW you can mount that file like
>> a drive! Read the dd man page and remember "-" == stdin/stdout. I hope
>> this was useful, I just remembered you asked for a commercial solution for
>> this implying a lack of linux foo so if this is totally greek I apologize.
>>
>> BTW: nc == netcat, and you can use a similar trick with tar if you have no
>> need to find deleted files later. Useful for the sys admins out there, OR
>> use with ssh for a cheap and dirty crypted file transfer solution (but why
>> not just use scp..)
>>
>> --druid
>>
>> P.S. I am only sharing this because I just had to use this trick (and
>> failed with the dd btw but that's another issue entirely) and it is pretty
>> handy for moving data around using a boot cd and a NIC.
>>
>>>
>>> Message: 11
>>> Date: Sun, 11 Sep 2005 18:33:43 -0400
>>> From: Red Leg <redleg18@...il.com>
>>> Subject: [Full-disclosure] Forensic help?
>>> To: <full-disclosure@...ts.grok.org.uk>
>>> Message-ID: <BF4A2907.8BD0%redleg18@...il.com>
>>> Content-Type: text/plain; charset="US-ASCII"
>>>
>>>
>>> Hi all.
>>>
>>> I was wondering if anyone knows of a program/system that I can purchase, as
>>> a private individual, that will allow me to
>>>
>>> 1) mirror a hard drive on location and
>>>
>>> 2) take that mirror and restore it to another drive. And
>>>
>>> 3) Find any CONVENTIONALLY erased files?
>>>
>>> -- This would be either a Windows NTFS or FAT32 drive.
>>>
>>> Anyone have first hand experience? Please let me know, if you do. In ANY
>>> case, please suggest whatever you might have learned even without first hand
>>> experience.
>>>
>>> Thanks!
>>>
>>> Redleg18
>>>
>>>
>>>
>>>
>>> ------------------------------
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>> End of Full-Disclosure Digest, Vol 7, Issue 25
>>> **********************************************
>>>

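The copy step discussed in the thread, as an added example that is not the poster's own commands: a dd image of a device (or a constructed file standing in for one) followed by the SHA-256 check that a bare "dd | nc" transfer never gives you, so a partially failed copy is noticed before it is analyzed. It assumes a Linux host with GNU coreutils (dd, sha256sum, mktemp); the paths and the DEMO variable are this example's own.

```shell
#!/bin/sh
# Added example, not the poster's own commands: raw-image a device (or a file
# standing in for one) with dd, keep dd's record counts as a log, and verify
# the copy by SHA-256 before relying on it. Assumes Linux with GNU coreutils.
set -u

# Print only the SHA-256 digest of a file (sha256sum prints "<hash>  <name>").
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Bit-for-bit copy of $1 to $2. conv=noerror keeps going past unreadable
# sectors instead of stopping, and conv=sync zero-fills them so offsets in the
# copy stay aligned with the source. bs must divide the device size exactly:
# 512 fits every disk; a larger bs is faster but may zero-pad the last block,
# and the verification below will then (correctly) fail.
image_device() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.dd.log"
}

# Hash source and copy independently; prints both, returns 0 only on a match.
# A mismatch means dd zero-filled bad sectors (check $2.dd.log) or the copy
# was altered on the way, so the image is not yet trustworthy evidence.
verify_copy() {
    src_hash=$(hash_of "$1")
    dst_hash=$(hash_of "$2")
    printf 'source: %s\ncopy:   %s\n' "$src_hash" "$dst_hash"
    [ "$src_hash" = "$dst_hash" ]
}

# Image, then verify. Treat the result as read-only afterwards, e.g.
# mount -o ro,loop copy.img /mnt/evidence (as root; add offset=<bytes> to
# reach one partition inside a whole-disk image).
image_and_verify() {
    image_device "$1" "$2" || return 2
    verify_copy "$1" "$2"
}

# Constructed demo input: 1 MiB of random data standing in for /dev/hda.
if [ "${DEMO:-}" = 1 ]; then
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/disk.img" bs=512 count=2048 2>/dev/null
    image_and_verify "$work/disk.img" "$work/copy.img"
fi
```

Run with DEMO=1 to exercise it on the constructed input; for a real drive, pass the block device as the first argument and run as root.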