Message-ID: <BF4B06E3.8C1A%redleg18@gmail.com>
Date: Mon Sep 12 15:20:53 2005
From: redleg18 at gmail.com (Red Leg)
Subject: Re: Forensics help?

Hey Thanks!

Can I use the copy made by dd for the analysis? Specifically... 1) I want to
go to the site, 2) copy the drive, 3) take the copy made back to my location,
4) restore the data to another drive and mount it to an existing system and
then 5) forensically analyze the restored copy for deleted files.

Can I use your directions to accomplish that?


On 9/12/05 1:29 AM, "druid@...nedcoder.org" <druid@...nedcoder.org> wrote:

> Purchase? no. You can dd the drive and use a utility to recognize files
> within the unallocated space, I just had to do this a couple nights ago
> so:
> 
> (on system you want to copy)
> dd if=/dev/hda | nc otherhost 5000
> 
> (on your lappy or whatever)
> nc -l -p 5000 | dd of=./blah
> 
> I was copying from one partition on an old disk to an unpartitioned space
> on another disk in another machine, there are a bunch of ways of doing
> this but that is a quick and dirty way of copying the readable data on a
> drive to another location. You are on your own as far as finding deleted
> files, but there are programs available. BTW you can mount that file like
> a drive! Read the dd man page and remember "-" == stdin/stdout. I hope
> this was useful, I just remembered you asked for a commercial solution for
> this implying a lack of linux foo so if this is totally greek I apologize.
> 
> BTW: nc == netcat, and you can use a similar trick with tar if you have no
> need to find deleted files later. Useful for the sys admins out there, OR
> use with ssh for a cheap and dirty crypted file transfer solution (but why
> not just use scp..)
> 
> --druid
> 
> P.S. I am only sharing this because I just had to use this trick (and
> failed with the dd btw but that's another issue entirely) and it is pretty
> handy for moving data around using a boot cd and a NIC.
> 
>> 
>> Message: 11
>> Date: Sun, 11 Sep 2005 18:33:43 -0400
>> From: Red Leg <redleg18@...il.com>
>> Subject: [Full-disclosure] Forensic help?
>> To: <full-disclosure@...ts.grok.org.uk>
>> Message-ID: <BF4A2907.8BD0%redleg18@...il.com>
>> Content-Type: text/plain; charset="US-ASCII"
>> 
>> 
>> Hi all.
>> 
>> I was wondering if anyone knows of a program/system that I can purchase, as
>> a private individual, that will allow me to
>> 
>> 1) mirror a hard drive on location and
>> 
>> 2) take that mirror and restore it to another drive. And
>> 
>> 3) Find any CONVENTIONALLY erased files?
>> 
>> -- This would be either a Windows NTFS or FAT32 drive.
>> 
>> Anyone have first hand experience? Please let me know, if you do. In ANY
>> case, please suggest whatever you might have learned even without first hand
>> experience.
>> 
>> Thanks!
>> 
>> Redleg18
>> 
>> 
>> 
>> 
>> 
> 
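Added example, not part of the original messages: one way to confirm that the file written by the `dd | nc` transfer quoted above is byte-identical to what was read from the source drive, by hashing the stream on both ends and re-hashing the image before analysis. The function names are hypothetical, and it assumes `sha256sum` (coreutils) is available on both machines and that the source hash file is carried to the analysis machine separately.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.
# Assumes dd, tee, mkfifo and sha256sum (coreutils) on both machines.

# Sending side: stream SRC to stdout, saving the SHA-256 of the bytes read.
#   acquire_stream /dev/hda src.sha256 | nc otherhost 5000
acquire_stream() {
    tmpd=$(mktemp -d) || return 1
    mkfifo "$tmpd/tap" || return 1
    # The hasher reads a second copy of the stream from the FIFO.
    sha256sum < "$tmpd/tap" | cut -d' ' -f1 > "$2" &
    hasher=$!
    dd if="$1" bs=64k 2>/dev/null | tee "$tmpd/tap"
    wait "$hasher"
    rm -rf "$tmpd"
}

# Receiving side: write stdin to IMAGE, print the SHA-256 of what arrived.
#   nc -l -p 5000 | receive_image ./blah > rx.sha256
receive_image() {
    tee "$1" | sha256sum | cut -d' ' -f1
}

# Later: re-hash the image on disk and compare with the recorded source hash.
#   verify_image ./blah src.sha256
verify_image() {
    want=$(cat "$2") || return 1
    got=$(sha256sum < "$1" | cut -d' ' -f1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Offline check: a constructed 200000-byte file stands in for /dev/hda and a
# local pipe stands in for the nc connection.
selftest() {
    w=$(mktemp -d) || return 1
    head -c 200000 /dev/urandom > "$w/disk"
    acquire_stream "$w/disk" "$w/src.sha256" | receive_image "$w/blah" > "$w/rx.sha256"
    [ "$(cat "$w/src.sha256")" = "$(cat "$w/rx.sha256")" ] || return 1
    verify_image "$w/blah" "$w/src.sha256" || return 1
    printf 'x' >> "$w/blah"            # simulate an image changed after transfer
    if verify_image "$w/blah" "$w/src.sha256"; then return 1; fi
    rm -rf "$w"
}
```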
