Message-ID: <Pine.LNX.4.50.0509122216400.26701-100000@kegger.national-security.net>
Date: Tue Sep 13 06:42:24 2005
From: fd at ew.nsci.us (fd@...nsci.us)
Subject: Re: Forensics help?
On Mon, 12 Sep 2005 druid@...nedcoder.org wrote:
>
>
> On Mon, 12 Sep 2005, Red Leg wrote:
> >5) forensically analyze the restored copy for deleted files.
>
> This I do not know how to do outside of norton unerase, you will need a
> product
http://linux-ntfs.sourceforge.net/ has a great set of tools like undelete
for ntfs on block devices (and loopbacks?). The undelete works especially
well with a little bit of shellfoo.
-Eric
> >
> > On 9/12/05 1:29 AM, "druid@...nedcoder.org" <druid@...nedcoder.org> wrote:
> >
> >> Purchase? no. You can dd the drive and use a utility to recognize files
> >> within the unallocated space, I just had to do this a couple nights ago
> >> so:
> >>
> >> (on system you want to copy)
> >> dd if=/dev/hda | nc otherhost 5000
> >>
> >> (on your lappy or whatever)
> >> nc -l -p 5000 | dd of=./blah
> >>
> >> I was copying from one partition on an old disk to an unpartitioned space
> >> on another disk in another machine, there are a bunch of ways of doing
> >> this but that is a quick and dirty way of copying the readable data on a
> >> drive to another location. You are on your own as far as finding deleted
> >> files, but there are programs available. BTW you can mount that file like
> >> a drive! Read the dd man page and remember "-" == stdin/stdout. I hope
> >> this was useful, I just remembered you asked for a commercial solution for
> >> this implying a lack of linux foo so if this is totally greek I apologize.
> >>
> >> BTW: nc == netcat, and you can use a similar trick with tar if you have no
> >> need to find deleted files later. Useful for the sys admins out there, OR
> >> use with ssh for a cheap and dirty crypted file transfer solution (but why
> >> not just use scp..)
> >>
> >> --druid
> >>
> >> P.S. I am only sharing this because I just had to use this trick (and
> >> failed with the dd btw but thats another issue entirely) and it is pretty
> >> handy for moving data around using a boot cd and a NIC.
> >>
> >>>
> >>> Message: 11
> >>> Date: Sun, 11 Sep 2005 18:33:43 -0400
> >>> From: Red Leg <redleg18@...il.com>
> >>> Subject: [Full-disclosure] Forensic help?
> >>> To: <full-disclosure@...ts.grok.org.uk>
> >>> Message-ID: <BF4A2907.8BD0%redleg18@...il.com>
> >>> Content-Type: text/plain; charset="US-ASCII"
> >>>
> >>>
> >>> Hi all.
> >>>
> >>> I was wondering if anyone knows of a program/system that I can purchase, as
> >>> a private individual, that will allow me to
> >>>
> >>> 1) mirror a hard drive on location and
> >>>
> >>> 2) take that mirror and restore it to another drive. And
> >>>
> >>> 3) Find any CONVENTIONALLY erased files?
> >>>
> >>> -- This would be either a Windows NTFS or FAT32 drive.
> >>>
> >>> Anyone have first hand experience? Please let me know, if you do. In ANY
> >>> case, please suggest whatever you might have learned even without first hand
> >>> experience.
> >>>
> >>> Thanks!
> >>>
> >>> Redleg18
> >>>
> >>>
> >>>
> >>>
> >>> ------------------------------
> >>>
> >>> _______________________________________________
> >>> Full-Disclosure - We believe in it.
> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>> Hosted and sponsored by Secunia - http://secunia.com/
> >>>
> >>> End of Full-Disclosure Digest, Vol 7, Issue 25
> >>> **********************************************
> >>>
--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
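An added example, not code posted by anyone in this thread, that carries the procedure discussed above (dd the drive, optionally over netcat, mount the image file, then look for deleted files) through in working shell. The device paths, port, output paths and the four-sector test image are constructed; the `ntfsundelete` invocation at the end assumes the linux-ntfs tools Eric points to are installed.

```shell
#!/bin/sh
# Added example, not code from the thread. Images a drive with dd, checks the
# copy against the source by hash, and works out where partition 1 lives inside
# a whole-disk image so it can be loop-mounted read-only or handed to
# ntfsundelete. Paths, ports and the test image below are constructed.
set -eu

# Local copy: conv=noerror keeps dd going past unreadable sectors, conv=sync
# pads each short read to a full block so later offsets in the image still line
# up with the source. Succeeds only if source and image hash identically (true
# for a source whose size is a multiple of 512 bytes, as block devices are).
acquire_and_verify() {
    src=$1; out=$2
    dd if="$src" of="$out" bs=512 conv=noerror,sync 2>/dev/null
    h_src=$(sha256sum "$src" | cut -d' ' -f1)
    h_out=$(sha256sum "$out" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$h_src" "$src" "$h_out" "$out" > "$out.sha256"
    [ "$h_src" = "$h_out" ]
}

# Network variant of the thread's "dd | nc". Start the receiver first.
# Traditional netcat wants "-l -p PORT", the OpenBSD rewrite wants "-l PORT";
# adjust for whichever nc the boot CD ships. Nothing authenticates or encrypts
# this stream, so run it over a crossover cable or tunnel it through ssh, and
# compare sha256sum of the device (sender) and the image (receiver) afterwards.
receive_image() { nc -l -p "$1" | dd of="$2" bs=512 2>/dev/null; }
send_image()    { dd if="$1" bs=512 conv=noerror,sync 2>/dev/null | nc "$2" "$3"; }

# An image of /dev/hda (the whole disk) starts with the MBR, not a filesystem,
# so mount needs the byte offset of the partition. Entry N of the partition
# table sits at 446 + 16*(N-1); bytes 8-11 hold the start LBA, bytes 12-15 the
# sector count, both little-endian (od prints host order, fine on x86).
mbr_field() {   # args: image, partition number 1-4, field offset in the entry
    od -An -t u4 -j $((446 + 16 * ($2 - 1) + $3)) -N 4 "$1" | tr -d ' '
}
mbr_partition_offset()  { echo $(( $(mbr_field "$1" "$2" 8) * 512 )); }
mbr_partition_sectors() { mbr_field "$1" "$2" 12; }

# Carve partition N out of the disk image into its own file; ntfsundelete and
# friends expect a partition-sized volume, not a whole disk.
extract_partition() {
    img=$1; n=$2; out=$3
    dd if="$img" of="$out" bs=512 skip="$(mbr_field "$img" "$n" 8)" \
       count="$(mbr_partition_sectors "$img" "$n")" 2>/dev/null
}

# Constructed 4-sector test disk: MBR with one NTFS-typed (0x07) partition at
# LBA 1 spanning 2 sectors, filled with 'A' then 'B'. Everything else is zero.
make_test_image() {
    img=$1
    dd if=/dev/zero of="$img" bs=512 count=4 2>/dev/null
    printf '\007' | dd of="$img" bs=1 seek=450 conv=notrunc 2>/dev/null      # type
    printf '\001' | dd of="$img" bs=1 seek=454 conv=notrunc 2>/dev/null      # start LBA
    printf '\002' | dd of="$img" bs=1 seek=458 conv=notrunc 2>/dev/null      # sector count
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null  # 0x55AA signature
    dd if=/dev/zero bs=512 count=1 2>/dev/null | tr '\000' 'A' \
        | dd of="$img" bs=512 seek=1 conv=notrunc 2>/dev/null
    dd if=/dev/zero bs=512 count=1 2>/dev/null | tr '\000' 'B' \
        | dd of="$img" bs=512 seek=2 conv=notrunc 2>/dev/null
}

# Usage on real evidence (constructed paths; the loop mount needs root):
#   acquire_and_verify /dev/hda /evidence/hda.img
#   mount -o ro,loop,offset=$(mbr_partition_offset /evidence/hda.img 1) \
#         /evidence/hda.img /mnt/evidence
#   extract_partition /evidence/hda.img 1 /evidence/hda1.img
#   ntfsundelete --scan /evidence/hda1.img      # list recoverable files
```

Two points worth keeping in mind when using this on a real drive: mount the image read-only (and keep the `.sha256` file) so the copy you analyze stays provably identical to what you acquired, and remember that a whole-disk image of `/dev/hda` will not mount without the partition offset, which is what the MBR helpers compute.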