> On Fri, 2010-06-04 at 13:09 -0700, Tim Garlick wrote:
> > Hi all, I need a Live CD that I can boot from to investigate Solaris 10 and OpenSolaris systems that have been potentially compromised. The target OS is Solaris 10. This is complicated by the fact that the Solaris 10 system being investigated is a VirtualBox instance of S10 Update 8. I mount the Live CD ISO on the VM's virtual CD drive and then boot from that.
> >
> > I've tried MilaX but I can't figure out how to mount the Solaris 10 root disk after I've booted to a text console with MilaX. VirtualBox doesn't display the graphics correctly when you boot the MilaX ISO in graphical mode. I haven't tried the VBox MilaX appliance yet, because that gives me a separate VM, when I need to get to the S10 VM.
> >
> > So, my questions are:
> >
> > - Is MilaX the best choice?
> > - If not, which distro is better?
> > - Either way, how do I mount the S10U8 VM's root disk once I've booted the Live CD?
> >
> > Thanks for any pointers.
>
> Hi Tim,
> you can use the 'format' utility to find the disk name and root partition, then mount it.
> For this you can use any OpenSolaris/Belenix/MilaX LiveCD.
>
> Also you can find and mount all UFS parts:
>
> #!/bin/sh
>
> solaris=0
> for dnode in /dev/dsk/*
> do
>     # Ask fstyp what file system, if any, is on this slice
>     type=`/usr/sbin/fstyp $dnode 2> /dev/null`
>     if [ "x$type" = "xufs" ]
>     then
>         /usr/bin/mkdir /mnt/solaris$solaris
>         /sbin/mount -F $type $dnode /mnt/solaris$solaris
>         # Next UFS slice gets its own mount point
>         solaris=`expr $solaris + 1`
>     fi
> done

Although if they're serious about forensics use, they'd need to use

/sbin/mount -F $type -o ro $dnode

because you absolutely positively do not want to mess with the evidence.

(Better would be to have a copy of the disk or disk image made and work on that, never touching the original at all, unless getting into high-end data recovery on it.)

--
This message posted from opensolaris.org
_______________________________________________
distribution-discuss mailing list
http://mail.opensolaris.org/mailman/listinfo/distribution-discuss
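
The loop from the thread combined with the read-only mount option, as an added example that is not part of either post. It defaults to a dry run that only prints the mount commands so they can be reviewed before anything touches the disk; the `FSTYP`, `MOUNT`, `DSK_DIR`, `MNT_BASE` and `DRY_RUN` variables and the function name are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: read-only variant of the UFS mount loop quoted above.
# All variables below are hypothetical knobs of this sketch, not
# anything a Live CD provides.
FSTYP=${FSTYP:-/usr/sbin/fstyp}      # file system type probe
MOUNT=${MOUNT:-/sbin/mount}
DSK_DIR=${DSK_DIR:-/dev/dsk}         # where the disk slices live
MNT_BASE=${MNT_BASE:-/mnt/solaris}   # mount points become $MNT_BASE0, 1, ...
DRY_RUN=${DRY_RUN:-1}                # 1 = print commands only, 0 = mount

# Print (DRY_RUN=1) or run (DRY_RUN=0) one read-only mount per UFS slice.
mount_ufs_readonly() {
    n=0
    for dnode in "$DSK_DIR"/*
    do
        # Skip anything fstyp cannot identify, or that is not UFS
        fstype=`$FSTYP "$dnode" 2>/dev/null` || continue
        [ "x$fstype" = "xufs" ] || continue

        mnt="$MNT_BASE$n"
        if [ "$DRY_RUN" = "1" ]
        then
            echo "$MOUNT -F $fstype -o ro $dnode $mnt"
        else
            # -o ro: the evidence disk is never mounted writable
            mkdir -p "$mnt" &&
                $MOUNT -F "$fstype" -o ro "$dnode" "$mnt" || {
                    echo "read-only mount of $dnode failed" >&2
                    continue
                }
        fi
        n=`expr $n + 1`
    done
    return 0
}

# Usage from the Live CD console:
#   mount_ufs_readonly              # review the printed commands
#   DRY_RUN=0; mount_ufs_readonly   # then perform the mounts
```
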
