On Mon, 12 Sep 2005, Red Leg wrote:

> Hey Thanks!
>
> Can I use the copy made by dd for the analysis? Specifically... 1) I want to
> go to the site,

This is outside the scope of my response, hehe

> 2) copy the drive,

This will allow you to make a copy of the hard drive

> 3) take the copy made back to my location,

Yes

> 4) restore the data to another drive and mount it to an existing system and
> then

You should not need to restore to another drive, but rather mount the image; there are Windows tools to do this and unixy ways to do this.

> 5) forensically analyze the restored copy for deleted files.

This I do not know how to do outside of Norton UnErase; you will need a product

> Can I use your directions to accomplish that?

My directions will allow you to copy a drive and move that image off site for analysis.

--Druid


On 9/12/05 1:29 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:

Purchase? no. You can dd the drive and use a utility to recognize files
within the unallocated space, I just had to do this a couple nights ago
so:

(on system you want to copy)
dd if=/dev/hda | nc otherhost 5000

(on your lappy or whatever)
nc -l -p 5000 | dd of=./blah

I was copying from one partition on an old disk to an unpartitioned space
on another disk in another machine, there are a bunch of ways of doing
this but that is a quick and dirty way of copying the readable data on a
drive to another location. You are on your own as far as finding deleted
files, but there are programs available. BTW you can mount that file like
a drive! Read the dd man page and remember "-" == stdin/stdout. I hope
this was useful, I just remembered you asked for a commercial solution for
this implying a lack of Linux foo so if this is totally Greek I apologize.

BTW: nc == netcat, and you can use a similar trick with tar if you have no
need to find deleted files later. Useful for the sys admins out there, OR
use with ssh for a cheap and dirty crypted file transfer solution (but why
not just use scp..)

--druid

P.S. I am only sharing this because I just had to use this trick (and
failed with the dd btw but that's another issue entirely) and it is pretty
handy for moving data around using a boot cd and a NIC.
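
Added example (not part of the original posts, and not the code of any tool the thread has in mind): a simplified sketch of what a utility that recognizes files within unallocated space does with a dd image such as ./blah, scanning the raw bytes for known header and footer signatures. The function names, the two signatures and the sample image are constructed for illustration; only unfragmented files that have not been overwritten are found this way.

```python
import mmap
import os

# (type, header magic, footer magic, maximum size to scan in bytes)
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
]


def carve(image_path):
    """Return sorted (type, start, end) byte ranges for each header..footer run."""
    hits = []
    # The image is opened and mapped read-only so the evidence copy is never modified.
    with open(image_path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as data:
        for kind, header, footer, max_size in SIGNATURES:
            pos = data.find(header)
            while pos != -1:
                limit = min(len(data), pos + max_size)
                end = data.find(footer, pos + len(header), limit)
                if end == -1:  # header without a footer in range: skip it
                    pos = data.find(header, pos + 1)
                    continue
                end += len(footer)
                hits.append((kind, pos, end))
                pos = data.find(header, end)
    return sorted(hits, key=lambda hit: hit[1])


def extract(image_path, hits, out_dir):
    """Write each carved range to out_dir, named by start offset and type."""
    paths = []
    with open(image_path, "rb") as fh:
        for kind, start, end in hits:
            fh.seek(start)
            path = os.path.join(out_dir, f"{start:010d}.{kind}")
            with open(path, "wb") as out:
                out.write(fh.read(end - start))
            paths.append(path)
    return paths


def build_sample_image(path):
    """Constructed sample: two fake 'deleted' files between runs of zero bytes."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 50 + b"IEND\xaeB`\x82"
    with open(path, "wb") as fh:
        fh.write(b"\x00" * 512 + jpg + b"\x00" * 300 + png + b"\x00" * 512)
    return jpg, png
```

Because the scan works on raw bytes, it finds data the file system no longer references; the offsets in the output file names let each hit be located again in the image.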


Message: 11
Date: Sun, 11 Sep 2005 18:33:43 -0400
From: Red Leg <[EMAIL PROTECTED]>
Subject: [Full-disclosure] Forensic help?
To: <[email protected]>
Message-ID: <[EMAIL PROTECTED]>
Content-Type: text/plain; charset="US-ASCII"


Hi all.

I was wondering if anyone knows of a program/system that I can purchase, as
a private individual, that will allow me to

1) mirror a hard drive on location and

2) take that mirror and restore it to another drive. And

3) Find any CONVENTIONALLY erased files?

-- This would be either a Windows NTFS or FAT32 drive.

Anyone have first hand experience? Please let me know, if you do. In ANY
case, please suggest whatever you might have learned even without first hand
experience.

Thanks!

Redleg18




------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

End of Full-Disclosure Digest, Vol 7, Issue 25
**********************************************
