On Mon, 12 Sep 2005 [EMAIL PROTECTED] wrote:
>
> On Mon, 12 Sep 2005, Red Leg wrote:
> >5) forensically analyze the restored copy for deleted files.
>
> This I do not know how to do outside of norton unerase, you will need a
> product

http://linux-ntfs.sourceforge.net/ has a great set of tools like undelete
for ntfs on block devices (and loopbacks?). The undelete works especially
well with a little bit of shellfoo.

-Eric

> >
> > On 9/12/05 1:29 AM, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> >
> >> Purchase? no. You can dd the drive and use a utility to recognize files
> >> within the unallocated space, I just had to do this a couple nights ago
> >> so:
> >>
> >> (on system you want to copy)
> >> dd if=/dev/hda | nc otherhost 5000
> >>
> >> (on your lappy or whatever)
> >> nc -l -p 5000 | dd of=./blah
> >>
> >> I was copying from one partition on an old disk to an unpartitioned space
> >> on another disk in another machine, there are a bunch of ways of doing
> >> this but that is a quick and dirty way of copying the readable data on a
> >> drive to another location. You are on your own as far as finding deleted
> >> files, but there are programs available. BTW you can mount that file like
> >> a drive! Read the dd man page and remember "-" == stdin/stdout. I hope
> >> this was useful, I just remembered you asked for a commercial solution for
> >> this implying a lack of linux foo so if this is totally greek I apologize.
> >>
> >> BTW: nc == netcat, and you can use a similar trick with tar if you have no
> >> need to find deleted files later. Useful for the sys admins out there, OR
> >> use with ssh for a cheap and dirty crypted file transfer solution (but why
> >> not just use scp..)
> >>
> >> --druid
> >>
> >> P.S. I am only sharing this because I just had to use this trick (and
> >> failed with the dd btw but that's another issue entirely) and it is pretty
> >> handy for moving data around using a boot cd and a NIC.
> >>
> >>>
> >>> Message: 11
> >>> Date: Sun, 11 Sep 2005 18:33:43 -0400
> >>> From: Red Leg <[EMAIL PROTECTED]>
> >>> Subject: [Full-disclosure] Forensic help?
> >>> To: <[email protected]>
> >>> Message-ID: <[EMAIL PROTECTED]>
> >>> Content-Type: text/plain; charset="US-ASCII"
> >>>
> >>> Hi all.
> >>>
> >>> I was wondering if anyone knows of a program/system that I can purchase,
> >>> as a private individual, that will allow me to
> >>>
> >>> 1) mirror a hard drive on location and
> >>>
> >>> 2) take that mirror and restore it to another drive. And
> >>>
> >>> 3) Find any CONVENTIONALLY erased files?
> >>>
> >>> -- This would be either a Windows NTFS or FAT32 drive.
> >>>
> >>> Anyone have first hand experience? Please let me know, if you do. In ANY
> >>> case, please suggest whatever you might have learned even without first
> >>> hand experience.
> >>>
> >>> Thanks!
> >>>
> >>> Redleg18
> >>>
> >>> ------------------------------
> >>>
> >>> _______________________________________________
> >>> Full-Disclosure - We believe in it.
> >>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>> Hosted and sponsored by Secunia - http://secunia.com/
> >>>
> >>> End of Full-Disclosure Digest, Vol 7, Issue 25
> >>> **********************************************

--
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062

http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
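
The dd imaging step described in this thread, with a digest check so the copy can be shown to match the source before any undelete tool is pointed at it. This is an added example, not code from any of the posters; the function names `sha256_of`, `image_and_verify` and `verify_image` and the `.sha256` sidecar file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): copy a source to an image file with dd
# and prove the copy is bit-identical before running recovery tools on it.

sha256_of() {
    # Print only the hex digest; fail if the input cannot be read.
    out=$(sha256sum "$1") || return 1
    printf '%s\n' "${out%% *}"
}

# image_and_verify SRC DST
# SRC may be a block device such as /dev/hda or a plain file.
# Returns 0 only when the source and image digests match.
image_and_verify() {
    src=$1
    dst=$2
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$dst" ]; then echo "refusing to overwrite $dst" >&2; return 2; fi

    # Hash the source first. It must not change during imaging, so image
    # from a boot CD rather than from the running system.
    src_hash=$(sha256_of "$src") || return 2

    # Without conv=noerror dd stops at the first read error and exits
    # non-zero, so a partial image is reported instead of silently accepted.
    dd if="$src" of="$dst" bs=64k 2>/dev/null || return 2

    dst_hash=$(sha256_of "$dst") || return 2
    # Record the digest next to the image, then make both read-only.
    printf '%s  %s\n' "$dst_hash" "$(basename "$dst")" > "$dst.sha256"
    chmod a-w "$dst" "$dst.sha256"

    [ "$src_hash" = "$dst_hash" ]
}

# verify_image IMG: re-check an image against its recorded digest, e.g. after
# undelete work, to show the evidence copy was not modified.
verify_image() {
    img=$1
    [ -r "$img.sha256" ] || return 2
    read -r recorded _ < "$img.sha256"
    [ "$(sha256_of "$img")" = "$recorded" ]
}
```

For the netcat variant quoted above, the same check applies across hosts: run `sha256sum` on the source device on the sending machine and compare it with the digest of the received file.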
