You can try two things! 1: Open ur terminal /dos and netstat -a -n this will give you the active/establishd connections list with the local ip address and the...
1815
john_a_antoniou
Nov 11, 2005 7:51 am
As a part of my research project in Computer Forensics, I have to develop a program to read the whole hard disk (under linux environment). I think c...
1816
Christophe Monniez
d_fence_242
Nov 11, 2005 11:02 am
... Why do you to limit your soft to the hard disks ? Isn't it better to read the standard input so you can read what ever you want like that : # cat /dev/hda...
1817
Gary Funck
garyfunck
Nov 11, 2005 8:10 pm
... Google is your friend: http://ext2read.sourceforge.net/hdisk.htm You can read from a hard drive directly (such as /dev/hda), only if you are *root*....
1818
Ryan B. Lynch
rlynch@...
Nov 12, 2005 4:58 am
A minor correction... ... Any user can read from a hard drive directly, not just the root user. The device nodes for disk devices (/dev/hd*, dev/sd*, etc.) are...
1819
Gary Funck
garyfunck
Nov 12, 2005 6:05 am
... Good point. I was speaking to the most likely configuration that new user would run into. [...] ... Elegant idea. Thanks - Gary...
1820
anuj
iexist_iexist
Nov 12, 2005 1:34 pm
Hello friends! This can be a lengthy and complicated thread but I found it very essential... After installing linux what security measures/steps one should...
1821
Gary Funck
garyfunck
Nov 12, 2005 6:24 pm
FYI. ... From: Simson Garfinkel Sent: Saturday, November 12, 2005 4:07 AM To: aff-info@... Subject: [Aff-info] AFF Paper Greetings. The AFF paper...
1822
Secure Hell
securehell
Dec 5, 2005 5:31 pm
Hello group, I have a hard drive that I need to examine using linux and I want to mount it so that it does not boot but so that I can manually mount it...
1823
Jacques B.
jboucher_work
Dec 5, 2005 6:13 pm
You will want to pin your drives master (your boot/forensic drive) and slave (your suspect drive). But before that you want to make sure your Linux distro...
1824
Michele Vetturi
mvetturi
Dec 5, 2005 6:19 pm
And I suggest you to use any IDE writelock....
1825
Ryan B. Lynch
rlynch@...
Dec 6, 2005 7:52 am
Hello guy, ... In determining whether the drive will be automounted, it doesn't really matter whether the hard drive is attached to the workstation as a ...
1826
Jelle Smet
jelle.smet@...
Dec 6, 2005 1:30 pm
Hi all, I have found tons of information about mounting a dd image of a diskpartition to the loopback device. This works out with no problem. But how can I...
1827
Barry J. Grundy
grundy_b
Dec 6, 2005 1:51 pm
... 1) Pass an offset to the mount command (offset=number of bytes) to the start of the partition: mount -t vfat -o ro,loop,offset=xxxxxx image.dd...
1828
Secure Hell
securehell
Dec 6, 2005 2:44 pm
... Hello ... Well, the issue has to do with the hardware choosing which drive to boot from so what I am talking about is prior to the Linux OS booting and...
1829
The Dog's Bollix
ISXPRO
Dec 6, 2005 2:52 pm
http://sleuthkit.org/informer/sleuthkit-informer-2.html#split http://sleuthkit.org/informer/sleuthkit-informer-12.html#mmls Tony Jelle Smet...
1830
Gary Funck
garyfunck
Dec 6, 2005 4:03 pm
... In general, it's best to first make a disk image copy of the drive to be analyszed, checksum it, and keep it in a safe place. Then, copy that to a scratch...
1831
Ryan B. Lynch
rlynch@...
Dec 6, 2005 4:13 pm
... Sorry if that was a little TMI, I wasn't sure from your original question what the exact problem was--you need to know how to set up the IDE stuff, right? ...
1832
securehell
Dec 6, 2005 7:17 pm
Thank you. This has been very helpful. I need to check the BIOS settings to see if the new drive shows up there and to ensure that it is not in the boot list...
1833
IanC
devorg
Dec 7, 2005 1:05 am
On Behalf Of Ryan B. Lynch ... Similar but not knoppix is that I use Win XP on one system here which is bare bones I built 2 years ago with Intl P4 M/Board 2.8...
1834
Gary Funck
garyfunck
Dec 7, 2005 4:14 am
This doesn't relate to anything I'm working on at the moment, but was just wondering if anyone has considered if there are ways to detect after the fact use of...
1835
Gary Funck
garyfunck
Dec 7, 2005 4:28 am
... [...] ... Ian, my guess is that you've tried all/some of these ideas, but here's a couple to consider: - is either the master or secondary jumpered as...
1836
IanC
devorg
Dec 7, 2005 4:38 am
... Actually,, yes it does. Why does it do that?...
1837
Gary Funck
garyfunck
Dec 7, 2005 7:23 am
... I _think_ what is going on here, is the drives are struggling over which one is master, using the particular explicit jumper settings that you have set up....
1838
The Dog's Bollix
ISXPRO
Dec 7, 2005 1:46 pm
I've had similar problems with Maxtor in the past, and I use Maxtor drives exclusively for all work/cases/evidence, etc, but I found my grief was minimised...
1839
Jacques B.
jboucher_work
Dec 7, 2005 2:53 pm
Free space all 00's is a big possible indicator. File slack is an equally, if not bigger, indicator of a wiping tool. File slack with older content is pretty...
1840
Gary Funck
garyfunck
Dec 7, 2005 3:18 pm
... points ... Good idea. How does one determine the contents of a restore point? Is there a tool that displays the restore point info.?...
1841
The Dog's Bollix
ISXPRO
Dec 7, 2005 3:38 pm
You could also check MRU's and programs set to start at boot. I've had two cases where evidence eliminator was set to "wipe" the drive/evidence. It's not only...
1842
Jacques B.
jboucher_work
Dec 7, 2005 3:59 pm
One of our guys spent some time sifting through a restore point. It stores backup of registry keys (and other info I believe but don't know for certain) which...
1843
Matthew Geiger
wipezone
Dec 7, 2005 5:56 pm
Hi Gary, In addition to my research in this area, I know others are concentrating on identifying the installation artifacts (Registry keys, DLLs, etc) from...
