... I can't stress this enough, often you get what you pay for in life. The lure of a free application now may lead to ultimate frustration in two years' time...
2863
farmerdude
farmerduderl
Jun 4, 2008 1:34 am
Hi Jacques, Please see my comments in-line. ... It actually doesn't begin with me :) Check back on 13 March 2008, where Cliff posts his experience that Helix ...
2864
Jacques B.
jboucher_work
Jun 4, 2008 4:27 pm
... <snip> ... Totally agree. We are on the same page on all counts. Jacques B....
2865
Doug Rehman
rehman32801
Jun 5, 2008 3:35 pm
I need to image an IBM AIX server. The server is removed from service and is in my office. It has a pair of mirrored OS drives and a 6 disk RAID5 array. ...
2866
Rich Price
kernel_smash
Jun 5, 2008 4:10 pm
You pretty much hit the nail on the head there. It's not easy no matter which route you take, but your own suggestion there is the lesser of all evils. ... ...
2867
C. David Sterne
simply_persi...
Jun 6, 2008 2:21 pm
I assume you've discovered it's built around Motorola chips and in many ways resembles architecture of a MAC with a *nix like JFS. It's been a couple of years...
2868
Rich
kernel_smash
Jun 6, 2008 3:18 pm
I haven't found a boot cd that doesn't increment the md5 sum, mounting read-only or not. Even though some claim not to, putting them to the test reveals that...
2869
Steve Gibson
sw_gibson
Jun 6, 2008 5:10 pm
So, at the risk of steering the thread away from the flame-war, I'd like to pose an honest technical question... Where would one go looking to make a change...
2870
farmerdude
farmerduderl
Jun 6, 2008 7:46 pm
... THE FARMER'S BOOT CD does _not_ increment the journal count when mounting Reiser file systems read only. This has been tested and validated by myself and a...
2871
farmerdude
farmerduderl
Jun 6, 2008 7:53 pm
Based on the recent thread of Helix and possibly incrementing the journal count or making some other change on Reiser file systems when mounting them read only...
2872
Grundy, Barry J. (HQ-...
grundy_b
Jun 7, 2008 12:08 am
... Snip... ... Can you be more specific about the forensic boot disks that don't work? I am religious about validation, and there are a number of "forensic ...
2873
Rich
kernel_smash
Jun 7, 2008 12:32 am
Farmerdude, I don't use the farmer's boot cd. I'll compile a list of cd's I've tried and send it to you. It's not that big a deal. We're not aiming for a...
2874
farmerdude
farmerduderl
Jun 7, 2008 12:35 am
Rich, I know, I don't have you as a registered user :) But definitely, a list of CDs that advertise they don't but do in your testing would be appreciated,...
2875
David Kovar
dkovar
Jun 7, 2008 8:19 am
Greetings, I'm with Rich - I use a write-blocker and simply ignore this set of problems. Plus it is a visual reminder that I'm operating "safely", which is...
2876
Owen O' Shaughnessy
owen.oshaughnessy@...
Jun 7, 2008 8:56 am
Sure, write blockers prevent damage if they are working correctly, but I don't think that's the point at all, and it's not about having a flame war, it's about...
2877
Jacques B.
jboucher_work
Jun 7, 2008 10:04 am
... Agreed. However when in a corporate setting where you have 20 computers to acquire in a given amount of time, necessity may require an examiner to put a...
2878
Rich
kernel_smash
Jun 7, 2008 3:19 pm
To my chagrin, most of the cd's I have tried are no longer out there, including Darren's Boot CD, TaFusion's Forensic version of MEPIS, and others. The only...
2879
Drew Fahey
zippo_p38
Jun 7, 2008 10:01 pm
Ok let me put an end to this silliness. First of all let me start by saying that Farmerdude, Cliff and others are correct the downloadable version of Helix...
2880
Owen O' Shaughnessy
owen.oshaughnessy@...
Jun 8, 2008 9:30 am
Thank you very much Drew, your openness, effort and commitment are much appreciated. Regards, Owen....
2881
farmerdude
farmerduderl
Jun 8, 2008 12:27 pm
Drew, Thanks for replying and updating us. Can you post the patch to the group or e-mail it privately to me if not? Regards, farmerdude...
2882
Andrew Fahey
zippo_p38
Jun 9, 2008 3:13 pm
Sure, Here is a patch for the linux 2.6 kernel. I have one for 2.4 as well. This patch makes reiserfs avoid journal header updates when a filesystem is...
2883
farmerdude
farmerduderl
Jun 9, 2008 3:56 pm
Drew, Thanks for posting the patch! I figured it was the patch written by Vladimir but wanted to make certain. farmerdude http://www.forensicbootcd.com ...
2884
Steve Fowler
sfowler@...
Jun 9, 2008 8:06 pm
Ahh yes, memorable indeed! For the history buffs in the group, here's specifics on a thread that continued on even well beyond the first week captured by my...
2885
Mark
stamblogs
Jun 11, 2008 3:01 pm
I use Sleuthkit's dls command: $ ./dls /cygdrive/c/temp/myimage.E01 | pipebench | gzip --fast > /cygdrive/c/temp/myimage-unalloc.gz I can investigate the...
2886
Brian Carrier
bdcarrier
Jun 11, 2008 3:32 pm
... Are you looking for text in the 'dls' output? 'dls' outputs raw blocks of data. If you only want text, then you should pipe the output through 'strings'....
2887
Mark
stamblogs
Jun 11, 2008 4:46 pm
Thanks, I think I understand now. First: ./dls /cygdrive/c/temp/myimage.E01 > /cygdrive/c/temp/output.dls followed by: strings -t d /cygdrive/c/temp/output.dls...
2888
Mark
stamblogs
Jun 11, 2008 10:46 pm
Brian, one question (I think it's not necessarily TSK related but) does 'strings' also convert unicode? I have read some information about sstrings but this...
Depending on your platform and version of strings the -e option typically lets you specify the encoding. Take a look at a strings man page. Here's one: ...
2891
Brian Carrier
bdcarrier
Jun 12, 2008 2:54 am
... sstrings is now called srch_strings (in an attempt to make some of the tool names more clear). It is just a version of the GNU strings from binutils so...