Hello group, I have a hard drive that I need to examine using linux and I want to mount it so that it does not boot but so that I can manually mount it...
You will want to pin your drives master (your boot/forensic drive) and slave (your suspect drive). But before that you want to make sure your Linux distro...
Hello guy, ... In determining whether the drive will be automounted, it doesn't really matter whether the hard drive is attached to the workstation as a ...
Ryan B. Lynch
rlynch@...
Dec 6, 2005 7:52 am
1826
Hi all, I have found tons of information about mounting a dd image of a diskpartition to the loopback device. This works out with no problem. But how can I...
Jelle Smet
jelle.smet@...
Dec 6, 2005 1:30 pm
1827
... 1) Pass an offset to the mount command (offset=number of bytes) to the start of the partition: mount -t vfat -o ro,loop,offset=xxxxxx image.dd...
... Hello ... Well, the issue has to do with the hardware choosing which drive to boot from so what I am talking about is prior to the Linux OS booting and...
... In general, it's best to first make a disk image copy of the drive to be analyszed, checksum it, and keep it in a safe place. Then, copy that to a scratch...
... Sorry if that was a little TMI, I wasn't sure from your original question what the exact problem was--you need to know how to set up the IDE stuff, right? ...
Ryan B. Lynch
rlynch@...
Dec 6, 2005 4:13 pm
1832
Thank you. This has been very helpful. I need to check the BIOS settings to see if the new drive shows up there and to ensure that it is not in the boot list...
On Behalf Of Ryan B. Lynch ... Similar but not knoppix is that I use Win XP on one system here which is bare bones I built 2 years ago with Intl P4 M/Board 2.8...
This doesn't relate to anything I'm working on at the moment, but was just wondering if anyone has considered if there are ways to detect after the fact use of...
... [...] ... Ian, my guess is that you've tried all/some of these ideas, but here's a couple to consider: - is either the master or secondary jumpered as...
... I _think_ what is going on here, is the drives are struggling over which one is master, using the particular explicit jumper settings that you have set up....
I've had similar problems with Maxtor in the past, and I use Maxtor drives exclusively for all work/cases/evidence, etc, but I found my grief was minimised...
Free space all 00's is a big possible indicator. File slack is an equally, if not bigger, indicator of a wiping tool. File slack with older content is pretty...
You could also check MRU's and programs set to start at boot. I've had two cases where evidence eliminator was set to "wipe" the drive/evidence. It's not only...
One of our guys spent some time sifting through a restore point. It stores backup of registry keys (and other info I believe but don't know for certain) which...
Hi Gary, In addition to my research in this area, I know others are concentrating on identifying the installation artifacts (Registry keys, DLLs, etc) from...
I have 3 disks that appear to be spanned. The first shows a file system (W2K) while the remaining 2 disks appear as unallocated space. I believe this is a...
Hi! Also, if you have an image of your complete disk you can use mmls in order to check the "composition" of that physical image, doing: $ mmls -t dos...
Hi Carol - There are a number of variables, including HOW the volume(s) is/are spanned. If it is a simple linear RAID, then SMART would allow you to specify...
Received a laptop for investigation - those in possession of it claimed it must have been a hardware failure, but the circumstances of the situation were...
I can't think of anything that would cause the entire drive to suddenly read all zero's except for someone writing all zeros to the drive. Mike Mackrill Data...
I'd suggest asking your client's approval first, but then trying a read/write test on some usually unused place, like the last sector of the first cylinder....
You could try that, however, I don't see that as being the problem. In my experience that has always been an indicator of suspicious activity. Don't get me...
Not that this will necessarily answer that question, but you could run hdtune against it (www.hdtune.com) to check the stats on the drive (# of hours in...
Having problems with message search?
Fill out this form to ensure your group is one of the first to be migrated to the new message search system.
