As this group is a good example of practicing forensics, I'm wondering if any of you have a preference for imaging devices. I've found that imaging a drive...
Ronald L. Chichester
ron@...
Jun 6, 2006 7:32 pm
2097
... Well, at my current job, the Standard Operating Procedure is to: 1. extract the source drive 2. put it in a drive carrier (Like an IDE "cold swap" tray) 3....
I missed this earlier, but in re-reading some of the list messages I noticed it and couldn't resist responding. Your assumption that there is "essentially no...
... Sorry to be unclear. My "appliance" was just a PC with Linux and a custom script. :) It worked great! ... Good point. I've got a Canon 20D which has a...
Hi Ronald, ... Personally, I like firewire. Here are a few random comments... Firewire 1394b (800mb/s) is quick and stable for long/big data transfers (like...
nikkel@...
Jun 7, 2006 3:49 pm
2102
... After not getting a new iMac opened, I was told about holding down the T key on the keyboard while booting to get into this target disk mode. Very cool. I...
Thanks, Bruce. That is exactly what I needed. Best wishes, Ron...
Ronald L. Chichester
ron@...
Jun 7, 2006 5:51 pm
2104
I'm giving a presentation on metadata to the Computer & Technology Section of the Texas Bar. I wanted to include a "demo" of viewing metadata, particularly...
Ronald L. Chichester
ron@...
Jun 9, 2006 4:52 pm
2105
Hi Ron, Interesting question, I'm looking around myself for a similar application. For what I know, you could use fccu-docprop ...
Emat
forensics@...
Jun 9, 2006 6:11 pm
2106
It's not exactly that but Hachoir seems good, and it has a section about metadata. http://hachoir.python-hosting.com/ "Hachoir is a library written in Python...
Manu
linux_forensics.yahoo...
Jun 9, 2006 6:32 pm
2107
The purpose of this document is to outline my current Penguin Sleuth Project, establish goals, and release new Penguin Sleuth Project to the general public as...
If you're keen on a bit of Perl programming, take a look at these: http://cpan.mirrors.ilisys.com.au/authors/id/H/HC/HCARVEY/ ...
Adam Daniel
adamd@...
Jun 13, 2006 12:31 am
2109
Hi list, I'm running some tests on an image with foremost and dd and I bumped upon this which I can't really explain: #istat floppy1.001 22 Directory Entry: 22...
forensics@...
Jun 13, 2006 1:07 pm
2110
foremost works by ignoring the file system, so it must use the file header to find the end of the file (the header must say the file size). istat uses the file...
... Would the cluster size have any impact on this? I'm assuming a floppy has 1 sector per cluster so it shouldn't matter. Is perhaps foremost recovering ...
Hi All
I am a bit stuck on this one so any info/advice appreciated!
I am trying to image an "Iqon" laptop that contains a single Western Digital IDE HDD,...
Stuart, do you specify the port to which you want to connect? Your command line should be something like: /root# dd if=/dev/sda bs=512 | nc -w 3 <ip of Gentoo...
Geert VAN ACKER
geert.vanacker@...
Jun 19, 2006 2:12 pm
2114
Try this: dd if=/dev/sda bs=512 | nc <ip of Gentoo box> 7000 or even better, dd if=/dev/sda bs=512 conv=noerror,sync | nc <ip of Gentoo box> 7000 Atila...
Geert VAN ACKER wrote:
> Stuart,
>
> do you specify the port to which you want to connect? Your command line should be something like:
>
> /root# dd...
I agree with Geert, but would add the following parms; Set the bs= to a larger value so it is more efficient (and hopefully faster), and -n to netcat to...
... Or gzip first and gunzip after the transfer if you want to reduce the network traffic. If you want to see the progress, add pipebench or pv to view...
Geert VAN ACKER
geert.vanacker@...
Jun 19, 2006 4:51 pm
2118
Stuart -- Have you considered that the hard drive itself has gone belly up? If you've got a failed hardware device, no amount of finessing is going to bring...
Steve Fowler
sfowler@...
Jun 19, 2006 8:35 pm
2119
If you have a failing drive you can try putting it in a brown paper bag and into the freezer for a while. Then take it out and try imaging it right away. In...
Although it can sometimes work, I don't recommend the freezer idea. I've recovered more than 10,000 drives & while I have known the freezer trick to work for...
The problem with stiction is that there are many causes, most of which are customers or computer builders not properly cooling the hard drives. But the suggest...
Hi All
Thanks for the suggestions re this, some useful commands for me to use in the future and I now have a good image.
The problem was never physical with...
To all- Agile Risk Management is committed to advancing information security concepts, technology, and techniques. As such, we have developed Nigilant32, a...