Harvey, I would bet the card is, or at least once was, formatted FAT16. Some things I would try if it was me: 1. Try different readers, including older ones,...
Bill Norton
bnorton@...
Aug 1, 2006 1:27 pm
2223
Hi all, ... The newer distros have HAL support compiled into KDE and Gnome desktops. This is an issue because any USB and Firewire device that gets plugged in...
maillist
maillist@...
Aug 7, 2006 10:18 pm
2224
Or you could simply use the 2.4 kernel ... ;) farmerdude...
... Excellent delving into the HAL/Linux layer. It strikes me that your testing methodology may be off. I wouldn't expect simply mounting a drive to alter the...
... I do know that there is a registry entry done when a USB device is connected to a XP box, so you can establish that the USB device was connected to that...
... I would. -- /*************************************** Special Agent Barry J. Grundy Resident Agent in Charge NASA Office of Inspector General Computer...
... While mounting does not imply changing of any files, per se, it quite likely will change meta-data (such as mount count, last access time of the root...
Really? I've never seen it happen. Let's do an experiment with my usb thumb drive on gentoo 2.6.15 # cat /proc/partitions major minor #blocks name 8 0...
... I forgot to give credit to the policy to David Zeuthen from the HAL mailing list. I figured it I needed a HAL policy to do what I needed. After a couple of...
maillist
maillist@...
Aug 8, 2006 11:45 pm
2231
... I have to side with Barry. Of course mounting read only shouldn't change it. But mounting it read/write is not proper forensic procedure. You open a...
... http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf check out page 53, it's a decent summary of the issue, might only ...
Harry Duncan
usr.src.linux@...
Aug 8, 2006 11:48 pm
2233
... Hmm..Barry said mounting *would* change it? And my experiment yielded the same results mounting read/write. ... No argument there..that's where this thread...
... One variable here is file system type. FAT is a pretty simple file system type, which does not have mount count, does not keep track of last access time,...
... Good point! Sounds like fodder for a paper covering the effects of mounts on differing filesystems. ... No argument and in investigations I don't mount...
... Agree completely. Which is why I don't think relying on hash changes to show non-mounts is a reliable test of disabling auto-mount. If the tests were...
... I'm sure Barry can defend himself much better than I can on this, but ... I would. ... In other words, he "would expect" that simply mounting a drive would...
... Actually the original question was simply how to stop automount. The issue of integrity of a mounted device was raised by Ron in the third posting in this...
... Sorry, Not trying to pick any fights ;-) Corrected. ... Good point! I'll skip the cfdisk part. # mkfs.ext3 /dev/sdb1 mke2fs 1.38 (30-Jun-2005) Filesystem...
I see where previous postings were taken slightly out of context by some of us (myself included). I now see the context in which Jeff made that comment. He...
... Good point, it's definitely worthwhile keeping up on 'helpful' changes in the various packages. You'd hate to see an upgrade wipe out your practices. ... ...
... Terse answer: Turn off your automounter daemon. The name and means of doing this depends on the operating system and/or distribution you are using. RTFM...
... Guilty as well! I assumed the poster was testing using usb thumb drives which are usually formatted as fat/vfat filesystems. ... Yeah I gotta say that's...
On Tue, 8 Aug 2006 20:35:30 -0400 ... One suggested solution was "use the 2.4 kernel". That *is* a thoroughly tested solution. I love the 2.6 kernel. It...
... Fair enough Dave. RTFM, Google, books, courses are all things we should be doing. But aren't these mailing lists also to learn and ask questions, even if ...
... Degenerate?? Check out the meaning of forensic, and rethink that. Perhaps the experimental / understanding stuff belongs on a LUG and not a forensic...
Harry Duncan
usr.src.linux@...
Aug 9, 2006 1:18 am
2248
... Google says: http://www.google.com/search?hl=en&lr=&q=define%3A+forensic&btnG=Search relating to the use of science or technology in the investigation and ...
On Tue, 8 Aug 2006 17:29:49 -0700 (PDT) ... bah! no fights picked here. Just trying to clarify what I meant. e-mail conversations can suck. Sometimes I hate ...
... Is it your hypothesis that bad practices are court admissible? Probably best to leave that as a rhetorical question. ... A proposed "best practice"...
Harry Duncan
usr.src.linux@...
Aug 9, 2006 2:10 am
2251
... Ha! No problem. All I'm saying is that I hate it when I post a sample command and since it's a forensics list people immediately post something about how ...