Have you looked for obvious clues like the .bash_history file or other shell history files? Or, if you have a specific alternate location that you suspect,...
Michael Snyder
msnyder@...
Jul 12, 2007 9:52 pm
2558
Please excuse my complete ignorance. I am doing research for my boss on this issue and am essentially the middle man here. Where will he find the .bash and...
... He might be better off with a different middle-man then, since this is pretty basic shell stuff. As for your original question, there will be no...
... ever! No, but sometimes you can see it in the logs... also in /swap sometimes if you're lucky. As for when, usually that gets lost fairly quickly. Richard...
Looking at the log files you might be able to determine there was a USB device inserted, or that an 'sd' device was mounted. Realistically, if you're asking...
All, I've been given a tape that I know nothing about (Tape Drive, logical format, etc). What tool(s) would you recommend for tape drive recovery and analysis?...
... I think I'd pop the tape in the drive, and use dd to create a disk image of the tape. Let's face it, reading from tapes is slow and annoying. :) Then,...
... tar would be more traditional for grabbing info from tape, but not sure where you stand forensically in terms of having a hash of the media afterwards. A...
Hi James, Since I've never worked on tapes and dd, I can't say for sure what you get, but you can MD5 the individual files that you take off the tape with tar. -Enda....
... Enda, I've had difficulty getting Irix to read a DDS tape created under Linux with tar. And, that's just getting different versions of tar to read one...
Just wanted to add two quick points to this very worthwhile discussion: 1. _Please_ be sure the write-protect tab is in the "locked" position before you put...
While we're in the mode of quick points, and to further add an exclamation point to Stevens' comment that "tape sucks", there is a distinct possibility that a...
Steve Fowler
sfowler@...
Jul 18, 2007 8:40 pm
2570
That crossed my mind, too, Steve. dd is great for imaging disks, but I think you could be stymied asking it to "image" a tape, for just the reason you...
... I put multiple images on tapes for backups all the time, i.e.
tar cjvf - somedir | dd of=/dev/nrmt0 bs=100k
tar cjvf - someotherdir | dd of=/dev/nrmt0...
Thanks for pointing out my error, Brendan -- mental rust accumulation is hard for me to avoid when it comes to tapes! The error was using "EOF" when the...
Steve Fowler
sfowler@...
Jul 19, 2007 12:02 am
2574
... I tend to use EOT for end of tape because, believe it or not, I would first think of EOD as end of deck. But end-of-data EOD or end-of-tape EOT are clear...
There is an updated version of that same paper here: http://digitalforensics.ch/nikkel05.pdf Kind Regards, Bruce...
nikkel@...
Jul 19, 2007 6:51 am
2576
Thank you all for the responses, they were quite informative. This was my first experience trying to recover from tapes at all. I learned a lot. In the end,...
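The point Brendan and Steve arrive at above (a tape holds several files separated by filemarks, so a single dd that stops at the first "EOF" only images the first file) and Enda's suggestion of hashing what comes off the tape can be combined in one reader. The following is an added example written for this page, not code from any poster. It assumes a Linux st(4) drive on the non-rewinding node /dev/nst0 and the driver's documented behaviour that a read() returns 0 bytes once at a filemark and then continues in the next tape file, so two consecutive zero-length reads mean end of data. The FakeTape class is a constructed stand-in so the logic can be exercised without a drive.

```python
"""Image every file on a tape from one open descriptor, splitting at
filemarks and hashing each file as it is written. Added example, not code
from the thread."""
import hashlib
import os
import tempfile
from typing import Callable, List, Tuple

# Assumptions: a Linux st(4) drive on the non-rewinding node, 64 KiB reads.
# On a drive in variable-block mode the read size must be at least the
# largest record on the tape or read() fails, so size bs for the medium.
TAPE_DEVICE = "/dev/nst0"
BLOCK_SIZE = 64 * 1024


def image_tape(read: Callable[[int], bytes], outdir: str,
               bs: int = BLOCK_SIZE) -> List[Tuple[str, int, str]]:
    """Pull successive tape files from `read` until end of data.

    st(4) semantics: a read() that hits a filemark returns 0 bytes once and
    the next read() continues in the following tape file, so a dd that
    stops at the first short read images only the first file. Two
    consecutive zero-length reads mean EOD. Returns (path, size, sha256)
    for every tape file written to outdir.
    """
    os.makedirs(outdir, exist_ok=True)
    results = []
    n = 0
    while True:
        path = os.path.join(outdir, f"file{n:03d}.img")
        h = hashlib.sha256()
        size = 0
        with open(path, "wb") as out:
            while True:
                buf = read(bs)
                if not buf:          # filemark (or EOD if nothing was read)
                    break
                out.write(buf)
                h.update(buf)
                size += len(buf)
        if size == 0:
            os.remove(path)          # empty read right after a filemark: EOD
            break
        results.append((path, size, h.hexdigest()))
        n += 1
    return results


def image_device(device: str = TAPE_DEVICE, outdir: str = "tape_out",
                 bs: int = BLOCK_SIZE) -> List[Tuple[str, int, str]]:
    """Open the drive once and image it; set the write-protect tab first."""
    fd = os.open(device, os.O_RDONLY)
    try:
        return image_tape(lambda n: os.read(fd, n), outdir, bs)
    finally:
        os.close(fd)


class FakeTape:
    """Constructed stand-in for a tape descriptor so the logic runs with no
    drive: returns b'' once at each filemark and forever after the last file."""

    def __init__(self, files: List[bytes]):
        self.files, self.idx, self.off = list(files), 0, 0

    def read(self, n: int) -> bytes:
        if self.idx >= len(self.files):
            return b""                               # past EOD
        data = self.files[self.idx]
        if self.off >= len(data):
            self.idx, self.off = self.idx + 1, 0     # filemark
            return b""
        chunk = data[self.off:self.off + n]
        self.off += len(chunk)
        return chunk


def demo() -> dict:
    """Image a constructed two-file tape; returns results plus expected hashes."""
    files = [b"A" * 150_000, b"hello tape" * 10]   # constructed sample data
    res = image_tape(FakeTape(files).read, tempfile.mkdtemp(), bs=4096)
    return {"results": res,
            "expected": [hashlib.sha256(f).hexdigest() for f in files]}


if __name__ == "__main__":
    for path, size, digest in demo()["results"]:
        print(f"{digest}  {size:>9}  {path}")
```

Against a real drive, rewind first (`mt -f /dev/nst0 rewind`) and call `image_device()`; the per-file digests are computed from the bytes as they leave the drive, which is the hash of the medium's contents that the thread was asking about, rather than of files extracted by tar afterwards.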
Ladies and Gents, Apologies for the cross post. A new version of the Law Enforcement and Forensic Examiner's Introduction to Linux, A Beginner's Guide is now...
Has anyone filled up a foremost conf file with signatures for carving that they would be willing to share? -- Ave caesar! Morituri te salutamus [Non-text...
... I'd be interested in that as well. Someone recently mentioned to me that on a particular image file that Foremost carved out 80 some images whereas EnCase...
Michael, sorry, I don't have Foremost confs any longer, but maybe I could point you at Photorec from cgsecurity.org. Its name belies how much it can carve, not...
kern
kern.uk@...
Oct 31, 2007 6:53 am
2583
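For anyone building their own signature list, the carving a foremost.conf entry describes is simple enough to reproduce. The following is an added example written for this page, not foremost's or PhotoRec's code. It implements only the `extension case-sensitive max-size header [footer]` fields of the conf syntax, with `\xNN` hex escapes and `?` as a one-byte wildcard, and ignores the REVERSE/NEXT/ASCII keywords; the two conf entries and the sample image are constructed for the demonstration, not taken from a real configuration.

```python
"""Minimal foremost.conf-style header/footer carver. Added example, not
foremost's code: only 'ext case max_size header [footer]' is implemented."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEYWORDS = {"REVERSE", "NEXT", "ASCII"}   # conf options this example ignores


@dataclass
class Sig:
    ext: str
    max_size: int
    header: "re.Pattern[bytes]"
    footer: Optional["re.Pattern[bytes]"]


def compile_pattern(token: str, case_sensitive: bool) -> "re.Pattern[bytes]":
    """Turn a conf token into a bytes regex: \\xNN is a hex byte, ? is a
    one-byte wildcard, anything else matches literally."""
    frags, i = [], 0
    while i < len(token):
        if token.startswith("\\x", i) and i + 4 <= len(token):
            frags.append(re.escape(bytes([int(token[i + 2:i + 4], 16)])))
            i += 4
        elif token[i] == "?":
            frags.append(b".")
            i += 1
        else:
            frags.append(re.escape(token[i].encode("latin-1")))
            i += 1
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile(b"".join(frags), flags)


def parse_conf(text: str) -> List[Sig]:
    """Parse conf lines; '#' comments and blank lines are skipped."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"bad signature line: {line!r}")
        ext, case, size = parts[0], parts[1].lower() == "y", int(parts[2])
        footer = None
        if len(parts) > 4 and parts[4].upper() not in KEYWORDS:
            footer = compile_pattern(parts[4], case)
        sigs.append(Sig(ext, size, compile_pattern(parts[3], case), footer))
    return sigs


def carve(buf: bytes, sigs: List[Sig]) -> List[Tuple[str, int, int]]:
    """Return (ext, start, end) for every hit, end exclusive, sorted by start.

    With a footer the object runs from the header through the first footer
    within max_size; without one (or if no footer is found) it is cut at
    max_size or the end of the buffer. Scanning resumes right after each
    header, so objects embedded in other objects are carved as well, which
    is one reason a carver reports far more hits than a filesystem walk.
    """
    hits = []
    for sig in sigs:
        pos = 0
        while True:
            m = sig.header.search(buf, pos)
            if not m:
                break
            start = m.start()
            end = min(len(buf), start + sig.max_size)
            if sig.footer is not None:
                f = sig.footer.search(buf, m.end(), end)
                if f:
                    end = f.end()
            hits.append((sig.ext, start, end))
            pos = m.end()
    return sorted(hits, key=lambda t: t[1])


# Constructed entries in foremost.conf syntax (not a real default config).
SAMPLE_CONF = r"""
# ext  case  max_size  header                      footer
jpg    y     20000000  \xff\xd8\xff\xe0\x00\x10    \xff\xd9
pdf    n     5000000   %PDF-                       %%EOF
"""


def sample_image() -> bytes:
    """Constructed buffer: filler, a JPEG, filler, a PDF, filler, a JPEG
    header whose footer is missing (a truncated object)."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x01" * 200 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\n" + b"x" * 100 + b"\n%%EOF\n"
    filler = b"\x00" * 512
    return filler + jpeg + filler + pdf + filler + b"\xff\xd8\xff\xe0\x00\x10truncated"


if __name__ == "__main__":
    for ext, start, end in carve(sample_image(), parse_conf(SAMPLE_CONF)):
        print(f"{ext}: offset {start}, {end - start} bytes")
```

The truncated JPEG at the end of the sample is the case worth watching in a real image: a header with no footer in range is still reported, but its length is only the max_size cut-off, so such hits need manual validation before they are counted as recovered files.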
Thanks Kern. I've bookmarked it and forwarded it to some of my peers. I'd like to see a head-to-head test between EnCase, FTK, foremost, scalpel, and photorec...
Jacques, Photorec's are built in, thankfully, and added to by the author and helpers on a semi-regular basis. To add confs for yourself, you may have to tinker...
kern
kern.uk@...
Oct 31, 2007 4:27 pm
2585
... Thanks Kern. I'll check out their mailing list. Jacques...