... I can't stress this enough, often you get what you pay for in life. The lure of a free application now may lead to ultimate frustration in two years' time...
Hi Jacques, Please see my comments in-line. ... It actually doesn't begin with me :) Check back on 13 March 2008, where Cliff posts his experience that Helix ...
I need to image an IBM AIX server. The server is removed from service and is in my office. It has a pair of mirrored OS drives and a 6 disk RAID5 array. ...
You pretty much hit the nail on the head there. It's not easy no matter which route you take, but your own suggestion there is the lesser of all evils. ... ...
I assume you've discovered it's built around Motorola chips and in many ways resembles the architecture of a Mac with a *nix-like JFS. It's been a couple of years...
I haven't found a boot CD that doesn't increment the md5 sum, mounting read-only or not. Even though some claim not to, putting them to the test reveals that...
So, at the risk of steering the thread away from the flame-war, I'd like to pose an honest technical question... Where would one go looking to make a change...
... THE FARMER'S BOOT CD does _not_ increment the journal count when mounting Reiser file systems read only. This has been tested and validated by myself and a...
Based on the recent thread of Helix and possibly incrementing the journal count or making some other change on Reiser file systems when mounting them read only...
... Snip... ... Can you be more specific about the forensic boot disks that don't work? I am religious about validation, and there are a number of "forensic ...
Farmerdude, I don't use the Farmer's Boot CD. I'll compile a list of CDs I've tried and send it to you. It's not that big a deal. We're not aiming for a...
Rich, I know, I don't have you as a registered user :) But definitely, a list of CDs that advertise they don't but do in your testing would be appreciated,...
Greetings, I'm with Rich - I use a write-blocker and simply ignore this set of problems. Plus it is a visual reminder that I'm operating "safely", which is...
Sure, write blockers prevent damage if they are working correctly, but I don't think that's the point at all, and it's not about having a flame war, it's about...
Owen O' Shaughnessy
owen.oshaughnessy@...
Jun 7, 2008 8:56 am
2877
... Agreed. However when in a corporate setting where you have 20 computers to acquire in a given amount of time, necessity may require an examiner to put a...
To my chagrin, most of the CDs I have tried are no longer out there, including Darren's Boot CD, TaFusion's forensic version of MEPIS, and others. The only...
Ok let me put an end to this silliness. First of all let me start by saying that Farmerdude, Cliff and others are correct the downloadable version of Helix...
Sure, Here is a patch for the linux 2.6 kernel. I have one for 2.4 as well. This patch makes reiserfs avoid journal header updates when a filesystem is...
Drew, Thanks for posting the patch! I figured it was the patch written by Vladimir but wanted to make certain. farmerdude http://www.forensicbootcd.com ...
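Several posts above (the md5-before-and-after test, "tested and validated", "religious about validation") describe the same check without showing it: hash the media, let the boot CD mount it read-only and unmount it, hash again, and compare. The following is an added example of that harness, not code from the thread, from Helix or from the Farmer's Boot CD. The hashing is real; the two "mount" actions are constructed stand-ins (a no-op, and one that flips a byte at an assumed journal-header offset) because the example has to run without root or a real file system.

```python
"""Before/after hash check for "does this read-only mount really leave the
media untouched?" testing.  Added example, not code from the thread or from
any boot CD.  The hashing is real; the actions under test are constructed
stand-ins for a mount/umount cycle.
"""
import hashlib
import os
import random
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so whole-disk images never sit in RAM


def hash_file(path, algo="md5"):
    """Hex digest of a device or image, streamed.  md5 matches the thread;
    pass algo="sha256" for a second, independent digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_unchanged(path, action, algo="md5"):
    """Hash, run action(path) (in real use: mount -o ro ... ; umount),
    hash again.  Returns (unchanged, digest_before, digest_after)."""
    before = hash_file(path, algo)
    action(path)
    after = hash_file(path, algo)
    return before == after, before, after


# --- constructed actions standing in for a boot-CD mount cycle ------------

def noop_mount(path):
    """Stand-in for a boot CD whose read-only mount touches nothing."""


def journal_touching_mount(path):
    """Stand-in for a kernel that rewrites a journal header on an ro mount:
    flips one bit at a hypothetical header offset inside the image."""
    header = 8 * 1024  # assumed location, hypothetical
    with open(path, "r+b") as f:
        f.seek(header)
        b = f.read(1)
        f.seek(header)
        f.write(bytes([b[0] ^ 0x01]))


def make_image(size=64 * 1024, seed=1):
    """Constructed 64 KiB pseudo-random image standing in for a partition."""
    rnd = random.Random(seed)
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(bytes(rnd.getrandbits(8) for _ in range(size)))
    return path


if __name__ == "__main__":
    img = make_image()
    ok, b, a = verify_unchanged(img, noop_mount)
    print("no-op mount left image unchanged:", ok)
    ok, b, a = verify_unchanged(img, journal_touching_mount)
    print("journal-touching mount left image unchanged:", ok)
    print(" before:", b)
    print(" after: ", a)
```

To test a real boot CD, point `verify_unchanged` at the block device (for example `/dev/sdb1`) and pass an action that runs `mount -o ro` followed by `umount` via `subprocess.run(..., check=True)`; do it on a scratch disk with no write-blocker in the path, otherwise the blocker hides exactly the behaviour you are trying to measure. A journaling file system whose driver replays or updates the journal on mount will show a changed digest even though the mount was requested read-only, which is the effect the thread is arguing about.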
Ahh yes, memorable indeed! For the history buffs in the group, here's specifics on a thread that continued on even well beyond the first week captured by my...
Steve Fowler
sfowler@...
Jun 9, 2008 8:06 pm
2885
I use Sleuthkit's dls command: $ ./dls /cygdrive/c/temp/myimage.E01 | pipebench | gzip --fast > /cygdrive/c/temp/myimage-unalloc.gz I can investigate the...
... Are you looking for text in the 'dls' output? 'dls' outputs raw blocks of data. If you only want text, then you should pipe the output through 'strings'....
Thanks, I think I understand now. First: ./dls /cygdrive/c/temp/myimage.E01 > /cygdrive/c/temp/output.dls followed by: strings -t d /cygdrive/c/temp/output.dls...
Brian, one question (I think it's not necessarily TSK-related, but) does 'strings' also convert Unicode? I have read some information about sstrings but this...
Depending on your platform and version of strings the -e option typically lets you specify the encoding. Take a look at a strings man page. Here's one: ...
... sstrings is now called srch_strings (in an attempt to make some of the tool names more clear). It is just a version of the GNU strings from binutils so...
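The last few posts sketch the pipeline (dls to dump unallocated blocks, `strings -t d` to pull printable text with decimal offsets, `-e` to pick an encoding) but do not show why the encoding flag matters. The following is an added example, not code from the thread or from The Sleuth Kit: a small scanner that behaves like `strings -t d` and `strings -e l -t d` over a constructed stand-in for dls output, so you can see that an ASCII-only pass silently skips UTF-16LE text (the form most Windows artefacts are stored in). The sample blocks and the strings planted in them are constructed for the example.

```python
"""Offset-reporting string extraction over raw (unallocated) block data.

Added example, not code from the original thread or from The Sleuth Kit.
ascii_strings() mimics `strings -t d`; utf16le_strings() mimics
`strings -e l -t d` (16-bit little-endian), so the difference between the
two passes on the same data is visible.
"""
import re

MIN_LEN = 4  # GNU strings' default minimum run length


def ascii_strings(data, min_len=MIN_LEN):
    """[(decimal_offset, text)] for runs of printable ASCII, like `strings -t d`."""
    pat = re.compile(rb"[\t\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]


def utf16le_strings(data, min_len=MIN_LEN):
    """[(decimal_offset, text)] for runs of printable ASCII stored as
    UTF-16LE (char byte followed by 0x00), like `strings -e l -t d`.
    finditer() tries every byte offset, so unaligned runs are found too."""
    pat = re.compile(rb"(?:[\t\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]


def build_sample_blocks():
    """Constructed stand-in for two 512-byte blocks of dls output: mostly
    zeros, one ASCII fragment, one UTF-16LE path, one too-short run."""
    block = bytearray(1024)
    ascii_frag = b"Subject: quarterly numbers"
    block[40:40 + len(ascii_frag)] = ascii_frag
    u16_frag = "C:\\Users\\alice\\secret.docx".encode("utf-16-le")
    block[600:600 + len(u16_frag)] = u16_frag
    block[900:902] = b"ab"  # shorter than MIN_LEN, ignored by both passes
    return bytes(block)


if __name__ == "__main__":
    data = build_sample_blocks()
    print("ASCII pass   :", ascii_strings(data))
    print("UTF-16LE pass:", utf16le_strings(data))
```

The offsets reported are into the dls stream, not into the original image: dls writes only unallocated blocks back to back, so divide the offset by the block size to get the dls unit number and map it back to a real block address with `dcalc -u` before you go looking at the evidence image itself.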