[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Forensic help?

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Forensic help?
From: Paul Schmehl <pauls@xxxxxxxxxxxx>
Date: Sun, 11 Sep 2005 19:21:05 -0500

--On September 11, 2005 6:33:43 PM -0400 Red Leg <redleg18@xxxxxxxxx> wrote:


Hi all.

I was wondering if anyone knows of a program/system that I can purchase,
as a private individual, that will allow me to

1) mirror a hard drive on location and

2) take that mirror and restore it to another drive. And

3) Find any CONVENTIONALLY erased files?

Download the knoppix std distro and burn it to a cd. Use dcfldd for drive imaging and the forensics tools for recovery of erased files and the like.

 -- This would be either a Windows NTFS or FAT32 drive.

Doesn't really matter what the OS was.  The tools work with bits, not OSes.

Anyone have first hand experience? Please let me know, if you do. In ANY
case, please suggest whatever you might have learned even without first
hand experience.

I have used those tools as well as Encase and FTK. Not sure what you mean by "might have learned".

Paul Schmehl (pauls@xxxxxxxxxxxx)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Forensic help?
  - From: Red Leg
- Re: [Full-disclosure] Forensic help?
  - From: Red Leg

References:
- [Full-disclosure] Forensic help?
  - From: Red Leg

Prev by Date: Re: [Full-disclosure] Forensic help?
Next by Date: Re: [Full-disclosure] Forensic help?
Previous by thread: Re: [Full-disclosure] Forensic help?
Next by thread: Re: [Full-disclosure] Forensic help?
Index(es):
- Date
- Thread