Jim "jep200404" wrote:
> When you stick the corrupted drive in another machine for
> forensic analysis, beware of e2label causing the wrong
> partitions to be mounted upon booting.
> ...
> Knoppix is a bit safer to work with. Be sure to specify noswap
> when booting to ensure that no crumbs of info in the swap
> partition are obliterated.

Right, you never want to write to the corrupted drive or you might
destroy the "evidence".  Ideally you would use a hardware
write-blocker, such as FastBloc [1].

The other rules I follow are:
1) Always make a copy of the original drive;
2) Lock the original away for safe-keeping; and
3) Do the analysis on the copy.

What forensic tools/software are you using, Scott?

I once used The Coroner's Toolkit [2] to analyze an ext2 file system.
(IIRC I had to hack one of the config or header files to enable large
file lseek support on my 64-bit system.)  The mactime utility was
quite helpful.

I hear The Sleuth Kit [3] is an updated version, but I haven't tried 
it yet.


#include <disclaimer.h>



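The acquisition procedure the message above lays out (lock the original down, copy it, verify and analyze only the copy), written out as a runnable shell script. This is an added example, not code from the thread or from any of the tools it names. It assumes a Linux box with GNU coreutils and blockdev(8); `SRC` is meant to be a block device such as /dev/sdb sitting behind a hardware write-blocker, but the stand-alone run at the bottom uses a constructed stand-in (a plain file of random bytes) so it works without root or real hardware. The function names and the path /dev/sdb are illustrative.

```shell
#!/bin/sh
# Added example, not from the original thread. Acquires a forensic image of
# a suspect drive the way the post's three rules describe: lock the original
# down, copy it bit for bit, and verify the copy's hash before analysis.
# Assumptions: GNU coreutils (dd status=none, sha256sum), Linux /proc and
# blockdev(8). SRC is a block device such as /dev/sdb behind a hardware
# write-blocker, or, as in the constructed stand-in at the bottom, a plain
# file of random bytes so the script runs without root or real hardware.
set -eu

# protect_source SRC: refuse to touch a drive that is mounted or in use as
# swap (the "noswap" concern from the quoted mail), then ask the kernel to
# reject writes to it. A software backstop only, not a substitute for the
# hardware write-blocker. No-op for a regular file.
protect_source() {
    src=$1
    if [ -b "$src" ]; then
        # prefix match on purpose: /dev/sdb also catches /dev/sdb1, /dev/sdb2
        if grep -q -- "^$src" /proc/mounts; then
            echo "refusing: $src (or a partition of it) is mounted" >&2
            return 1
        fi
        if grep -q -- "^$src" /proc/swaps; then
            echo "refusing: $src (or a partition of it) is active swap" >&2
            return 1
        fi
        blockdev --setro "$src"
    fi
}

# image_drive SRC DEST: sector-sized bit-for-bit copy. conv=noerror keeps
# going past unreadable sectors and conv=sync pads each such sector with
# zeros, so every offset in the image still matches the original. bs must be
# the sector size: with a large bs, sync would pad a short final block and
# the image would no longer hash equal to the source.
image_drive() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync status=none
}

# hash_of FILE: SHA-256 hex digest without the trailing filename.
hash_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# verify_image SRC DEST: print the shared digest and return 0 when source
# and image hash identically; print nothing and return 1 otherwise. The
# digest belongs in the case notes: it is what later proves the copy faithful.
verify_image() {
    src_sum=$(hash_of "$1")
    img_sum=$(hash_of "$2")
    [ "$src_sum" = "$img_sum" ] && echo "$src_sum"
}

# acquire SRC DEST: the whole procedure in order, printing the verified
# digest. The image is made read-only at the end so analysis tools cannot
# scribble on it either; work on a further copy of it, never on the original.
acquire() {
    protect_source "$1"
    image_drive "$1" "$2"
    verify_image "$1" "$2"
    chmod 0444 "$2"
}

# Stand-alone run on a constructed stand-in: 1 MiB of random bytes plays the
# suspect drive. On a real case, pass the write-blocked device path instead.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/suspect.raw" bs=512 count=2048 status=none
digest=$(acquire "$work/suspect.raw" "$work/suspect.dd")
echo "image verified, sha256 $digest"
echo "evidence directory: $work"
```

When the image is later mounted for analysis (as root, for a partition image), do it by explicit path rather than by label, which is the e2label trap the quoted mail warns about, and pass `-o ro,loop,noload,noexec,nodev`: `ro` alone does not stop ext3/ext4 from replaying a dirty journal on mount, `noload` does. Re-running `verify_image` against the stored digest after the analysis session is the cheap way to show the copy was not altered.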