Re: [tlug] Beware e2labels and Knoppix swap
- Date: Fri, 10 Mar 2006 19:25:41 +0900
- From: "Jim BLACKSON" <blackson@example.com>
- Subject: Re: [tlug] Beware e2labels and Knoppix swap
Jim "jep200404" wrote:

> When you stick the corrupted drive in another machine for
> forensic analysis, beware of e2label causing the wrong
> partitions to be mounted upon booting.
> ...
> Knoppix is a bit safer to work with. Be sure to specify noswap
> when booting to ensure that no crumbs of info in the swap
> partition are obliterated.

Right, you never want to write to the corrupted drive or you might destroy the "evidence". Ideally you would use a hardware write-blocker, such as FastBloc [1].

The other rules I follow are:

1) Always make a copy of the original drive;
2) Lock the original away for safe-keeping; and
3) Do the analysis on the copy.

What forensic tools/software are you using, Scott?

I once used The Coroner's Toolkit [2] to analyze an ext2 file system. (IIRC I had to hack one of the config or header files to enable large file lseek support on my 64-bit system.) The MACtime utility was quite helpful. I hear The Sleuth Kit [3] is an updated version, but I haven't tried it yet.

HTH,
jimb.

#include <disclaimer.h>

[1] http://www.encase.co.za/solutions/accessories/index.shtm
[2] http://www.porcupine.org/forensics/tct.html
[3] http://www.sleuthkit.org/
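The three rules above (copy the original, set the original aside, work only on the copy) as a constructed shell example, added here and not part of Jim's message. It assumes coreutils-style dd and sha256sum, images to a file rather than a write-blocked device, and a source whose size is a whole number of 512-byte sectors (otherwise conv=sync pads the last block and the hashes will not match).

```shell
#!/bin/sh
set -u

# Rule 1: copy the original block by block and record a hash of both sides.
# Returns 0 only when the image hashes identically to the source.
acquire_image() {
    src="$1"; img="$2"
    # bs=512 matches the sector size; noerror keeps going past unreadable
    # sectors and sync pads them with zeros so offsets in the image still
    # line up with the original.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    sha256sum "$src" | cut -d' ' -f1 > "$img.orig.sha256"
    sha256sum "$img" | cut -d' ' -f1 > "$img.sha256"
    # Rule 2 (file stand-in for locking the original away): never write to
    # the image either; analysis tools should open it read-only.
    chmod 0444 "$img"
    [ "$(cat "$img.sha256")" = "$(cat "$img.orig.sha256")" ]
}

# Rule 3: before each analysis session, confirm the copy still matches the
# hash taken at acquisition time, so any accidental write is noticed.
verify_image() {
    img="$1"
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$(cat "$img.sha256")" ]
}
```

For a real drive the source would be the block device behind the write-blocker (for example /dev/sdb), and the image file is what gets handed to tools such as mactime.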