LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
Old 12-11-2008, 04:54 PM   #16
unSpawn
Moderator
Quote: Originally Posted by jschiwal
Pen testers will use a special IDE cable, connecting it from their computer to the hard drive being examined. This cable will not allow any writes. They will then clone the entire drive and only work with the image. I don't know if a similar cable exists for SATA disks. You might try investigating on the net. Maybe a jumper combination will disable writing to the drive.
I believe the terms you're looking for are "forensic investigator", not "penetration tester", and "write blocker". I've used hardware write blockers like Tableau's Ultrablocker (IDE, SCSI, SATA, USB) and Digital Intelligence's Firefly (IDE, Firewire, SATA). The advantage of GNU/Linux Live CDs like HELIX is that they won't tamper with (automount) drives, which you can check and reproduce yourself.


Quote: Originally Posted by jschiwal
I read of one case where someone forgot to seal the signed (or stamped) manila envelopes and the drives fell out, ruining the value of the drives as evidence in court.
Nobody I know could have used anything like envelopes to transport acquired material like that but rugged hard cases like Pelican's.

 
Old 12-11-2008, 05:05 PM   #17
jschiwal
LQ Guru
Well, I read this in the Security Monkey blog. I suppose that he wears two hats: Pen Tester and Forensic Investigator. His "Roscoe" computer has an IDE cable that he uses to clone IDE drives with.

I think it was the kind of envelope that is around 10 x 12 inches. I've seen manila envelopes that could easily contain a large drive or a small motherboard. Such as the ones that have a string in front that you wrap around a button.

You might not believe me, but I did forget to post an update before rushing off. I did find a device on the net for SATA, eSATA, USB and drives, using the term write blocker. I think for IDE drives, you may not need an active device, but simply a cable.

Thanks for the clarifications anyway.
 
Old 12-12-2008, 12:06 PM   #18
kelly1369
LQ Newbie
Original Poster
I've had good experiences with Helix keeping the drives write blocked. In a couple of cases of using Helix 2008 R1, the write blocker was next to impossible to disable, so I trust it. If I was looking at the system with a Windows-based OS I'd be more concerned with having a hardware guard that would protect the drive under scrutiny. It seems that the computer has had the factory rebuild disk run against it. First look shows no user data of any kind other than the administrator, no user accounts, no email activity, about 2 dozen cookies of no real interest, and a common date theme running through most files. It is file carving time.
 
Old 12-12-2008, 02:03 PM   #19
unSpawn
Moderator
Quote: Originally Posted by kelly1369
It is file carving time.
Good luck!
 
Old 12-12-2008, 02:38 PM   #20
H_TeXMeX_H
LQ Guru
Post back and tell us if it helped in the case, and maybe which program found more stuff.
 
Old 01-20-2009, 03:50 PM   #21
kelly1369
LQ Newbie
Original Poster
I had very good luck with Helix running foremost. I carved about 40,000 files which I turned over for investigation. Reinstalling from the manufacturer's boot disk didn't obscure everything. Unfortunately the AOL files were unrecoverable. Plenty of pictures and love notes to ponder over though. I appreciate everyone's help on this thread.
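The header/footer carving that foremost does on a raw image, as an added Python example that is not from the thread or from foremost itself: the two signatures and the sample "disk image" are constructed for the demo, and a header whose footer was overwritten (the unrecoverable case mentioned above) is deliberately skipped rather than carved.

```python
import hashlib
from pathlib import Path

# Header/footer pairs for the file types carved below. foremost ships a much
# longer table in foremost.conf; these two are enough to show how carving
# recovers files from raw sectors with no filesystem metadata at all.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, max_size: int = 1 << 20):
    """Return (kind, offset, data) for every complete file found in image.

    A header with no footer inside max_size bytes is a truncated remnant
    (the unrecoverable case) and is skipped instead of carved.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            limit = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), limit)
            if end < 0:
                pos = start + 1          # no footer: skip this header
                continue
            end += len(footer)
            found.append((kind, start, image[start:end]))
            pos = end                    # resume after the carved file
    return sorted(found, key=lambda f: f[1])


def audit(found):
    """(name, size, sha256) per carved file, so each item handed over can
    be verified later against what was carved."""
    return [(f"{off:08d}.{kind}", len(data), hashlib.sha256(data).hexdigest())
            for kind, off, data in found]


def write_carved(found, outdir: Path):
    """Write each carved file under outdir, named by its image offset."""
    outdir.mkdir(parents=True, exist_ok=True)
    for kind, off, data in found:
        (outdir / f"{off:08d}.{kind}").write_bytes(data)


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw image: two intact files plus one JPEG
    header whose footer was overwritten, all inside zeroed filler."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"T" * 20
    gap = b"\x00" * 64
    return gap + jpg + gap + png + gap + truncated + gap
```

Running `audit(carve(build_sample_image()))` lists the two intact files with their hashes; the truncated JPEG produces no entry.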
 
Old 01-20-2009, 03:57 PM   #22
H_TeXMeX_H
LQ Guru
Cool, thanks for posting back. foremost is a very good program for these kinds of forensic operations, I've used it many times and it's awesome.
 
Old 01-20-2009, 04:07 PM   #23
pentode
Member
Just make sure you get paid, regardless of what they do with the results. Lawyers can be very slow to pay.
 
  

