Pen testers will use a special IDE cable, connecting it from their computer to the hard drive being examined. This cable will not allow any writes. They will then clone the entire drive and only work with the image. I don't know if a similar cable exists for SATA disks. You might try investigating on the net. Maybe a jumper combination will disable writing to the drive.
I believe the terms you're looking for are "forensic investigator", not "penetration tester", and "write blocker". I've used hardware write blockers like Tableau's Ultrablocker (IDE, SCSI, SATA, USB) and Digital Intelligence's Firefly (IDE, FireWire, SATA). The advantage of GNU/Linux Live CDs like HELIX is that they won't tamper with (automount) drives, which you can check and reproduce yourself.
Originally Posted by jschiwal
I read of one case where someone forgot to seal the signed (or stamped) manilla envelopes and the drives fell out, ruining the value of the drives as evidence in court.
Nobody I know could have used anything like envelopes to transport acquired material like that but rugged hard cases like Pelican's.
Last edited by unSpawn; 12-11-2008 at 06:07 PM.
Well, I read this in the Security Monkey blog. I suppose that he wears two hats: Pen Tester and Forensic Investigator. His "Roscoe" computer has an IDE cable that he uses to clone IDE drives with.
I think it was the kind of envelope that is around 10 x 12 inches. I've seen manila envelopes that could easily contain a large drive or a small motherboard, such as the ones that have a string in front that you wrap around a button.
You might not believe me, but I did forget to post an update before rushing off. I did find a device on the net for SATA, eSATA and USB drives, using the term "write blocker". I think for IDE drives you may not need an active device, but simply a cable.
I've had good experiences with Helix keeping the drives write blocked. In a couple of cases of using Helix 2008 R1, the write blocker was next to impossible to disable, so I trust it. If I was looking at the system with a Windows-based OS I'd be more concerned with having a hardware guard that would protect the drive under scrutiny. It seems that the computer has had the factory rebuild disk run against it. First look shows no user data of any kind other than the administrator, no user accounts, no email activity. About two dozen cookies of no real interest, and a common date theme running through most files. It is file carving time.
I had very good luck with Helix running foremost. I carved about 40,000 files which I turned over for investigation. Reinstalling from the manufacturer's boot disk didn't obscure everything. Unfortunately the AOL files were unrecoverable. Plenty of pictures and love notes to ponder over though. I appreciate everyone's help on this thread.
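As an added example (not code from any poster in this thread or from the foremost project), here is a minimal header/footer carver in Python that shows what foremost does against an acquired image: hash the image first, scan it for known file signatures, and cut out each header-to-footer span. The signature table is a constructed two-entry subset and the sample "disk image" bytes are constructed inline.

```python
"""Minimal header/footer file carver in the style of foremost (added example)."""
import hashlib

# Constructed subset of signatures: kind -> (header bytes, footer bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_SIZE = 20 * 1024 * 1024  # stop searching for a footer after this many bytes


def sha256_hex(data: bytes) -> str:
    """Hash the image so results can be tied to exactly the bytes that were examined."""
    return hashlib.sha256(data).hexdigest()


def carve(image: bytes, max_size: int = MAX_SIZE) -> list[tuple[str, int, bytes]]:
    """Return (kind, offset, payload) for every header whose footer lies within max_size."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                hits.append((kind, pos, image[pos:end + len(footer)]))
            else:
                pass  # header with no footer in range (e.g. overwritten by a reinstall): skip it
            pos = image.find(header, pos + 1)
    return sorted(hits, key=lambda hit: hit[1])


def carve_image(image: bytes) -> dict:
    """Hash, carve, re-hash: the image itself must be unchanged by the examination."""
    before = sha256_hex(image)
    files = carve(image)
    return {"hash_before": before, "hash_after": sha256_hex(image), "files": files}


def build_sample_image() -> bytes:
    """Constructed image: slack, one intact JPEG, reinstall text, one PNG, one truncated JPEG."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-constructed" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-body-constructed" + b"IEND\xae\x42\x60\x82"
    truncated = b"\xff\xd8\xff\xe1" + b"cut off by the factory rebuild"
    return b"\x00" * 512 + jpeg + b"factory rebuild data " * 4 + png + b"\x00" * 64 + truncated


if __name__ == "__main__":
    result = carve_image(build_sample_image())
    for kind, offset, payload in result["files"]:
        print(f"{kind} at offset {offset}, {len(payload)} bytes")
```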