
Thread: using knoppix for forensic (serious question)

  1. #1
    Junior Member
    Join Date
    Apr 2003
    Location
    Texas
    Posts
    1

    using knoppix for forensic (serious question)

    Hello;

    Any assistance will be appreciated.

    I have knoppix running from a cd. I'd like to image an IDE hd. I have 2 hds in the system: the one I want to image and a blank one. I'm a bit familiar with the dd utility to image a drive but I need a little hand holding.

    If the drive is, say, a 40 gig hd and I know that only about 6 gigs are used, can I image the drive to a blank hd of 10 gig? If so, what are the steps - commands etc.?

    Will the dd tool also image deleted files and slack space?

    Once I've created an image using the dd tool on the target drive I want to perform some tests (i.e. like recover deleted files - I have a tool to do this and intend to use Win2K with this tool against the imaged drive). What do I have to do to make or unimage the hd, or can I just perform the dd image from one drive to another?

    I'm getting a bit lost now. But if there is a good URL with this information (step by step) I'd be most appreciative. Otherwise, someone with a bit of patience would help.

    Thanks

  2. #2
    Senior Member registered user
    Join Date
    Mar 2003
    Location
    colorado springs, colorado
    Posts
    1,933
    If you're using Knoppix 3.2 then there is a tool called 'partimage' already included. You can find it here: Kmenu>System>partimage

    This might be useful for what you wish to accomplish. It can image a drive but will not make an exact mirror; it only copies actual data. Here is the partimage web site:
    http://www.partimage.org/

  3. #3
    Member registered user
    Join Date
    Feb 2003
    Posts
    84
    This is a good page for learning about forensics in Unix:
    http://www.crazytrain.com/papers.html
    At the bottom of the page is an article about using dd.

  4. #4
    Senior Member registered user
    Join Date
    Mar 2003
    Location
    colorado springs, colorado
    Posts
    1,933
    Interesting forensics site:
    http://www.atstake.com/research/tools/task/

  5. #5
    Junior Member
    Join Date
    Mar 2003
    Posts
    9
    I don't think partimage is a good idea for forensics because it understands ext2 and other file systems and I believe it only backs up the data and not the empty space.

    You're probably better off with dd, and piping that across the network if you must (but to a local hard drive would be better).

    Make sure you boot with the "noswap" option; otherwise, Knoppix could try to use a swap partition it finds on the hard drive that you are responsible for protecting.
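As an added example (not posted by anyone in the thread), here is the dd-based approach recommended in #5, written as shell functions that run offline: a constructed 1 MiB sample file stands in for the evidence drive (on a real Knoppix session you would substitute the block device, e.g. /dev/hda), the copy is made block-for-block, and the image is checked against the source by hash. The "noswap" boot option from #5 is a boot prompt cheatcode and is not something a script can set, so it is not shown.

```shell
# Added example: raw dd imaging with hash verification. Nothing here is from
# the original thread; device paths are replaced by regular files so it runs
# anywhere. Assumes GNU/BusyBox coreutils (dd, md5sum, cut, wc).
set -u

# Constructed stand-in for the evidence drive: 1 MiB of pseudo-random bytes.
# A real drive would be read directly from its block device instead.
make_sample_source() {
    src="$1"
    dd if=/dev/urandom of="$src" bs=4096 count=256 2>/dev/null
}

# Copy every block of the source, not just allocated files. conv=noerror keeps
# going past unreadable blocks and conv=sync pads those blocks with zeros so
# offsets in the image still line up with the original drive. Because every
# block is copied regardless of file system state, deleted files and slack
# space are preserved in the image.
image_drive() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
}

# Hash source and image; matching digests show the copy is complete.
# Returns 0 (success) when they match, 1 otherwise.
verify_image() {
    src="$1"; img="$2"
    h1=$(md5sum "$src" | cut -d' ' -f1)
    h2=$(md5sum "$img" | cut -d' ' -f1)
    [ "$h1" = "$h2" ]
}

# A raw image is the full size of the source, not of the data on it: a 40 GB
# drive yields a 40 GB image, so a 10 GB target cannot hold it uncompressed.
image_size_bytes() {
    wc -c < "$1" | tr -d ' '
}
```

Write the image to a separate drive mounted read-write, and keep the evidence drive itself unmounted (or mounted read-only) for the whole session.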
