
Thread: using knoppix for forensic (serious question)

  1. #1
    Junior Member
    Join Date
    Apr 2003
    Location
    Texas
    Posts
    1

    using knoppix for forensic (serious question)

    Hello;

    Any assistance will be appreciated.

    I have Knoppix running from a CD. I'd like to image an IDE hd. I have 2 hds in the system: the one I want to image and a blank one. I'm a bit familiar with the dd utility to image a drive, but I need a little hand holding.

    If the drive is, say, a 40 gig hd and I know that only about 6 gigs are used, can I image the drive to a blank hd of 10 gig? If so, what are the steps - commands etc.?

    Will the dd tool also image deleted files and slack space?

    Once I've created an image using the dd tool on the target drive I want to perform some tests (i.e. like recover deleted files - I have a tool to do this and intend to use Win2K with this tool against the imaged drive). What do I have to do to make or unimage the hd, or can I just perform the dd image from one drive to another?

    I'm getting a bit lost now. But if there is a good url with this information (step by step) I'd be most appreciative. Otherwise someone with a bit of patience would help.

    Thanks

  2. #2
    Senior Member registered user
    Join Date
    Mar 2003
    Location
    colorado springs, colorado
    Posts
    1,933
    If you're using Knoppix 3.2 then there is a tool called 'partimage' already included. You can find it here: Kmenu>System>partimage

    This might be useful for what you wish to accomplish. It can image a drive but will not make an exact mirror; it only copies actual data. Here is the partimage web site:
    http://www.partimage.org/

  3. #3
    Member registered user
    Join Date
    Feb 2003
    Posts
    84
    This is a good page for learning about forensics in Unix:
    http://www.crazytrain.com/papers.html
    At the bottom of the page is an article about using dd.

  4. #4
    Senior Member registered user
    Join Date
    Mar 2003
    Location
    colorado springs, colorado
    Posts
    1,933
    Interesting forensics site:
    http://www.atstake.com/research/tools/task/

  5. #5
    Junior Member
    Join Date
    Mar 2003
    Posts
    9
    I don't think partimage is a good idea for forensics because it understands ext2 and other file systems and I believe it only backs up the data and not the empty space.

    You're probably better off with dd, and piping that across the network if you must (but to a local hard drive would be better).

    Make sure you boot with the "noswap" option; otherwise, Knoppix could try to use a swap partition it finds on the hard drive that you are responsible for protecting.
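The dd procedure the thread circles around, written out as an added example (this is not code posted by anyone in the thread). It images a source device block by block, records a hash of the source, and checks that the copy hashes identically before anything is mounted or examined. Because dd copies every sector, the image carries unallocated space, deleted file contents and slack space, and it is exactly as large as the source disk regardless of how much the filesystem reports as used; the size check in the demo shows this on a constructed file. Device names like /dev/hda and /dev/hdb1 and the mount point /mnt/hdb1 are assumptions for illustration only; confirm the real names with `fdisk -l` after booting with noswap, as post #5 recommends.

```shell
#!/bin/sh
# Added example, not from this thread: image a disk with dd, keep a hash
# of the source, and prove the copy is identical before touching it.
# /dev/hda (source) and /mnt/hdb1 (target) below are assumed names for
# illustration; check `fdisk -l` on the Knoppix box before running.

set -e

# image_disk SRC DEST
# Copies SRC to DEST sector by sector, so unallocated space, deleted
# file contents and slack are all carried over, and the image is as
# large as the source no matter how much the filesystem says is used.
#   conv=noerror,sync  keep going past unreadable blocks and pad each
#                      with zeros so later offsets in the image stay aligned
#   bs=4096            4 KiB blocks: a bad sector costs at most 4 KiB
# dd's messages are kept next to the image for the case notes.
image_disk() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>"$2.dd.log"
}

# hash_of FILE: MD5 of FILE (md5sum is coreutils, present on Knoppix).
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image SRC IMG
# Hashes source and image, stores the source hash beside the image,
# and returns 0 only when the two hashes agree.
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(hash_of "$2")
    echo "$src_hash" > "$2.md5"
    [ "$src_hash" = "$img_hash" ]
}

# demo: run the whole procedure against a constructed 1 MiB "disk" file
# so it works without real hardware. On Knoppix the real call would be
# something like:  image_disk /dev/hda /mnt/hdb1/evidence.dd
demo() {
    src=$(mktemp) || return 1
    img=$(mktemp) || return 1
    dd if=/dev/urandom of="$src" bs=4096 count=256 2>/dev/null || return 1
    image_disk "$src" "$img" || return 1
    status=0
    verify_image "$src" "$img" || status=1
    # bit-for-bit means same size: a 40 GB disk yields a 40 GB image
    [ "$(wc -c < "$src")" = "$(wc -c < "$img")" ] || status=1
    if [ "$status" -eq 0 ]; then
        echo "image verified, md5 $(cat "$img.md5")"
    fi
    rm -f "$src" "$img" "$img.dd.log" "$img.md5"
    return "$status"
}

demo
```

To look at the result without altering it, loop-mount a partition image read-only, for example `mount -o ro,loop,noexec evidence.dd /mnt/image` (mount point assumed); an image of a whole disk rather than a single partition needs the partition's byte offset passed to `losetup -o` first. Re-run the hash after each examination session to show the image is unchanged. If the image must cross the network, as post #5 mentions, the same `dd if=/dev/hda bs=4096 conv=noerror,sync` output can be piped into `nc` on the sending side and written to a file by `nc -l` on the receiver, with the hash compared at both ends.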
