Results 1 to 5 of 5

Thread: using knoppix for forensic (serious question)

  1. #1
    Junior Member
    Join Date
    Apr 2003
    Location
    Texas
    Posts
    1

    using knoppix for forensic (serious question)

    Hello;

    Any assistance will be appreciated.

    I have knoppix running from a cd. I'd like to image a IDE hd. I have 2 hds in the system. the one I want to image and a blank one. I'm a bit familiar with the dd utility to image a drive but I need a little hand holding.

    If the drive is say a 40 gig hd and i know that only about 6 gigs are used can I image the drive to a blank hd of 10 gig? If so what are the step - commands etc.

    will the dd tool also image deleted files and slack space?

    Once I've created an image using the dd tool on the target drive I want to perform some tests (i.e. like recover deleted files - I have a tool to do this and intent to use Win2K with this tool against the imaged drive.) What do I have to do to make or unimage the hd or can I just perform the dd image from one drive to another?

    I'm getting a bit lost now. But if there is a good url with this information (step by step) I'd be most appreciative. Otherwise someone with a bit of patience would help.

    Thanks

  2. #2
    Senior Member registered user
    Join Date
    Mar 2003
    Location
    colorado springs, colorado
    Posts
    1,933
    If you're using Knoppix 3.2 then there is a tool called 'partimage' already included. You can find it here: Kmenu>System>partimage

    This might be useful for what you wish to accomplish. It can image a drive but will not make an exact mirror, it only copys actual data. Here is the partimage web site:
    http://www.partimage.org/

  3. #3
    Member registered user
    Join Date
    Feb 2003
    Posts
    84
    This is a good page for learning about forensics in Unix:
    http://www.crazytrain.com/papers.html
    At the bottom of the page is an article about using dd.

  4. #4
    Senior Member registered user
    Join Date
    Mar 2003
    Location
    colorado springs, colorado
    Posts
    1,933
    Interesting forensics site:
    http://www.atstake.com/research/tools/task/

  5. #5
    Junior Member
    Join Date
    Mar 2003
    Posts
    9
    I don't think partimage is a good idea for forensics because it understands ext2 and other file systems and I believe it only backs up the data and not the empty space.

    You're probably better off with dd, and piping that across the network if you must (but to a local hard drive would be better).

    Make sure you boot with the "noswap" option, otherwise, Knoppix could try to use a swap partition it finds on the hard drive that you are responsible for protecting.

Similar Threads

  1. Question about using knoppix
    By Shopro in forum General Support
    Replies: 2
    Last Post: 05-12-2004, 09:12 PM
  2. a knoppix cd-rw question....plz help.
    By boris90210 in forum Tips and Tricks
    Replies: 1
    Last Post: 02-20-2004, 08:50 AM
  3. knoppix.sh question
    By redss in forum Customising & Remastering
    Replies: 3
    Last Post: 01-07-2004, 06:42 AM
  4. Grub settings, quick question... really my last question :p
    By mark1221 in forum Hdd Install / Debian / Apt
    Replies: 2
    Last Post: 11-01-2003, 10:32 PM
  5. Hacking & Forensic Software for Troubleshooting
    By reecegeorge in forum Customising & Remastering
    Replies: 0
    Last Post: 10-30-2003, 10:50 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  


1TB/2TB USB 3.0 Flash Drive Thumb U Disk Memory Stick Pen PC Laptop Storage lot picture

1TB/2TB USB 3.0 Flash Drive Thumb U Disk Memory Stick Pen PC Laptop Storage lot

$80.39



USB Flash Drive Memory Stick Pendrive Thumb Drive 4GB, 8GB, 32GB, 64GB 128GB LOT picture

USB Flash Drive Memory Stick Pendrive Thumb Drive 4GB, 8GB, 32GB, 64GB 128GB LOT

$230.40



Sandisk 16GB 32GB 64GB 128GB Cruzer Blade Flash Drive Memory Stick USB Lot Pack picture

Sandisk 16GB 32GB 64GB 128GB Cruzer Blade Flash Drive Memory Stick USB Lot Pack

$138.90



Type C USB 3.0 Flash Drive Thumb Drive Memory Stick for PC Laptop 1TB 2TB lot picture

Type C USB 3.0 Flash Drive Thumb Drive Memory Stick for PC Laptop 1TB 2TB lot

$73.29



Sandisk 8GB 16GB 32GB 64GB Cruzer Blade Flash Drive Memory Stick USB Lot Pack picture

Sandisk 8GB 16GB 32GB 64GB Cruzer Blade Flash Drive Memory Stick USB Lot Pack

$4.98



2TB USB 3.0 Flash Drive Memory Photo Stick for iPhone Android iPad Type C 4 IN1 picture

2TB USB 3.0 Flash Drive Memory Photo Stick for iPhone Android iPad Type C 4 IN1

$11.25



64GB USB 3.0 Flash Drive USB Memory Stick High Speed Retractable USB Thumb Drive picture

64GB USB 3.0 Flash Drive USB Memory Stick High Speed Retractable USB Thumb Drive

$6.99



SanDisk Cruzer Blade 32GB USB 2.0 Flash Drive Thumb Memory Stick Pen SCDZ50 32G picture

SanDisk Cruzer Blade 32GB USB 2.0 Flash Drive Thumb Memory Stick Pen SCDZ50 32G

$5.75



USB Flash Drive Thumb Drive Memory Stick Pendrive 4GB, 8GB, 32GB, 64GB 128GB LOT picture

USB Flash Drive Thumb Drive Memory Stick Pendrive 4GB, 8GB, 32GB, 64GB 128GB LOT

$308.13



SAMSUNG BAR Plus USB 3.1 Flash Thumb Jump Drive USB Stick in Gunmetal Titan Gray picture

SAMSUNG BAR Plus USB 3.1 Flash Thumb Jump Drive USB Stick in Gunmetal Titan Gray

$59.95