Ernest Baca wrote:
> Hi All,
>
> I am a computer forensic examiner here in Phoenix. I use Linux as a
> tool for the examination of suspect computers. The one thing that is
> very important for evidentiary reasons is that the state of the drive
> does not change when you examine it. Basically the md5 hash before
> examination must match the hash after examination. I have made a
> bootable CD distro based on KNOPPIX to assist examiners in the live
> preview of suspect computers.
>
> Now here is the problem I face. I did some research and published a
> white paper that indicates that when you mount ext3 and reiserfs
> partitions read-only the state of the drive changes. Further
> research which I did not publish showed that the mount count in the
> journal is what actually changed, but none the less it changed and
> that can be a disaster when it comes to evidentiary value, believe it
> or not.
>
> Now I discovered that mounting an ext3 partition as an ext2 partition
> solved my ext3 problem, but reiser is a different story. Reiser
> demands low level write access to the journal. No matter how you
> mount it, even using a loopback device, it changes. If you lock the
> drive with an hdparm -r, reiser refuses to mount.
>
> Now down to what I need. I have seen some really great talent here
> and I need a person or group of people willing to tackle this issue.
> I am pretty certain that a hack will need to be done to the reiser fs
> that comes with the latest version of KNOPPIX or maybe someone has
> some idea of how to get around it. My goal is to place this solution
> on my CD full credit given of course.
>
> If anyone is interested let me know here or at my website address. If
> several people are interested I would like to get a working group going.
>
>
>
> Ernie Baca
> ebaca@linux-forensics.com
> www.linux-forensics.com
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
Use dd to write an image file of the drive to another device (say a USB
hard drive); dd doesn't mount it as far as I know.
You can examine the copy instead of mounting the original drive itself.
Something like: dd if=/dev/hda of=suspect12345.img
Mount the image using the loopback device.
JD
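The procedure JD outlines, written out as an added example (it is not code from either poster): image the drive with dd, take the hash before and after acquisition to show the source was never written, compare the image against it, and then mount only the copy read-only through a loop device. The device name /dev/hda and the file names are placeholders taken from the thread; the md5 log file name and the noload option for ext3 (which skips journal replay on the copy) are assumptions added here.

```shell
#!/bin/sh
# Added example, not from the original thread. Acquire a suspect drive
# with dd, record md5 hashes before and after, and mount the image
# read-only via loopback so the original device is never mounted.
# Device and file names below are constructed placeholders.

# md5 of a device or file (the thread uses md5 for the before/after check)
hash_of() {
    md5sum "$1" | awk '{ print $1 }'
}

# Bit-for-bit copy. bs=512 matches the sector size, so conv=sync only pads
# a short final read (a device's size is a sector multiple); noerror keeps
# going past unreadable sectors instead of truncating the image.
acquire() {
    src=$1 img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
}

# Returns 0 when the source hash is identical before and after acquisition
# and the image hash matches it, i.e. the copy is faithful and the source
# did not change. The three hashes are written to a log beside the image.
acquire_and_verify() {
    src=$1 img=$2
    log=${3:-"$img.md5"}
    before=$(hash_of "$src")
    acquire "$src" "$img" || return 1
    after=$(hash_of "$src")
    copy=$(hash_of "$img")
    printf '%s  source-before\n%s  source-after\n%s  image\n' \
        "$before" "$after" "$copy" > "$log"
    [ "$before" = "$after" ] && [ "$copy" = "$before" ]
}

# Mount command for the image. ro,loop means the original device is never
# opened; for ext3, noload additionally stops the journal from being
# replayed on the copy. For reiserfs the journal write the thread describes
# lands in the image file, not on the evidence drive.
mount_cmd() {
    img=$1 fstype=$2 dir=$3
    opts=ro,loop
    [ "$fstype" = ext3 ] && opts="$opts,noload"
    printf 'mount -t %s -o %s %s %s' "$fstype" "$opts" "$img" "$dir"
}

# Usage (as root, with the destination on a separate disk):
#   acquire_and_verify /dev/hda /mnt/usb/suspect12345.img \
#     && sh -c "$(mount_cmd /mnt/usb/suspect12345.img ext3 /mnt/evidence)"
```

Hash the image file again after unmounting if you want to know whether the mount itself wrote anything; on the copy that is harmless, but it is exactly the change the thread observed on the original.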