If you have another NT box, you could try using "forensictoolkit20.zip" or similar tools to look for deleted files and the like; just don't do this on your master copy, since NT will want to be able to write on the disks. You could in principle use the NTFS driver in Linux also, but that would require putting a copy of Linux on your box and adding the NTFS support (which is not present by default on the dists I use). You can of course look for textual patterns by grepping the raw partition in the occasional case where that is enough.

Have a look on securityfocus.com and packetstormsecurity.org and a few forensics sites like http://www.cybersnitch.net/tucofs/tucofs.asp?mode=mainmenu and http://www.dmares.com/maresware/forensic_tools.htm (to name a couple) for such tools.

In a mixed shop I prefer to have at least a separate disk with bootable NT or W2K on it in addition to a Linux disk so I can access disk images. You need something that understands the file structure to be able to look for what went wrong in a finite time. The least costly way may be to just get an old box, throw Linux on it, and build as many filesystem support pieces as possible. Linux filesystem reading utilities exist for an astounding variety of filesystems. Many are unable to write, or unsafe for writing, but that is less important than the reading they CAN do.

-----Original Message-----
From: mat_private [mailto:mat_private]
Sent: Wednesday, July 25, 2001 9:26 AM
To: forensicsat_private
Subject: NTFS forensic analysis on Unix platform

Hi. I have taken 2 disk images from a compromised IIS system. These images are in NTFS format, and I was wondering if anyone knows of an open source tool which is capable of accessing these partitions. The Unix platform that I have available is OpenBSD, so I can't mount the NTFS partitions. In the past I've used tct, but unrm doesn't currently support NTFS filesystems.

Any advice would be greatly appreciated.

thanks,
Marty.
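The reply above makes two points: grepping the raw partition is sometimes enough, but to find deleted entries you need something that understands the file structure. The following is an added example (not code from either poster, nor from TCT or any tool named in the thread) showing the minimum of NTFS structure a read-only script needs: it parses the boot sector to locate the MFT, walks FILE records while honouring the update-sequence fixups, pulls the name out of the resident $FILE_NAME attribute, and reports which records are no longer in use. It also maps raw keyword hits to sector and cluster numbers, which is what a plain `grep -a -b` over the image lacks. The image it runs on is constructed inline (a minimal synthetic layout, not a dump of any real system); the record and attribute field offsets are the documented NTFS on-disk format.

```python
"""Read-only MFT walk over a raw NTFS partition image (added example)."""
import struct

ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x01
FLAG_DIRECTORY = 0x02


def parse_boot_sector(image):
    """Return (bytes/sector, sectors/cluster, MFT byte offset, MFT record size)."""
    if image[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS boot sector")
    bps, spc = struct.unpack_from("<HB", image, 0x0B)
    mft_lcn = struct.unpack_from("<Q", image, 0x30)[0]
    cpr = struct.unpack_from("<b", image, 0x40)[0]
    # Clusters per MFT record; a negative value encodes 2**(-cpr) bytes.
    record_size = 2 ** (-cpr) if cpr < 0 else cpr * spc * bps
    return bps, spc, mft_lcn * spc * bps, record_size


def apply_fixups(record, bps):
    """Undo update-sequence fixups: the last 2 bytes of each sector hold the
    USN on disk and the genuine bytes live in the update sequence array."""
    usa_ofs, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_ofs:usa_ofs + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        pos = i * bps - 2
        if buf[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[pos:pos + 2] = record[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(buf)


def file_name_of(record):
    """Name from the first resident $FILE_NAME attribute, or None."""
    ofs = struct.unpack_from("<H", record, 0x14)[0]  # first attribute offset
    while ofs + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, ofs)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_FILE_NAME and record[ofs + 8] == 0:  # resident
            content = ofs + struct.unpack_from("<H", record, ofs + 0x14)[0]
            name_len = record[content + 0x40]
            start = content + 0x42
            return record[start:start + 2 * name_len].decode("utf-16-le")
        ofs += alen
    return None


def walk_mft(image, max_records=64):
    """List MFT records (number, name, in-use and directory flags)."""
    bps, spc, mft_ofs, rsize = parse_boot_sector(image)
    entries = []
    for n in range(max_records):
        rec = image[mft_ofs + n * rsize:mft_ofs + (n + 1) * rsize]
        if len(rec) < rsize or rec[:4] != b"FILE":
            break
        rec = apply_fixups(rec, bps)
        flags = struct.unpack_from("<H", rec, 0x16)[0]
        entries.append({"record": n, "name": file_name_of(rec),
                        "in_use": bool(flags & FLAG_IN_USE),
                        "directory": bool(flags & FLAG_DIRECTORY)})
    return entries


def deleted_entries(image):
    """Records whose in-use bit is clear: names of deleted files still on disk."""
    return [e for e in walk_mft(image) if not e["in_use"]]


def keyword_hits(image, needle):
    """Raw byte search (what grep -a -b gives) mapped to sector and cluster."""
    bps, spc, _, _ = parse_boot_sector(image)
    hits, pos = [], image.find(needle)
    while pos != -1:
        hits.append({"offset": pos, "sector": pos // bps, "cluster": pos // (bps * spc)})
        pos = image.find(needle, pos + 1)
    return hits


# --- constructed sample image: 512-byte sectors, 8 sectors/cluster, MFT at LCN 1 ---
def _mft_record(name, in_use, usn=b"\x42\x00", size=1024, bps=512):
    content = bytes(0x40) + bytes([len(name), 3]) + name.encode("utf-16-le")
    attr_len = (0x18 + len(content) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, attr_len, 0, 0, 0, 0, 0,
                       len(content), 0x18, 1, 0) + content
    attr += bytes(attr_len - len(attr))
    usa = usn + b"\x00\x00" * 2 + b"\x00\x00"  # USN, two saved words, pad to 8
    flags = FLAG_IN_USE if in_use else 0
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, flags,
                         0x38 + attr_len + 8, size, 0, 2, 0, 0)
    rec = bytearray(header + usa + attr + struct.pack("<I", ATTR_END) + bytes(4))
    rec += bytes(size - len(rec))
    for i in (1, 2):                      # stamp the USN over each sector tail
        rec[i * bps - 2:i * bps] = usn
    return bytes(rec)


_boot = bytearray(512)
_boot[3:11] = b"NTFS    "
struct.pack_into("<HB", _boot, 0x0B, 512, 8)
struct.pack_into("<Q", _boot, 0x30, 1)
struct.pack_into("<b", _boot, 0x40, -10)   # 1024-byte MFT records
SAMPLE_IMAGE = bytes(_boot) + bytes(4096 - 512) + b"".join([
    _mft_record("$MFT", True), _mft_record("report.doc", True),
    _mft_record("evidence.log", False)])

if __name__ == "__main__":
    for e in walk_mft(SAMPLE_IMAGE):
        print(e)
    print("deleted:", [e["name"] for e in deleted_entries(SAMPLE_IMAGE)])
```

Everything here opens the image read-only, which is the property the reply insists on; a real analysis would run it against a copy of the dd image, never the master. Non-resident attributes, extended MFT records, and data runs are deliberately out of scope: recovering content of a deleted file needs the $DATA run list, which is where a full tool earns its keep.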
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 13:56:52 PDT