Re: NTFS forensic analysis on Unix platform

From: adamdat_private
Date: Thu Jul 26 2001 - 17:43:46 PDT

    Hi,
    OpenBSD just doesn't have the FS support at this time. I would NOT
    recommend using the original images; make a copy of them first or write
    it to a new drive.
    You should never do anything that may change the original image, as you
    would be altering the evidence. Disturbingly, it seems to be a common
    practice.
    
    A Linux or a native NT/W2K box is your best bet. Keep in mind the Linux
    NTFS support and NT4 don't fully support NTFS 3.* (the FS for Win2k).
    
    Adam Daniel
    
    
    Technical Consultant
    -----------------------------------------------------------------------
    FORENSIC DATA SERVICES PTY LIMITED
    http://www.forensicdata.com.au
    ------------------------------------------------------------------------
    
    On Wed, 25 Jul 2001 mat_private wrote:
    >  Hi.
    >
    >  I have taken 2 disk images from a compromised IIS system.
    > These images are in NTFS format, and I was wondering if
    > anyone knows of an open source tool which is capable of
    > accessing these partitions. The Unix platform that I have
    > available is OpenBSD; so I can't mount the NTFS partitions.
    >
    >  In the past I've used tct; but unrm doesn't currently
    > support ntfs filesystems.
    >
    >  Any advice would be greatly appreciated.
    >
    > thanks,
    > Marty.
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
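
The advice in the reply above (work only on a copy, never on the original image), as an added shell example that is not part of the original message: it hashes the original, takes a copy, and confirms that the copy and the untouched original both still match that hash. The function names, file paths and log format are assumptions.

```shell
#!/bin/sh
# Added example: function names, paths and the log format are assumptions.

# Print the SHA-256 of a file as bare hex (sha256sum, else openssl).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# make_working_copy ORIGINAL COPY LOG
# Returns 0 only if the copy is bit-identical to the original and the
# original's hash is the same before and after the copy was taken.
make_working_copy() {
    orig=$1; copy=$2; log=$3
    if [ ! -r "$orig" ]; then echo "cannot read $orig" >&2; return 2; fi
    if [ -e "$copy" ]; then echo "refusing to overwrite $copy" >&2; return 2; fi

    # Best effort: drop write permission to guard against accidental writes.
    chmod a-w "$orig" 2>/dev/null || true
    before=$(hash_of "$orig") || return 2
    dd if="$orig" of="$copy" bs=1048576 2>/dev/null || return 2
    after=$(hash_of "$orig") || return 2
    copied=$(hash_of "$copy") || return 2

    # Record what was hashed and when, for the case notes.
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s original=%s sha256=%s\n' "$now" "$orig" "$before" >> "$log"
    printf '%s copy=%s sha256=%s\n' "$now" "$copy" "$copied" >> "$log"

    if [ "$before" != "$after" ]; then
        echo "original changed while copying" >&2; return 1
    fi
    if [ "$before" != "$copied" ]; then
        echo "copy does not match original" >&2; return 1
    fi
    return 0
}

# verify_image EXPECTED_SHA256 FILE
# Re-check an image against the hash recorded at acquisition time.
verify_image() {
    [ "$(hash_of "$2")" = "$1" ]
}
```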
    
    
    
    
    