Forensics on IBM AIX (with JFS)

From: Keith Schwalm (kschwalmat_private)
Date: Mon Sep 10 2001 - 10:14:26 PDT

    Some may recall my request for information related to using forensic 
    tools on an IBM AIX system with drives formatted as JFS.  I thought I 
    would post how we did it - although delayed.
    
    We quickly learned, after consulting with some of our comrades around 
    the beltway, that there is really not much in the way of tools available 
    to do a typical exam on JFS.  We also learned from an AIX administrator 
    at a University that the best way, in his experience, is to mount the 
    JFS disks on another AIX system.
    
    Although we had access to an RS6000, we decided to use another method.
    
    We used SafeBack 2.0+ to image the drives and sent those images out on a 
    single drive.  We restored the images and used 'dd' in Mac OS X (10.0.4) 
    to image again in 2GB segments.  We then used Derrick Donnelly's Mac 
    Forensic Suite of tools to look at the 'dd' images and extract the 
    information we needed (mostly simple text based searches) on the 'dd' 
    image files.
    
    This worked great and provided us with the necessary information.  
    Unfortunately a firewall had limited some of the traffic we were looking 
    for on the systems.
    
    FYI, if you should ever need to look at one of these systems in the 
    future. Thanks to all those who responded with suggestions.
    
    --
    -Ke
    
              SA Keith T. Schwalm || U.S. Secret Service
        Financial Crimes Division || Washington, DC
              Office 202.406.5850 || FAX 202.406.5031
       http://www.treas.gov/usss/ || kschwalmat_private
    
    "A computer provides you with the ability to make more mistakes faster
    than any invention known to man...with the possible exception of
    handguns and tequila." - Unknown
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
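The imaging and search steps described in the post above, as an added example that is not part of the original message and not code from SafeBack or the Mac Forensic Suite. It uses only dd, cksum, cmp and grep: a constructed stand-in for the restored drive image is cut into fixed-size segments the way the post describes (demo-sized 4096-byte segments stand in for the 2GB ones), each segment gets a checksum record, the segments are proven to reassemble bit-for-bit, and a plain text search is run over the set. The sample image, its marker strings and all paths are constructed for the demo. It also shows the caveat a practitioner hits with segmented images: a string that straddles a segment boundary is missed when each segment file is searched on its own, so the search must run over the concatenated stream.

```shell
#!/bin/sh
# Added example, not code from the original post or from any tool it names.
# Reproduces the post's dd imaging step in miniature: segment a restored drive
# image, checksum each segment, verify reassembly, then search the segment set.
# Sample image, marker strings and paths below are constructed for the demo.
set -eu

WORK="${TMPDIR:-/tmp}/jfs-dd-demo.$$"
BS=512       # dd block size; for real 2GB segments use BS=1048576 PER_SEG=2048
PER_SEG=8    # blocks per segment -> 4096-byte segments in this demo

make_sample_image() {
    # Constructed stand-in for the restored image: filler bytes plus two marker
    # strings, one deliberately placed across the first segment boundary.
    mkdir -p "$WORK"
    img="$WORK/drive.img"
    : > "$img"
    dd if=/dev/zero bs=4090 count=1 2>/dev/null | tr '\000' 'A' >> "$img"
    printf 'BOUNDARY-MARKER' >> "$img"     # bytes 4090..4104, crosses offset 4096
    dd if=/dev/zero bs=3000 count=1 2>/dev/null | tr '\000' 'B' >> "$img"
    printf 'second-marker' >> "$img"       # lies wholly inside segment 1
    dd if=/dev/zero bs=500 count=1 2>/dev/null | tr '\000' 'C' >> "$img"
    printf '%s' "$img"
}

segment_image() {
    # $1 = source image. Writes $WORK/seg.000, seg.001, ... and prints the count.
    # skip/count are given in blocks, so dd never needs a segment-sized buffer.
    img=$1
    total=$(wc -c < "$img" | tr -d ' ')
    seg_bytes=$((BS * PER_SEG))
    n=0
    while [ $((n * seg_bytes)) -lt "$total" ]; do
        seg=$(printf '%s/seg.%03d' "$WORK" "$n")
        dd if="$img" of="$seg" bs="$BS" skip=$((n * PER_SEG)) count="$PER_SEG" 2>/dev/null
        n=$((n + 1))
    done
    echo "$n"
}

hash_segments() {
    # One checksum line per segment (POSIX cksum). Keep this record with the
    # images so later examinations can show the segments are unchanged.
    for seg in "$WORK"/seg.*; do cksum "$seg"; done
}

verify_segments() {
    # Reassemble in name order and compare with the original: prints ok or MISMATCH.
    if cat "$WORK"/seg.* | cmp -s - "$1"; then echo ok; else echo MISMATCH; fi
}

search_per_segment() {
    # Naive search, one segment file at a time. A string straddling a boundary
    # is split across two files and is never seen whole.
    hits=0
    for seg in "$WORK"/seg.*; do
        hits=$((hits + $(grep -a -o -e "$1" "$seg" | wc -l)))
    done
    echo "$hits"
}

search_image_stream() {
    # Search the concatenated stream instead, so boundary-straddling hits count.
    # -a treats the raw image as text, -o emits one line per match.
    cat "$WORK"/seg.* | grep -a -o -e "$1" | wc -l | tr -d ' '
}

cleanup() { rm -rf "$WORK"; }

demo() {
    img=$(make_sample_image)
    echo "segments written: $(segment_image "$img")"
    hash_segments
    echo "reassembly check: $(verify_segments "$img")"
    echo "per-segment hits for BOUNDARY-MARKER: $(search_per_segment BOUNDARY-MARKER)"
    echo "stream hits for BOUNDARY-MARKER:      $(search_image_stream BOUNDARY-MARKER)"
    cleanup
}

# Run the whole sequence with:  sh this_script.sh run
if [ "${1:-}" = run ]; then demo; fi
```

The per-segment search returns 0 hits for the marker that crosses the boundary while the stream search returns 1; the reassembly check confirms the segments are the original image byte for byte before any search result is relied on.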
    This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 14:12:07 PDT