Re: Forensics on IBM AIX (with JFS)

From: adam (adamdat_private)
Date: Mon Sep 10 2001 - 23:24:50 PDT


    Hi Keith,
    Where can we get a copy of Derrick Donnelly's MAC forensics tools?
    Thanks in advance.
    
    Adam
    
    On Mon, 10 Sep 2001, Keith Schwalm wrote:
    <CHOP>
    >
    > We used SafeBack 2.0+ to image the drives and sent those images out on a
    > single drive.  We restored the images and used 'dd' in Mac OS X (10.0.4)
    > to image again in 2GB segments.  We then used Derrick Donnelly's Mac
    > Forensic Suite of tools to look at the 'dd' images and extract the
    > information we needed (mostly simple text based searches) on the 'dd'
    > image files.
    >
    > This worked great and provided us with the necessary information.
    > Unfortunately a firewall had limited some of the traffic we were looking
    > for on the systems.
    >
    > FYI if you should ever need to look at one of these systems in the
    > future, thanks to all those who responded with suggestions.
    >
    > --
    > -Ke
    >
    >           SA Keith T. Schwalm || U.S. Secret Service
    >     Financial Crimes Division || Washington, DC
    >           Office 202.406.5850 || FAX 202.406.5031
    >    http://www.treas.gov/usss/ || kschwalmat_private
    >
    > "A computer provides you with the ability to make more mistakes faster
    > than any invention known to man...with the possible exception of
    > handguns and tequila." - Unknown
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    Adam Daniel
    
    Technical Consultant
    -----------------------------------------------------------------------
    FORENSIC DATA SERVICES PTY LIMITED
    http://www.forensicdata.com.au
    ------------------------------------------------------------------------
    The information contained in this e-mail is confidential and is
    intended solely for the addressee. If you received this e-mail by
    mistake please notify us immediately and delete all copies of this
    message. You must not disclose or use in any way the information in the
    e-mail. It is the responsibility of the recipient to virus scan this
    e-mail and any attachments included.
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Sep 12 2001 - 10:31:19 PDT