RE: Top Ten List!?

From: Richard Chadderton (rchadderat_private)
Date: Thu Jan 17 2002 - 10:10:44 PST


    On Wed, 16 Jan 2002, Jarrod Frates wrote:
    
    {snip}
    > I use Ghost more to avoid modifying files.  I can Ghost the drive, and
    > then use Ghostwalker (part of the package) to peruse the image file and
    > pull copies of anything I need to examine more closely.
    ...
    > One of the nicer things about the newer versions of Ghost is the
    > built-in CD-R/CD-RW support, complete with spanning.  I'm hoping for
    > DVD+RW support in the next version.  Spanning 8-10 CDs sucks. 
    ...
    > At the same time, I also have a couple of wipedisk utilities to mess
    > with anyone who wants to look into my tracks.
    
    Forget CDs or DVDs. Buy a bunch of big hard drives (they're cheaper
    than dirt) and get some removable trays, and build yourself a new PC for
    imaging disks with. Find someone's bootable CD Linux (TRINUX is great) and
    stick it in. After it boots, login and do this:
    
      dd if=/dev/hda of=/dev/hdb
    
    And watch the blinking lights for a couple hours. 
    
    The dd utility is your friend. The if= and of= commands tell it which
    input file or output file to use. /dev/hda is your original source
    IDE(master) disk, and /dev/hdb is your new copy (slave) disk. Just make
    sure your copy disk is larger than the original. When it's done a prompt
    will show up. At this point you can just turn off the PC if you want, and
    secure the original. 
    
    If you ever need to reuse a drive, you should make sure it's clean first.
    Do this: 
    
      dd if=/dev/urandom of=/dev/hdb
      dd if=/dev/zero of=/dev/hdb
    
    Using the /dev/urandom file lets you spew random trash over the drive;
    using /dev/zero wipes the disk clean. Kind of like soap and water for your
    dirty disk. Most people are happy with this, although the truly paranoid
    will want to repeat it a couple of times. 
    
    And since you're now a Linux pro, you can do things like this:
    
      dd if=/dev/hda | strings > interesting-data.bin
    
    which will scan through the disk and pull out anything that looks like a
    word and put it into a file for you. (watch out, it might be a big
    file...) 
    
    Disclaimer:  Regular readers of this list will of course have several
    refinements to suggest. The above is meant as a simple introduction to the
    process to demonstrate how easy it is, not as a definitive reference.
    Commercial packages such as Encase are more readily accepted, and perhaps 
    harder to screw up, etc, etc...
    
    Cheers!
    ---
    Richard Chadderton
    mailto:richardat_private
    http://chadderton.com/resume
    cell: +1 (604) 209-5313
    home: +1 (604) 254-1606
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
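The three dd steps from the post above (image the disk, carve strings off the image, wipe the copy) as one runnable script. This is an added example, not part of Richard's mail: it uses two ordinary files as stand-ins for /dev/hda and /dev/hdb so it runs without root or spare hardware, and it adds the checks a practitioner would want after each step (byte-for-byte compare of the image against the source, a scan for any non-zero byte after the wipe) that the post does not show. The planted marker text, the file sizes and the tr/grep fallback used when the strings binary is absent are all constructed here.

```shell
#!/bin/sh
# Added example: dd imaging, string carving and wiping against constructed
# files. On a real imaging box the paths below would be /dev/hda, /dev/hdb.
set -eu
export LC_ALL=C   # byte-oriented tr/grep; no multibyte surprises

WORK="${TMPDIR:-/tmp}/dd-demo.$$"
SRC="$WORK/source.img"   # stands in for /dev/hda, the original disk
DST="$WORK/copy.img"     # stands in for /dev/hdb, the (larger) copy disk
OUT="$WORK/interesting-data.bin"

# Constructed "source disk": 1 MiB of random bytes with a recognisable
# line dropped in the middle, like a file sitting on a real drive.
make_source_disk() {
    mkdir -p "$WORK"
    dd if=/dev/urandom of="$SRC" bs=1024 count=1024 2>/dev/null
    printf 'INTERESTING-STRING: suspect@example.test\n' |
        dd of="$SRC" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Step 1: dd if=/dev/hda of=/dev/hdb. The copy "disk" is pre-sized at
# 2 MiB so it is larger than the source, as the post requires. Returns 0
# only if the first <source size> bytes of the copy match the source.
image_disk() {
    dd if=/dev/zero of="$DST" bs=1024 count=2048 2>/dev/null
    dd if="$SRC" of="$DST" conv=notrunc 2>/dev/null
    src_size=$(wc -c < "$SRC" | tr -d ' ')
    head -c "$src_size" "$DST" | cmp -s - "$SRC"
}

# Step 2: dd if=/dev/hda | strings > interesting-data.bin, run on the copy
# so the original is never touched. Falls back to a tr/grep stand-in for
# strings (4+ printable chars) if binutils is not installed. Returns 0 if
# the planted marker was recovered.
carve_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings "$DST" > "$OUT"
    else
        tr -c '[:print:]' '\n' < "$DST" | grep -E '.{4,}' > "$OUT" || :
    fi
    grep -q 'INTERESTING-STRING' "$OUT"
}

# Step 3: random pass, then zero pass. A real disk has a fixed size so dd
# stops at the end on its own; a file does not, hence the explicit count.
# Verification deletes every NUL byte; anything left means the wipe failed.
wipe_disk() {
    dd if=/dev/urandom of="$DST" bs=1024 count=2048 conv=notrunc 2>/dev/null
    dd if=/dev/zero    of="$DST" bs=1024 count=2048 conv=notrunc 2>/dev/null
    [ "$(tr -d '\000' < "$DST" | wc -c | tr -d ' ')" -eq 0 ]
}

cleanup() { rm -rf "$WORK"; }

run_demo() {
    make_source_disk
    image_disk    && echo "image matches source"
    carve_strings && echo "marker recovered from $OUT"
    wipe_disk     && echo "copy disk wiped: all zeros"
}

run_demo
cleanup
```

The compare after imaging is the step most worth keeping from this example: dd reports nothing about whether the bytes landed correctly, and with a copy disk larger than the source the tail of the destination is expected to differ, which is why only the first source-sized span is compared.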
    
    This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 18:41:47 PST