On Wed, 16 Jan 2002, Jarrod Frates wrote:

{snip}

> I use Ghost more to avoid modifying files. I can Ghost the drive, and
> then use Ghostwalker (part of the package) to peruse the image file and
> pull copies of anything I need to examine more closely.

...

> One of the nicer things about the newer versions of Ghost is the
> built-in CD-R/CD-RW support, complete with spanning. I'm hoping for
> DVD+RW support in the next version. Spanning 8-10 CDs sucks.

...

> At the same time, I also have a couple of wipedisk utilities to mess
> with anyone who wants to look into my tracks.

Forget CDs or DVDs. Buy a bunch of big hard drives (they're cheaper than dirt) and get some removable trays, and build yourself a new PC for imaging disks with. Find someone's bootable CD Linux (TRINUX is great) and stick it in. After it boots, login and do this:

    dd if=/dev/hda of=/dev/hdb

And watch the blinking lights for a couple hours. The dd utility is your friend. The if= and of= commands tell it which input file or output file to use. /dev/hda is your original source IDE (master) disk, and /dev/hdb is your new copy (slave) disk. Just make sure your copy disk is larger than the original. When it's done a prompt will show up. At this point you can just turn off the PC if you want, and secure the original.

If you ever need to reuse a drive, you should make sure it's clean first. Do this:

    dd if=/dev/urandom of=/dev/hdb
    dd if=/dev/zero of=/dev/hdb

Using the /dev/urandom file lets you spew random trash over the drive; using /dev/zero wipes the disk clean. Kind of like soap and water for your dirty disk. Most people are happy with this, although the truly paranoid will want to repeat it a couple of times.

And since you're now a Linux pro, you can do things like this:

    dd if=/dev/hda | strings > interesting-data.bin

which will scan through the disk and pull out anything that looks like a word and put it into a file for you. (Watch out, it might be a big file...)
Disclaimer: Regular readers of this list will of course have several refinements to suggest. The above is meant as a simple introduction to the process to demonstrate how easy it is, not as a definitive reference. Commercial packages such as Encase are more readily accepted, and perhaps harder to screw up, etc, etc...

Cheers!

---
Richard Chadderton
mailto:richardat_private
http://chadderton.com/resume
cell: +1 (604) 209-5313
home: +1 (604) 254-1606

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
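The dd imaging and wiping steps from the post above, as an added example that is not from the original post or its author: it adds the check a forensic practitioner wants after each step, hashing source and image to prove the copy is exact, and reading a wiped region back to confirm only zeros remain. The device paths are the caller's; the demo substitutes constructed temp files for /dev/hda and /dev/hdb so it runs without real disks.

```shell
#!/bin/sh
# Added example (not from the original post): image a disk with dd, prove the
# copy is bit-for-bit identical by hashing both sides, and confirm a wipe left
# only zeros. Device paths are the caller's; the demo at the bottom stands in
# constructed temp files for /dev/hda and /dev/hdb so it runs without real disks.
set -eu

# image_and_verify SRC DEST: copy SRC to DEST with dd, then compare SHA-256 of
# source and image. Prints both hashes; returns 0 only if they match. Keep the
# printed hashes with the image so the copy can be re-verified later.
image_and_verify() {
    dd if="$1" of="$2" bs=4096 2>/dev/null
    src_hash=$(sha256sum "$1" | cut -d' ' -f1)
    img_hash=$(sha256sum "$2" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$img_hash" "$2"
    [ "$src_hash" = "$img_hash" ]
}

# wipe_and_verify DEV SIZE: overwrite the first SIZE bytes of DEV (SIZE a
# multiple of 512) with zeros, then read them back, strip every NUL byte and
# require nothing to be left. count= keeps a plain file from growing; a real
# block device simply ends. Returns 0 only if the read-back is all zeros.
wipe_and_verify() {
    dd if=/dev/zero of="$1" bs=512 count=$(( $2 / 512 )) conv=notrunc 2>/dev/null
    [ $(head -c "$2" "$1" | tr -d '\000' | wc -c) -eq 0 ]
}

# Demo: a constructed 2 MiB "disk" of random bytes stands in for /dev/hda.
demo() {
    src=$(mktemp) && img=$(mktemp)
    dd if=/dev/urandom of="$src" bs=512 count=4096 2>/dev/null
    image_and_verify "$src" "$img" && echo "image verified"
    wipe_and_verify "$img" 2097152 && echo "wipe verified"
    rm -f "$src" "$img"
}
demo
```

Record the hashes printed by image_and_verify alongside the image; a hash taken only from the copy proves nothing about the original.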
This archive was generated by hypermail 2b30 : Thu Jan 17 2002 - 18:41:47 PST