On Mon, 14 Oct 2002 01:28:38 PDT, Alvin Oga said:

> - if /root, /bin /sbin /lib /dev /etc is 90% full....
>   it will not arbitrarily change size...

Unless your hacker got spooked and decided to cover their tracks.

> - if /home is 90% full and shrinks to 10% full ... you've got a problem
>   no matter which partitions/directories is full

*EXACTLY*. And if you're copying the disk because /home has suddenly gone from 90% to 10% because you suspect somebody did a 'rm -rf' to cover their tracks, a 'tar' command is the WRONG thing to do - all the interesting data is almost certainly on the disk partition's free block list, where you'll need to 'dd' it and then use whatever 'unerase' command you need for that file system type.

Bottom line - 'tar' is almost NEVER the right tool for a forensics backup, even if it is the right tool for a system backup....

-- 
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
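
An added example, not part of the original message: a raw 'dd' image with hash verification, followed by a search of the image for bytes that belong to no file, which a file-level 'tar' copy would never contain. The function names, the marker string and the sample "disk" are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: block-level imaging keeps every byte of the source,
# including blocks that no longer belong to any file.

# image_raw SRC DST: copy SRC (block device or file) into DST and verify it.
image_raw() {
    src=$1; dst=$2
    # noerror: continue past read errors; sync: zero-pad short blocks so
    # later offsets in the image stay aligned with the source.
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum < "$dst" | cut -d' ' -f1)
    # Record the image hash next to the image and make both read-only.
    printf '%s  %s\n' "$dst_sum" "$dst" > "$dst.sha256"
    chmod a-w "$dst" "$dst.sha256"
    # Hashes differ if the source changed during the copy (live system),
    # had unreadable blocks, or was not a multiple of the block size.
    [ "$src_sum" = "$dst_sum" ]
}

# find_in_image IMAGE STRING: print byte offsets of STRING in the raw image.
find_in_image() {
    LC_ALL=C grep -abo -F -- "$2" "$1" | cut -d: -f1
}

# Constructed sample: a 64 KiB zero-filled "disk" with leftover data at byte
# 20000, standing in for a block on the free list after 'rm -rf'.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=4096 count=16 2>/dev/null
    printf 'CONSTRUCTED-DELETED-DATA' |
        dd of="$1" bs=1 seek=20000 conv=notrunc 2>/dev/null
}

demo() {
    work=$(mktemp -d) || return 1
    make_sample_disk "$work/disk.raw"
    image_raw "$work/disk.raw" "$work/evidence.dd" && echo "image verified"
    off=$(find_in_image "$work/evidence.dd" CONSTRUCTED-DELETED-DATA)
    echo "leftover data found at byte offset: $off"
    rm -rf "$work"
}
demo
```

On a real case the source would be the unmounted (or read-only) partition device, and analysis is done on a copy of the verified image.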
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 09:08:17 PDT