Re: More info on dd? -

From: Valdis.Kletnieksat_private
Date: Mon Oct 14 2002 - 09:04:22 PDT


    On Mon, 14 Oct 2002 01:28:38 PDT, Alvin Oga said:
    > - if /root, /bin /sbin /lib /dev  /etc is 90% full....
    >   it will not arbitrarily change size...
    
    Unless your hacker got spooked and decided to cover their tracks.
    
    > - if  /home is 90% full and shrinks to 10% full ...  you've got a problem
    >   no matter which partitions/directories is full
    
    *EXACTLY*.  And if you're copying the disk because /home has suddenly
    gone from 90% to 10% because you suspect somebody did a 'rm -rf' to cover
    their tracks, a 'tar' command is the WRONG thing to do - all the interesting
    data is almost certainly on the disk partition's free block list, where you'll
    need to 'dd' it and then use whatever 'unerase' command you need for that file
    system type.
    
    Bottom line - 'tar' is almost NEVER the right tool for a forensics backup,
    even if it is the right tool for a system backup....
    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
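
To make the free-block point concrete, here is an added example that is not part of Valdis's message or of the thread. It assumes e2fsprogs (mke2fs and debugfs) is installed and builds a throwaway 4 MiB ext2 image in a temp directory, so it needs neither root nor a mount. It writes one file into the image, deletes it the way the post's 'rm -rf' would, and then compares what a logical copy of the live directory tree recovers (what tar would see) with what a raw scan of every block finds (what a dd image keeps). The marker string is constructed sample content; the /dev/sdb path in the comment is a placeholder for a real evidence device.

```shell
#!/bin/sh
# Added example, not from the original post: a logical copy of the live tree
# (what 'tar' takes) misses data that a raw block image (what 'dd' takes) still
# holds after an 'rm'. Uses a throwaway ext2 image driven by debugfs (e2fsprogs),
# so no root and no mount are required.
#
# On a real box the image comes from the device, not a test file, e.g.:
#   dd if=/dev/sdb of=/mnt/evidence/sdb.dd bs=4M conv=noerror,sync
#   sha256sum /dev/sdb /mnt/evidence/sdb.dd     # record both before analysis
set -eu

# skip cleanly where e2fsprogs is not installed
if ! command -v mke2fs >/dev/null 2>&1 || ! command -v debugfs >/dev/null 2>&1; then
    echo "mke2fs/debugfs (e2fsprogs) not found; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
IMG="$WORK/disk.img"
MARKER="CONSTRUCTED-EVIDENCE-MARKER-7f3a"   # constructed sample content

# make_image: format the image, write one file into /home, then delete it
# (the 'rm -rf' scenario from the post) without ever mounting the filesystem.
# debugfs 'rm' releases the inode and its blocks but does not wipe the data.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1M count=4 2>/dev/null
    mke2fs -q -F -t ext2 "$IMG"
    printf 'attacker notes: %s\n' "$MARKER" > "$WORK/notes.txt"
    cat > "$WORK/cmds" <<EOF
mkdir home
cd home
write $WORK/notes.txt notes.txt
rm notes.txt
EOF
    debugfs -w -f "$WORK/cmds" "$IMG" >/dev/null
}

# logical_copy_hits: copy the live /home tree out of the image, the way tar
# would, and count recovered files containing the marker (expected: 0)
logical_copy_hits() {
    dest=$(mktemp -d "$WORK/logical.XXXXXX")
    debugfs -R "rdump home $dest" "$IMG" >/dev/null
    n=$(grep -rl "$MARKER" "$dest" 2>/dev/null | wc -l)
    echo $((n + 0))
}

# raw_image_hits: scan every block of the image, free ones included, and count
# occurrences of the marker (expected: 1, the data block that 'rm' released)
raw_image_hits() {
    n=$(grep -a -o "$MARKER" "$IMG" | wc -l)
    echo $((n + 0))
}

make_image
echo "logical copy files containing marker: $(logical_copy_hits)"
echo "raw image occurrences of marker:      $(raw_image_hits)"
# the 'unerase' step: ext2 keeps deleted inodes around, so debugfs can list them
debugfs -R lsdel "$IMG"
```

The same split holds on a real disk: a tarball of the mounted tree carries only what the directory entries still reach, while the dd image carries the released blocks that an ext2 unerase tool (or a plain grep -a / strings pass) can still read.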
    This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 09:08:17 PDT