hi ya

i think we're all saying the same thing... ( never intended to use tar to make a disk image/forensic copy ) but was pointing out that dd might have some problems with bad blocks, and i think that software can mark blocks as bad on the drives too .. otherwise, why bother with a bad-block check during formatting.. and yes.. the disk controller itself can also mark blocks as bad..

have fun
alvin

On Mon, 14 Oct 2002 Valdis.Kletnieksat_private wrote:

> On Mon, 14 Oct 2002 01:28:38 PDT, Alvin Oga said:
> > - if /root, /bin /sbin /lib /dev /etc is 90% full....
> > it will not arbitrarily change size...
>
> Unless your hacker got spooked and decided to cover their tracks.
>
> > - if /home is 90% full and shrinks to 10% full ... you've got a problem
> > no matter which partitions/directories is full
>
> *EXACTLY*. And if you're copying the disk because /home has suddenly
> gone from 90% to 10% because you suspect somebody did a 'rm -rf' to cover
> their tracks, a 'tar' command is the WRONG thing to do - all the interesting
> data is almost certainly on the disk partition's free block list, where you'll
> need to 'dd' it and then use whatever 'unerase' command you need for that file
> system type.
>
> Bottom line - 'tar' is almost NEVER the right tool for a forensics backup,
> even if it is the right tool for a system backup....
> --
> Valdis Kletnieks
> Computer Systems Senior Engineer
> Virginia Tech

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
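As an added example (not from either poster), here is the dd invocation the thread argues for, written so that a bad block does not abort the copy and so that the image is hash-verified afterwards; it runs against a constructed 1 MiB "disk" file rather than a real device, and the hash helper, the function names and the sector offset are assumptions for the demo.

```shell
#!/bin/sh
# Image a block device with dd so the copy survives bad blocks, then verify it.
# Assumes POSIX dd and either sha256sum or shasum. No real device is touched.

# hash_of FILE -> prints the SHA-256 hex digest (helper, not a standard tool)
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# forensic_image SRC DEST
#   bs=512        : one sector per read, so a bad sector costs at most 512 bytes
#   conv=noerror  : keep going after a read error instead of stopping
#   conv=sync     : pad a failed/short read with NULs so every later byte keeps
#                   its original offset (unerase tools depend on that)
# Saves dd's stderr in DEST.dd.log and the image hash in DEST.sha256.
# Returns 0 only if the image hashes the same as the source; a mismatch means
# noerror actually skipped data (or SRC is not a multiple of 512 bytes).
forensic_image() {
    src=$1; dest=$2
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>"$dest.dd.log" || return 1
    hash_of "$dest" > "$dest.sha256"
    [ "$(hash_of "$src")" = "$(cat "$dest.sha256")" ]
}

# make_demo_disk FILE: constructed 1 MiB disk with data at sector 700 that no
# filename points to, standing in for a deleted file on the free block list.
make_demo_disk() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null
    printf 'secret-but-deleted-content' | \
        dd of="$1" bs=512 seek=700 conv=notrunc 2>/dev/null
}

# image_size FILE -> byte count without the leading spaces some wc versions print
image_size() {
    wc -c < "$1" | tr -d ' '
}
```

A file-level copy such as tar would never see the sector 700 data because no directory entry references it; the dd image carries it to the unerase stage.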
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 17:55:27 PDT