In addition to the other valuable responses to this question, I would like to add this: You made mention of the possible ramifications and compromise of data integrity this may lead to. Integrity is of the utmost importance in any investigation, particularly on the original evidence. This is why original evidence, particularly hard drives, should _NEVER_ be placed directly into a live machine. Make an initial copy, ideally with a hardware duplication device or dedicated application/boot CD, and store it safely, using the duplicate for any investigation. In addition to safe storage, it is also advisable, where possible, to disable write functions on the drive/peripheral (such as hardware r/o jumpers on a hard drive) prior to deploying the device for forensic analysis.

Regards,
Anthony

Hovis Chasteen wrote:
> Greetings,
>
> While bench testing a new forensic computer I am working on I noticed a potential problem using RH 8.0 with grub.
>
> The computer is a P4, 2.4GHz, 1GB RAM, 120GB HD loaded with Windows XP, Red Hat 8.0 and grub as the dual boot loader. Nothing special, just out of the box installs.
>
> I noticed if I attach another linux bootable drive to the computer (/dev/hdc) when the computer boots, it was trying to load the kernel, root and boot from /dev/hdc not /dev/hda as I expected. I cloned hda and put both in the computer (/dev/hda and /dev/hdc). After reboot I checked /etc/mtab and found that I was in fact working on /dev/hdc instead of hda.
>
> I checked /boot/grub/grub.conf and found the following:
>
> title Red Hat Linux 8.0 (2.4.18-14)
> root (hd0,1)
> kernel /vmlinuz-2.4.18-14 ro root=LABEL=/
> initrd /initrd-2.4.18-14.img
>
> I changed the kernel line to read "kernel /vmlinuz-2.4.18-14 ro root=/dev/hda5" (hda5 is my root partition). I rebooted the system and everything is now as expected. My point here is obvious. If I had installed a suspect hard drive on this stock install I could be working on the original evidence and lose data integrity. Not a good thing.
>
> I am not sure if this is new to 8.0 or grub but I did not see this in RH7.3. If anyone has a better solution or can explain LABEL to me, I'm all ears.
>
> Hovis Chasteen
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> -----------------------------------------------------------------
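An added check (not from either poster) for the root=LABEL=/ ambiguity described in the quoted message: it parses blkid-style output and /etc/mtab-style content, both constructed inline, reports when the mounted root is not the expected device, and lists any label that appears on more than one attached filesystem. Feeding it the real output of `blkid` and the contents of /etc/mtab on the forensic workstation is an assumption about how it would be used.

```python
# Added example (not from the original post): flag the situation Hovis describes, where
# root=LABEL=/ can resolve to a second attached drive with the same label. Input is constructed text.
import re
from collections import defaultdict

BLKID_RE = re.compile(r'^(?P<dev>/dev/\S+):\s*(?P<attrs>.*)$')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_blkid(text):
    """Map each device to its attribute dict (LABEL, UUID, TYPE, ...)."""
    devices = {}
    for line in text.splitlines():
        m = BLKID_RE.match(line.strip())
        if m:
            devices[m.group('dev')] = dict(ATTR_RE.findall(m.group('attrs')))
    return devices

def duplicate_labels(devices):
    """Return {label: [devices]} for every label present on more than one device."""
    by_label = defaultdict(list)
    for dev, attrs in devices.items():
        if 'LABEL' in attrs:
            by_label[attrs['LABEL']].append(dev)
    return {lbl: sorted(devs) for lbl, devs in by_label.items() if len(devs) > 1}

def root_device(mtab_text):
    """Device mounted at / according to /etc/mtab-style lines (None if absent)."""
    for line in mtab_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == '/':
            return fields[0]
    return None

def check_root(mtab_text, blkid_text, expected_root):
    """List of findings; an empty list means the workstation booted from the expected disk."""
    findings = []
    actual = root_device(mtab_text)
    if actual != expected_root:
        findings.append(f"root is {actual}, expected {expected_root}")
    for lbl, devs in duplicate_labels(parse_blkid(blkid_text)).items():
        findings.append(f"label {lbl!r} is on {', '.join(devs)}; root=LABEL= is ambiguous")
    return findings

# Constructed sample mirroring the post: hda cloned to hdc, both root filesystems labelled "/".
SAMPLE_BLKID = '/dev/hda5: LABEL="/" TYPE="ext3"\n/dev/hdc5: LABEL="/" TYPE="ext3"\n/dev/hda1: TYPE="ntfs"\n'
SAMPLE_MTAB = "/dev/hdc5 / ext3 rw 0 0\n/dev/hda1 /mnt/win ntfs ro 0 0\n"

if __name__ == "__main__":
    for finding in check_root(SAMPLE_MTAB, SAMPLE_BLKID, "/dev/hda5"):
        print("WARNING:", finding)
```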
This archive was generated by hypermail 2b30 : Sat Jan 11 2003 - 17:50:53 PST