[ale] (OT) data recovery - show and tell?

Greg Freemyer freemyer-ml at NorcrossGroup.com
Mon Apr 26 19:33:43 EDT 2004


On Mon, 2004-04-26 at 15:00, Michael D. Hirsch wrote:
> I think subject would make a fantastic presentation.  Would anyone like to 
> volunteer to present.  This would be a fabulous way for a consultant to 
> advertise their abilities, or a great opportunity for someone to get 
> motivated to learn this stuff.
> 
> If you are interested, please let me know.
> 
> Michael
> 
Michael, 

First off-topic:
====
How come I don't know about 'tac'.  I just found it in the below linux
for cops write-up.  Seems like the simple kind of program we should all
know.  

(i.e. to review logs "tac /var/log/messages | less".  That way you see
the entries in reverse chronological order.)

Am I the only one who doesn't know this basic command?

====
Okay, on-topic:

We use commercial windows software to do data recovery.  I assume that
is taboo.

OTOH, there is a white paper about using linux to do computer forensics of
linux systems (and data recovery of same) at

http://www.linux-forensics.com/linuxintro-LEFE-2.0.5.pdf

(A big part of computer forensics is the recovery of deleted files and
file fragments, so there is a lot of relevant info in this paper.)

The first third of the above whitepaper is basic linux stuff that most
people on this list know.  (Thankfully, tac is introduced in a later
section.  I don't feel quite so ignorant.)

The other 2/3s are more interesting.  It could be the basis of either a
detailed computer forensics presentation, or data recovery.  (For data
recovery, you could just leave out some of the steps like calculating
the md5sum of the raw disk before and after making a working copy.)

I know there was a computer forensics presentation last summer, but it
was more conceptual with references to tools and their functionalities.

The above goes into actual command-line parameters, etc.  I have only
scanned it so far, but I think it would make an interesting basis for a
presentation.  (In particular it has 10 pages dedicated to Autopsy, a
GUI environment.)

I think it even has some disk images online that can be analysed and
files recovered.  The presentation could include some actual recoveries
from the sample.

I have never used linux to do data recovery, but if you don't have any
other takers I would consider giving the above a shot.

Greg
-- 
Greg Freemyer
