Forensics
P2V - Live Forensics Feb 15 2011 03:13PM
solefarmer gmail com (10 replies)
Re: P2V - Live Forensics Feb 22 2011 10:18AM
Dave Howe (DaveHowe pentest googlemail com) (1 replies)
Re: P2V - Live Forensics Feb 28 2011 04:59PM
Paul Schmehl (pschmehl_lists tx rr com) (1 replies)
RE: P2V - Live Forensics Mar 02 2011 09:36AM
David Howe (David Howe ansgroup co uk) (1 replies)
Re: P2V - Live Forensics Mar 03 2011 03:14AM
Chris Barber (cmbarber gmail com)
Re: P2V - Live Forensics Feb 21 2011 09:21PM
Adam Pal (pal_adam gmx net)
RE: P2V - Live Forensics Feb 21 2011 09:21AM
Brian Hitchen esure com
Re: P2V - Live Forensics Feb 19 2011 10:46AM
quark quark (quark maillist gmail com) (1 replies)
Re: P2V - Live Forensics Feb 21 2011 03:40AM
tchmielarski gmail com (1 replies)
Re: P2V - Live Forensics Feb 26 2011 12:51AM
Valdis Kletnieks vt edu
On Mon, 21 Feb 2011 03:40:51 GMT, tchmielarski (at) gmail (dot) com said:
> DD on a live system, using netcat (both exist for windows), will allow you to
> image to a separate system over the network.

Been there, done that, but only on machines I controlled enough to be assured
it was essentially a quiesced system, and not in a forensics mode. What are
people doing to deal with filesystem skew caused by activity during the hour or
two it can take to image over the network? It's one thing to lose a few 'last
accessed' times on files that were touched after they were copied, it's
something else when the resulting filesystem won't even fsck or chkdsk
properly because something major changed during the imaging.

This is particularly important if you're trying to be stealthy and image a
system that's being used - even innocent actions like renaming folders can
cause issues with the resulting image.

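Added example, not part of the original message or thread: one way to record which regions of a live source changed after they were copied, so the skew raised above is at least documented alongside the image. The function name, chunk size and `on_chunk` hook are hypothetical, and the sample "disk" is constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # assumed chunk size for the skew map; real acquisitions use larger blocks


def image_with_skew_map(src, dst, chunk=CHUNK, on_chunk=None):
    """Copy src to dst chunk by chunk, then re-read src and return the
    indices of chunks whose source content changed after they were copied."""
    copied = []  # SHA-256 of each chunk exactly as it went into the image
    # buffering=0: read the live source directly, never from a stale userspace buffer
    with open(src, "rb", buffering=0) as s, open(dst, "wb") as d:
        index = 0
        while block := s.read(chunk):
            d.write(block)
            copied.append(hashlib.sha256(block).digest())
            if on_chunk:
                on_chunk(index)  # hypothetical hook standing in for live activity
            index += 1
    skewed = []
    with open(src, "rb", buffering=0) as s:  # verification pass over the live source
        for index, digest in enumerate(copied):
            if hashlib.sha256(s.read(chunk)).digest() != digest:
                skewed.append(index)
    return skewed


def demo():
    """Constructed sample: an 8-chunk 'disk' that is modified while being imaged."""
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "live.bin"), os.path.join(tmp, "image.bin")
    with open(src, "wb") as f:
        f.write(b"".join(bytes([i]) * CHUNK for i in range(8)))

    def activity(index):
        if index == 1:  # once chunk 1 is copied, write to chunks 0 and 5
            with open(src, "r+b") as f:
                for target in (0, 5):
                    f.seek(target * CHUNK)
                    f.write(b"\xff" * 16)

    skewed = image_with_skew_map(src, dst, on_chunk=activity)
    with open(dst, "rb") as f:
        image = f.read()
    # The image holds chunk 0 from before the change and chunk 5 from after it.
    return skewed, image[:16], image[5 * CHUNK:5 * CHUNK + 16]
```

Only chunk 0 is reported, because chunk 5 changed before it was read; the image still mixes two points in time, which the second pass alone cannot show.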
Re: P2V - Live Forensics Feb 18 2011 04:55PM
Thomas Rozenbroek (trozenbr gmu edu)
RE: P2V - Live Forensics Feb 18 2011 01:36PM
Dan Gimenez (dan gimenez comcast net)
Re: P2V - Live Forensics Feb 18 2011 12:38AM
Erin Kenneally (erin elchemy org)
Re: P2V - Live Forensics Feb 17 2011 11:01PM
William Warren (hescominsoon emmanuelcomputerconsulting com)
Re: P2V - Live Forensics Feb 17 2011 10:54PM
w ahlstros (wahlstros gmail com)
RE: P2V - Live Forensics Feb 17 2011 10:52PM
Bahrs, Art (Arthur Bahrs providence org) (1 replies)
Re: P2V - Live Forensics Feb 21 2011 03:24AM
Paulo Cesar Breim (PCB) (paulo breim com br)


 

Copyright 2010, SecurityFocus