Security Basics mailing list archives
RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?
From: Gene LeDuc <Gene.LeDuc () tns-md com>
Date: Fri, 20 Jun 2003 13:34:48 -0400
I use linux for this because it leaves the NTFS file system completely unmodified. It doesn't diddle with any time stamps, hidden recycler folders or anything else. Every time I've attached a new NTFS drive to a w2k system, it touches things on it during the boot process and the file system is no longer what I consider clean. My experience with doing this sort of thing is from a forensics perspective where you do not want anything on the target file system modified in any way, especially time stamps and unallocated disk space. I don't think linux is the do-all and end-all for computing, but I absolutely will not use Windows when I need to know what is going on beneath the skirts of the OS. And since I've been doing a lot of NTFS data recovery using linux recently, that was what popped into my mind when I read the original post. After I'd written my linux piece I realized that this person probably didn't care whether his NTFS system got tagged by another Windows OS or not, so I added the bit about strapping it to another Windows box.

-----Original Message-----
From: Raoul Armfield [mailto:armfield () amnh org]
Sent: Thursday, June 19, 2003 9:32 AM
To: security-basics () securityfocus com
Subject: RE: Digital Evidence Question - What is an effective Windows hard -disk search tool?

:-----Original Message-----
:From: Gene LeDuc [mailto:Gene.LeDuc () tns-md com]
:Sent: Wednesday, June 18, 2003 6:20 PM
:To: 'Wilcox, Stephen'
:Cc: security-basics () securityfocus com
:Subject: RE: Digital Evidence Question - What is an effective
:Windows hard -disk search tool?
:
:
:If all you want to do is recover the info, you can attach the hard drive to
:a linux box and mount the NTFS partition. From that point you can browse
:the NTFS file system and copy any files you want. Depending on the flavor
:and version of linux, you may have to load an NTFS driver; I believe
:sourceforge has a read-only driver. If you don't have a linux box hanging
:around then I suppose you could also attach the drive to another MS box and
:access it natively.

Let me start by saying I have learned a lot from this list. However, my question now is, why do so many of you try to solve everything using linux? I realize that linux is an excellent OS and a true NOS; however, in this case isn't that like going to points C and D to get from A to B? Like Chris Berry said and Gene LeDuc conceded, simply drop it into a Win2K box as a slave and copy the files. Worse come to worse you take ownership of the files in question (you do have admin rights on a Win2K box right?) Sometimes we get lost in the simplicity of the answer. No need to load NTFS drivers in linux.

Raoul

---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
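Gene's point, that the suspect NTFS volume must come back from the examination untouched, is something you can check rather than take on faith. The following is an added example and not code posted by anyone in the thread: a POSIX shell sketch that hashes the evidence source before and after a read-only mount and compares the two. It assumes sha256sum and a mount command with NTFS support; the `mount_evidence_ro` helper, its option list and the image/mount-point names are my assumptions, not the thread's. The `demo` function runs on a constructed temporary file so it needs neither root nor an NTFS volume.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumes: POSIX sh, sha256sum, mount with NTFS support, root for mounting.

# Hash an image file or block device; run this before and after handling.
hash_image() {
    sha256sum "$1" | cut -d' ' -f1
}

# Mount options for examining a suspect file system:
#   ro      never write to it
#   noatime no access-time updates even if the driver could write
#   noexec,nodev,nosuid  nothing on the suspect disk runs or exposes devices
ro_mount_opts() {
    printf 'ro,noatime,noexec,nodev,nosuid\n'
}

# Mount an NTFS image file (via loop) or partition read-only. Needs root;
# the -t ntfs driver name is an assumption for the system this runs on.
mount_evidence_ro() {
    src="$1"; mnt="$2"
    if [ -f "$src" ]; then
        mount -t ntfs -o "$(ro_mount_opts),loop" "$src" "$mnt"
    else
        mount -t ntfs -o "$(ro_mount_opts)" "$src" "$mnt"
    fi
}

# Returns 0 if the before/after hashes match, i.e. nothing was modified.
verify_unchanged() {
    [ "$1" = "$2" ]
}

# Demo on a constructed temp file so it runs without root or an NTFS volume:
# hash, read the content (as copying files off a ro mount would), hash again.
demo() {
    tmp=$(mktemp)
    printf 'constructed sample evidence\n' > "$tmp"
    before=$(hash_image "$tmp")
    cat "$tmp" > /dev/null
    after=$(hash_image "$tmp")
    rm -f "$tmp"
    verify_unchanged "$before" "$after"
}
```

On real hardware, hash the whole device (e.g. `/dev/sdb`, not only the partition) so journal and slack areas are covered too; a mismatch after the examination tells you the mount did write, which is exactly the condition Gene describes seeing after letting w2k boot with the drive attached.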