Anti-forensic tools

[irongeek at irongeek.com (Adrian Crenshaw)]

You are right Wright, I here by dub you king of the LemonWipe. :)

Adrian

On Thu, Jul 2, 2009 at 5:15 PM, Joshua Wright <jwright at hasborg.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I just wanted to point out that my post about copying lemonparty.jpg is
> the only one that works natively on Windows, the target platform based
> on the use of "of=\\.\f:".  ;P
>
> Points for the person who figures out how to do this with a Windows FOR
> loop.
>
> - -Josh
>
> Grymoire wrote:
> > > dd if=lemonparty.jpg of=\\.\f: bs=512
> >
> > first of all, there is no need to use if= and of= - that's provided as
> > a backwards compatability to JCL (HELLO! we're talking punched cards)
> > Use < and < instead.
> >
> > i.e.
> >
> >  dd <lemonparty.jpg >\\.\f: bs=512
> >
> > And yes, when the end of file is reached, dd will halt.
> > It does not loop the data.
> > Perhaps you can
> >
> >               1) seek blocks before writing
> >
> >               2) Use a bigger file
> >
> > For number 1, I think you can do something like (untested)
> >
> > count=0
> > while [ $count -lt 500 ]
> > do
> >  dd <lemonparty.jpg >\\.\f: seeek=$count bs=512
> >  count=`expr $count + 1`
> > done
> >
> >
> > For #2, you can use any of these sources of data:
> >               yes | dd bs=512 count=500 >\\.\f:
> >               no | dd bs=512 count=500 >\\.\f:
> >               dd bs=512 count=500 </dev/zero  >\\.\f:
> >               dd bs=512 count=500 </dev/urandom  >\\.\f:
> >
> >
> > Usually people use the last one.
> >
> > And they repeat it if they want to make sure the data has been
> overwritten.
> > I suppose you could do
> > while true
> > do
> >               cat lemonparty.jpg
> > done | dd bs=512 count=500 >\\.\f:
> >
> >
> > Hope that helps
> > (new member here - first post)
> >
> > Grymoire
> >
> >
> >
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iEYEARECAAYFAkpNI4MACgkQapC4Te3oxYxl4ACfVa5Q1gwsXdVoyqsUkMS9WgeI
> Y8AAoIzcsWhK3C3tlS6hj60yN6+yW22j
> =Ss8C
> -----END PGP SIGNATURE-----
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090703/44c3f0bb/attachment.htm