foremost and data forensics

[monkeywebdaemon at googlemail.com (Monkey Daemon)]

So can I image the partition in "realtime" or do I need to take the
server off-line and boot from a live cd?

MWD.

2010/1/18 Tim Krabec <tkrabec at gmail.com>:
> I would recommend that you image the drive, then you can try multiple things
> with out risk of damaging the original content.? As we're all aware sometime
> the how-tos and directions can need a bit of tweaking, there's nothing like
> being able to get a second chance or third or fourth when learning.
>
>
>
> On Mon, Jan 18, 2010 at 2:57 PM, Monkey Daemon
> <monkeywebdaemon at googlemail.com> wrote:
> > Hi all,
> >
> > I've been asked to search a computer for files that have been deleted
> > recently.
> >
> > As far as I am aware the disks have not been wiped (the directory
> > structure appears to be intact) and there is no need for this to pbe
> > presented in a court of law.
> >
> > I've looked at foremost and it appears to only apply to a given partition.
> >
> > As I am only interested in a particular directory and the disk partion
> > that the directory resides on is an ext3 LVM volume, are there any
> > risks in using foremost to recover this data?
> >
> > Kind regards,
> >
> > MWD
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
>
>
>
> --
> Tim Krabec
> Kracomp
> 772-597-2349
> smbminute.com
> kracomp.blogspot.com
> www.kracomp.com
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com