Honeypots mailing list archives

Re: preparing Honeypot hard drives


From: Patrick McCarty <mccartyp () apu edu>
Date: Sat, 16 Oct 2004 20:58:29 -0700

Hi Lefty,

fdisk will only modify the partition table stored at the beginning of the disk, leaving the rest of the data on the disk intact.

A dd command similar to what you describe, however, would zero the entire device, which is of course preferable if you plan on doing forensics later.

So... Go with the dd option :)

-- patrick

On Sat, Oct 16, 2004 at 07:24:32PM +0100, Lefti wrote:
Hi all,

Is there a difference between running "fdisk c:" on a honeypot (booted from
a boot floppy) in order to destroy all the partitions on the hard drive, and
running "dd bs=1000k < /dev/zero > /dev/sda" ??

The fdisk command will be much easier to deliver because as far as I know,
the 'dd' command for win32 will only run within windows.  I'm trying to prepare
my hard disk such that when it comes to doing forensics, I'm not picking up
data from old installations.

Many thanks,

Lefti
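The difference Patrick describes, shown on a scratch image file instead of a real disk (an added example, not code from the thread): it assumes a POSIX shell with dd, yes, head, tr, wc and mktemp, and uses the image file in place of /dev/sda.

```shell
#!/bin/sh
# Added example: simulate both approaches on a scratch image file, not a real
# disk, and count how much old data each one leaves behind. Assumes a POSIX
# shell with dd, yes, head, tr, wc and mktemp. $IMG stands in for /dev/sda.

IMG=$(mktemp)               # scratch file standing in for the honeypot disk
SIZE=$((4 * 1024 * 1024))   # 4 MiB is enough to show the difference

# Plant recognisable "old installation" data over the whole disk (constructed).
fill_old_data() {
    yes 'OLD-INSTALL-DATA' | head -c "$SIZE" > "$IMG"
}

# Count bytes that are not 0x00; a fully zeroed device returns 0.
nonzero_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# What "fdisk" amounts to: only the first sector holding the partition
# table is rewritten; every byte after it is left exactly as it was.
wipe_partition_table_only() {
    dd if=/dev/zero of="$IMG" bs=512 count=1 conv=notrunc 2>/dev/null
}

# The dd approach from the thread. On a real device dd simply runs until the
# device is full; on an image file we bound the output to the disk size.
wipe_whole_disk() {
    dd if=/dev/zero bs=1000k 2>/dev/null | head -c "$SIZE" > "$IMG"
}

# Each check starts from a disk full of old data and returns what survives.
residual_after_fdisk() { fill_old_data; wipe_partition_table_only; nonzero_bytes "$IMG"; }
residual_after_dd()    { fill_old_data; wipe_whole_disk;           nonzero_bytes "$IMG"; }

echo "old bytes left after wiping only the partition table: $(residual_after_fdisk)"
echo "old bytes left after zeroing the whole device:        $(residual_after_dd)"
rm -f "$IMG"
```

The same nonzero_bytes check, read back from the real device after the dd run, is a cheap way to confirm the wipe finished before the honeypot goes live.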

