Honeypots mailing list archives
Re: preparing Honeypot hard drives
From: Maximillian Dornseif <md () un bewaff net>
Date: Sun, 17 Oct 2004 08:27:19 +0200
On 16.10.2004, at 20:24, Lefti wrote:
Hi all, Is there a difference between running "fdisk c:" on a honeypot (booted from a boot floppy) in order to destroy all the partitions on the hard drive, and running "dd bs=1000k < /dev/zero > /dev/sda" ??
No, when you only want to destroy the partitions.
I'm trying to prepare my hard disk such that when it comes to doing forensics, I'm not picking up data from old installations.
Then you really should use dd. To my knowledge several prolific honeypot operators were already bitten by previous OS installations when doing post mortem analysis. But use bs=1024 or some other power of 2 instead of 1000 and things will be much faster.
Regards
Max Dornseif
--
Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/
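The zero-fill discussed in this message, with a check that nothing from an earlier installation survives, as an added example that is not part of the original thread. The function names are hypothetical, and the demo runs against a constructed image file; a block device path such as /dev/sda would be passed the same way.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# Size in bytes of a block device or of a disk-image file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Count bytes on the target that are not 0x00; 0 means no old data remains.
residual_bytes() {
    tr -d '\000' < "$1" | wc -c | tr -d ' '
}

# Overwrite the whole target with zeros using a power-of-two block size (1 MiB),
# then verify the result instead of trusting dd's exit status alone.
wipe_target() {
    size=$(target_size "$1") || return 1
    full=$((size / 1048576))
    rem=$((size % 1048576))
    dd if=/dev/zero of="$1" bs=1048576 count="$full" conv=notrunc 2>/dev/null || return 1
    if [ "$rem" -gt 0 ]; then
        # Tail shorter than one block: seek past the full blocks, write only $rem bytes.
        head -c "$rem" /dev/zero |
            dd of="$1" bs=1048576 seek="$full" conv=notrunc 2>/dev/null || return 1
    fi
    sync
    [ "$(residual_bytes "$1")" -eq 0 ]
}

# Constructed sample: a 1 MiB + 300 byte image standing in for a previously used disk.
demo() {
    img=$(mktemp) || return 1
    head -c 1048876 /dev/zero | tr '\000' 'A' > "$img"
    echo "before: $(residual_bytes "$img") non-zero bytes"
    wipe_target "$img" && echo "after: $(residual_bytes "$img") non-zero bytes"
    rm -f "$img"
}
demo
```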