Honeypots mailing list archives

Re: preparing Honeypot hard drives


From: Maximillian Dornseif <md () un bewaff net>
Date: Sun, 17 Oct 2004 08:27:19 +0200


On 16.10.2004, at 20:24, Lefti wrote:

Hi all,

Is there a difference between running "fdisk c:" on a honeypot (booted from a boot floppy) in order to destroy all the partitions on the hard drive, and
running "dd bs=1000k < /dev/zero > /dev/sda" ??

No, when you only want to destroy the partitions.


I'm trying to prepare
my hard disk such that when it comes to doing forensics, I'm not picking up
data from old installations.

Then you really should use dd. To my knowledge several prolific honeypot operators were already bitten by previous OS installations when doing post mortem analysis. But use bs=1024 or some other power of 2 instead of 1000 and things will be much faster.

Regards

Max Dornseif

--
Maximillian Dornseif, Dipl. Jur., CISSP
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Tel. +49 241 80-21431 - http://md.hudora.de/
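The point of the reply above is that deleting a partition table only touches the first sector, while a dd zero-fill overwrites every block, so nothing from an older installation can surface later in a post mortem. The script below is an added illustration, not part of the thread: it works on a constructed disk image file under an assumed path ($IMG) rather than a real device, plants a marker string where an old installation's data would sit, and shows that a partition-table-only wipe leaves it intact whereas a full zero-fill (with a power-of-two block size) does not. The residual_bytes check is the verification step worth running before a honeypot goes live.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare a partition-table
# wipe with a full dd zero-fill on a file-backed image instead of a real disk.
set -eu
LC_ALL=C; export LC_ALL

IMG="${TMPDIR:-/tmp}/honeypot-wipe-demo.img"   # assumed scratch path, not a real device
MARKER='OLD-INSTALL-SECRET'                     # constructed stand-in for leftover data

# make_image SIZE_MB: fill the image with random bytes (the "old installation")
# and plant a recognisable marker 512 KiB in, well past the first sector.
make_image() {
    dd if=/dev/urandom of="$IMG" bs=1024 count=$(( $1 * 1024 )) 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=1024 seek=512 conv=notrunc 2>/dev/null
}

# wipe_partition_table: what deleting the partitions amounts to on disk:
# only the first 512-byte sector is zeroed, everything after it survives.
wipe_partition_table() {
    dd if=/dev/zero of="$IMG" bs=512 count=1 conv=notrunc 2>/dev/null
}

# wipe_full: the dd approach from the thread; bs is a power of two (1024),
# count derived from the image size so the whole image is overwritten.
wipe_full() {
    size=$(wc -c < "$IMG")
    dd if=/dev/zero of="$IMG" bs=1024 count=$(( size / 1024 )) conv=notrunc 2>/dev/null
}

# marker_present: exit 0 if the planted marker can still be found in the image.
marker_present() {
    grep -q "$MARKER" "$IMG"
}

# residual_bytes: number of non-zero bytes left; 0 means the wipe is complete.
residual_bytes() {
    echo $(( $(tr -d '\000' < "$IMG" | wc -c) ))
}

# demo: run both wipes in sequence and report what each left behind.
demo() {
    make_image 2
    wipe_partition_table
    printf 'after partition-table wipe: %s non-zero bytes, marker %s\n' \
        "$(residual_bytes)" "$(marker_present && echo found || echo gone)"
    wipe_full
    printf 'after full dd zero-fill:    %s non-zero bytes, marker %s\n' \
        "$(residual_bytes)" "$(marker_present && echo found || echo gone)"
    rm -f "$IMG"
}

demo
```

Run it as a plain sh script; it never touches a block device. On a real honeypot the same residual_bytes idea (read the device back and count non-zero bytes) is the cheap way to confirm the zero-fill actually covered the whole drive before the OS is installed on top of it.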

