Anti-forensic tools

[strandjs at gmail.com (John Strand)]

Ed?

Ed?

I think I hear him coming...

Wait for it........

On Jul 3, 2009, at 7:15 AM, Joshua Wright wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> I just wanted to point out that my post about copying lemonparty.jpg  
> is
> the only one that works natively on Windows, the target platform based
> on the use of "of=\\.\f:".  ;P
>
> Points for the person who figures out how to do this with a Windows  
> FOR
> loop.
>
> - -Josh
>
> Grymoire wrote:
> > > dd if=lemonparty.jpg of=\\.\f: bs=512
> >
> > first of all, there is no need to use if= and of= - that's provided  
> > as
> > a backwards compatability to JCL (HELLO! we're talking punched cards)
> > Use < and < instead.
> >
> > i.e.
> >
> > dd <lemonparty.jpg >\\.\f: bs=512
> >
> > And yes, when the end of file is reached, dd will halt.
> > It does not loop the data.
> > Perhaps you can
> >
> >              1) seek blocks before writing
> >
> >              2) Use a bigger file
> >
> > For number 1, I think you can do something like (untested)
> >
> > count=0
> > while [ $count -lt 500 ]
> > do
> > dd <lemonparty.jpg >\\.\f: seeek=$count bs=512
> > count=`expr $count + 1`
> > done
> >
> >
> > For #2, you can use any of these sources of data:
> >              yes | dd bs=512 count=500 >\\.\f:
> >              no | dd bs=512 count=500 >\\.\f:
> >              dd bs=512 count=500 </dev/zero  >\\.\f:         
> >              dd bs=512 count=500 </dev/urandom  >\\.\f:              
> >
> >
> > Usually people use the last one.
> >
> > And they repeat it if they want to make sure the data has been  
> > overwritten.
> >
> >
> > I suppose you could do
> > while true
> > do
> >              cat lemonparty.jpg
> > done | dd bs=512 count=500 >\\.\f:
> >
> >
> > Hope that helps
> > (new member here - first post)
> >
> > Grymoire
> >
> >
> >                              
> >
> >
> > _______________________________________________
> > Pauldotcom mailing list
> > Pauldotcom at mail.pauldotcom.com
> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> > Main Web Site: http://pauldotcom.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
>
> iEYEARECAAYFAkpNI4MACgkQapC4Te3oxYxl4ACfVa5Q1gwsXdVoyqsUkMS9WgeI
> Y8AAoIzcsWhK3C3tlS6hj60yN6+yW22j
> =Ss8C
> -----END PGP SIGNATURE-----
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090703/c73c5383/attachment.htm