RE: [linux_forensics] Forensic copy in northern Virginia

  • Pybus, David
    Message 1 of 12 , Mar 1, 2004
      Thanks to all for the responses to my email. I certainly wouldn't
      call myself a "newby" in terms of Linux, having been using it for
      nearly 10 years now. If I want to write myself an idiot-proof
      bootdisk from scratch I can certainly do that, and have in
      fact already investigated that possibility at some length. My
      question was simply whether or not something already existed
      that was going to save me going to the effort. Clearly it
      doesn't exist, so as and when I need one I will have to write
      my own. If I had wanted a list of basic components in Linux,
      such as ssh, DHCP and netcat, that could be used for forensic
      capture or anything else you might do with a Linux machine, then
      that would have been what I would have asked for.

      Kind regards,

      David Pybus

    • Kalil Daniel Contr AFRL/IFGB
      Message 2 of 12 , Mar 1, 2004
        'Does such an "appropriate bootdisk" exist?'.

        Let's not give up so quickly!

        Please provide more detailed information in the following areas:

        1. Tell us exactly what you mean by appropriate.
        2. List all of the things you would like your boot disk to accomplish
        3. List all of the things you would like your boot disk NOT to accomplish
        4. List any variables that you might incur when needing a boot disk.

        Please feel free to add to the list.

        Once you have provided all of this information, then maybe someone can tell
        you where to find the perfect boot disk.

        Thanks,

        Dan
      • Pybus, David
        Message 3 of 12 , Mar 1, 2004
          The sort of thing I had in mind was something like this:
          1) Boot to a text menu.
          2) The only user options would be:
          i) Configure an IP address, either manually or by DHCP.
          ii) Optionally set an IP address to accept connections
          from; this could be controlled with TCP wrappers, SSH,
          iptables or all three.
          3) From the perspective of the person booting the system, once
          it has booted they can't then do anything with it. The
          display probably gives some bland message and the IP conf.
          4) The examiner now connects with SSH from wherever to the system
          and runs whatever tools they want to use over SSH, where
          relevant tunnelling whatever data they want to capture back
          over the SSH tunnel.
          5) Authentication would probably be key based.
          6) Obviously the system should not try to do anything clever
          like automatically mount drives.
          Other than that, a kernel configured to have maximum practical
          compatibility with network cards and SCSI adapters would also
          increase usefulness.

          The end objective would be to allow a preliminary forensic analysis
          of a system's disks before deciding that the disks or the entire
          system needs to be shipped half way across Europe, but without
          destroying the possibility of doing an admissible forensic on it.
          Hence the requirement for the remote user to not be able to do
          anything other than boot the machine and put an IP address in, i.e.
          the disk isn't intended for Linux newbies; it's intended for use by
          anyone in a scenario where you don't want the evidence tampered
          with. The end user could be a highly skilled Linux user (too much
          knowledge is a dangerous thing) or a Windows admin; it doesn't
          matter, to them the OS is arbitrary.

          I think such a thing would be useful.

          Kind regards,

          David Pybus

          -----Original Message-----
          From: Kalil Daniel Contr AFRL/IFGB [mailto:daniel.kalil@...]
          Sent: 01 March 2004 14:05
          To: 'linux_forensics@yahoogroups.com'
          Subject: RE: [linux_forensics] Forensic copy in northern Virginia
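The lock-down that David's six points describe (key-only sshd restricted to one examiner address by wrappers and iptables, nothing auto-mounted) can be staged as plain config files before an image is built. This is an added example, not code from the thread or from any existing boot disk; the user name "examiner", the staging directory and the examiner address passed in are assumptions, and nothing here touches the running system.

```shell
# Added example: stage lock-down files for the proposed forensic boot image.
# All output goes under $STAGE (a scratch dir), never to the live system.
STAGE="${STAGE:-$(mktemp -d)}"

# sshd: key-based logins only, one permitted account, TCP forwarding kept on
# so captured data can be tunnelled back to the examiner over the session.
write_sshd_config() {
  mkdir -p "$STAGE/etc/ssh"
  cat > "$STAGE/etc/ssh/sshd_config" <<EOF
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
AllowUsers examiner
AllowTcpForwarding yes
X11Forwarding no
EOF
}
# TCP wrappers and netfilter both limit sshd to the examiner's address
# (the "all three" option from the thread). $1 = examiner IP.
write_access_rules() {
  examiner_ip="$1"
  printf 'sshd: %s\n' "$examiner_ip" > "$STAGE/etc/hosts.allow"
  printf 'ALL: ALL\n' > "$STAGE/etc/hosts.deny"
  cat > "$STAGE/etc/iptables.rules" <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $examiner_ip --dport 22 -m state --state NEW -j ACCEPT
COMMIT
EOF
}
# Point 6: no evidence disk is ever auto-mounted; fstab holds only pseudo-fs.
write_fstab() {
  printf 'proc /proc proc defaults 0 0\ntmpfs /tmp tmpfs defaults 0 0\n' \
    > "$STAGE/etc/fstab"
}
# Pre-burn check; returns non-zero if any of the staged files weakens the design.
check_lockdown() {
  grep -q '^PasswordAuthentication no$' "$STAGE/etc/ssh/sshd_config" || return 1
  grep -q '^PermitRootLogin no$' "$STAGE/etc/ssh/sshd_config" || return 1
  [ "$(grep -c '' "$STAGE/etc/hosts.allow")" -eq 1 ] || return 1
  grep -q '^:INPUT DROP' "$STAGE/etc/iptables.rules" || return 1
  ! grep -q '^/dev/' "$STAGE/etc/fstab"
}
```

On the real image the rules file would be loaded with iptables-restore at boot, before sshd starts; the check is meant to run against the staged tree each time the image is rebuilt.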