[Pauldotcom] foremost and data forensics
monkeywebdaemon at googlemail.com
Tue Jan 19 09:04:52 UTC 2010
So can I image the partition in "realtime" or do I need to take the
server off-line and boot from a live cd?
2010/1/18 Tim Krabec <tkrabec at gmail.com>:
> I would recommend that you image the drive, then you can try multiple things
> with out risk of damaging the original content. As we're all aware sometime
> the how-tos and directions can need a bit of tweaking, there's nothing like
> being able to get a second chance or third or fourth when learning.
> On Mon, Jan 18, 2010 at 2:57 PM, Monkey Daemon
> <monkeywebdaemon at googlemail.com> wrote:
>> Hi all,
>> I've been asked to search a computer for files that have been deleted
>> As far as I am aware the disks have not been wiped (the directory
>> structure appears to be intact) and there is no need for this to pbe
>> presented in a court of law.
>> I've looked at foremost and it appears to only apply to a given partition.
>> As I am only interested in a particular directory and the disk partion
>> that the directory resides on is an ext3 LVM volume, are there any
>> risks in using foremost to recover this data?
>> Kind regards,
>> Pauldotcom mailing list
>> Pauldotcom at mail.pauldotcom.com
>> Main Web Site: http://pauldotcom.com
> Tim Krabec
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> Main Web Site: http://pauldotcom.com
More information about the Pauldotcom