On Sun, 6 Jan 2002 04:08, Jason Lim wrote:
> From my experience, police like data untampered and in exactly the same
> form and such when the intrusion occurred. That means the exact same
> disks, not a tape backup or something. Sometimes backups can miss stuff,
> or as mentioned previously, the backup software itself could have been
> rooted. Actually, it would be best to make a duplicate of the disk, USE
> THE DUPLICATE, and give the police the original. If possible, just yank
> the power out of the box... the reason being that if you use 'reboot' or
> 'shutdown' or others, they usually run through the shutdown scripts, and
> within the shutdown scripts the kiddies could've planted something there
> as well. You never know. By yanking the power, no software can
> write/modify the disks, and they are "preserved", more or less.
Good point. Also that means not running fsck! Sometimes there's interesting data in files that were deleted but open at the time; fsck will usually remove that data, while debugfs can get it.

-- 
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/projects.html Projects I am working on
http://www.coker.com.au/~russell/ My home page
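The workflow both messages describe (duplicate the disk, work only on the duplicate, never fsck it, read deleted-inode data with debugfs from the image), as an added example that is not from either poster. The "disk" here is a constructed file standing in for the real device, and the SHA-256 chain-of-custody hash and the read-only chmod are my additions, not something the thread prescribes.

```bash
#!/bin/bash
# Added example: acquire a working copy of a disk, prove it matches the
# original, then do all analysis (including debugfs) on the copy only.
set -u

# image_disk SRC DST: raw byte-for-byte copy. conv=noerror,sync keeps
# reading past bad sectors (zero-padding them) instead of aborting.
image_disk() {
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null || return 1
}

# hash_file FILE: SHA-256 of the raw bytes, recorded at acquisition time.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_copy ORIG COPY: succeeds only when both hash identically.
verify_copy() {
    [ "$(hash_file "$1")" = "$(hash_file "$2")" ]
}

# list_deleted IMAGE: ext2/3/4 deleted-inode listing via debugfs (e2fsprogs).
# debugfs opens the image read-only by default, so nothing is written,
# unlike fsck which would reclaim those inodes.
list_deleted() {
    if command -v debugfs >/dev/null 2>&1; then
        debugfs -R lsdel "$1" 2>/dev/null
    else
        echo "debugfs not installed (package e2fsprogs)"; return 2
    fi
}

# demo: constructed 1 MiB "disk" (placeholder for /dev/sdX on a real box).
demo() {
    work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
    dd if=/dev/urandom of="$work/original.dd" bs=4096 count=256 2>/dev/null
    image_disk "$work/original.dd" "$work/working_copy.dd" || return 1
    chmod 0444 "$work/original.dd"   # original is now hands-off evidence
    verify_copy "$work/original.dd" "$work/working_copy.dd" || return 1
    echo "acquisition sha256: $(hash_file "$work/original.dd")"
    list_deleted "$work/working_copy.dd" || true
}

demo
```

On a real machine the source would be the device node (run as root) and the image written to separate, trusted media; the random-filled demo image has no filesystem, so lsdel prints nothing there.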