Re: RFC: VMWare talk for MerriLUG Nov meeting
On 10/22/06, Tom Buskey [EMAIL PROTECTED] wrote:
> Or, you have several low CPU usage systems that are on their own systems: license server, DNS/NIS, AD, DHCP, LDAP? Instead of 4 systems using 10% cpu, you have 1 using 50% cpu.

<ObLinuxPlug>
This is a lot more advantageous in the Windows world, where it's a best practice not to run more than one service on a machine, since the lack of any kind of real package management on 'doze means installing two different products on the same computer puts you into a kind of SCM limbo.
</ObLinuxPlug>

-- 
Ben, who works with 'doze at the day job

___
gnhlug-discuss mailing list
gnhlug-discuss@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
Re: [GNHLUG] CentraLUG, November 6th: Andy Bair and Digital Forensic File Carving Techniques
On Oct 23, 2006, at 9:41 AM, Ed Lawson wrote:
> What is file carving? Slicing out files of interest?

Exactly right! In many investigations a computer forensics person might get a portion of a hard drive where some information (partition tables, allocation tables) has been overwritten or destroyed, and needs to attempt to extract files from what remains. Andy was on a forensic team that took such a challenge as part of a contest with the Digital Forensic Research Workshop (http://www.dfrws.org) and then enhanced existing tools and developed some new techniques to make data carving easier.

Ted Roche
Ted Roche Associates, LLC
http://www.tedroche.com
[GNHLUG] CentraLUG, November 6th: Andy Bair and Digital Forensic File Carving Techniques
The monthly meeting of CentraLUG, the Concord/Central NH GNHLUG chapter, happens the first Monday of (most) months on the New Hampshire Institute Campus starting at 7 PM. Directions and maps are available on the NHTI site at http://www.nhti.edu/welcome/directions.htm. This month, we'll be meeting in the Library/Learning Center/Bookstore, room 146, marked as "I" on that map. The main meeting starts at 7 PM, and we finish by 9 PM. Open to the public. Tell your friends.

For November's meeting, Andy Bair will present "Digital Forensic File Carving Techniques". Data carving techniques are used during digital forensic investigations, and existing file carving tools typically produce many false positives. This briefing describes new tools and techniques used by the winning team of the 2006 File Carving Challenge held at the 6th Annual Digital Forensic Research Workshop (DFRWS). The current briefing is also located here: [1]

In December, Tim Link of Computerborough [2] will present TrixBox [3], the Linux distro for running the Asterisk PBX software [4], formerly known as Asterisk @ Home.

January's meeting falls on the first, so we'll likely skip the month's meeting. However, stay tuned for some exciting meetings coming up in 2007!

More details on the group and directions to the meeting at http://www.gnhlug.org.

[1] http://www.korelogic.com/Resources/Projects/dfrws_challenge_2006/DFRWS_2006_File_Carving_Challenge.pdf
[2] http://www.computerborough.com
[3] http://www.trixbox.org
[4] http://www.asterisk.org

Ted Roche
Ted Roche Associates, LLC
http://www.tedroche.com

___
gnhlug-announce mailing list
gnhlug-announce@mail.gnhlug.org
http://mail.gnhlug.org/mailman/listinfo/gnhlug-announce/
Re: [GNHLUG] CentraLUG, November 6th: Andy Bair and Digital Forensic File Carving Techniques
On Mon, 23 Oct 2006 09:13:44 -0400
Ted Roche [EMAIL PROTECTED] wrote:

> For November's meeting, Andy Bair will present "Digital Forensic File Carving Techniques". Data carving techniques are used during digital forensic investigations and existing file carving tools typically produce many false positives.

What is file carving? Slicing out files of interest?

Ed Lawson

-- 
Edward E. Lawson, Esq.
Lawson Persson, PC
67 Water Street, Suite 103
Laconia, NH 03246
Tel: 603-528-0036
FAX: 603-528-3332

NOTICE REGARDING CONFIDENTIALITY AND ATTORNEY/CLIENT PRIVILEGE
This message, including any attachments, is a PRIVATE communication which may contain attorney/client privileged material and is for the exclusive use of the intended recipient. If you are not the intended recipient, please do not read, copy, use, or disclose to others. If you have received this message in error, please reply to sender and delete this message from your system. Thank you.
Re: [GNHLUG] CentraLUG, November 6th: Andy Bair and Digital Forensic File Carving Techniques
On 10/23/06, Ted Roche [EMAIL PROTECTED] wrote:
> On Oct 23, 2006, at 9:41 AM, Ed Lawson wrote:
>> What is file carving? Slicing out files of interest?
>
> Exactly right! In many investigations a computer forensics person might get a portion of a hard drive where some information (partition tables, allocation tables) has been overwritten or destroyed, and needs to attempt to extract files from what remains.

I saw Andy's presentation in Nashua, and I was impressed. His team had great success at the task, more than I would have thought possible. They used a variety of techniques, some of them fairly esoteric, but he still did a good job of making it understandable to someone with only a generalist background. If you're a gear-head like me, you'll definitely find the presentation interesting.

-- Ben
Re: The final solution
Paul Lussier [EMAIL PROTECTED] writes:
>> And it should use XML. Any new standard these days has to use XML. I'm pretty sure it's in the US Constitution at this point.
>
> Ahhh! But is the Constitution in XML?

No, but it wasn't Y2K compliant, either.

> Seeya,
> Paul

-derek

-- 
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/    PP-ASEL-IA    N1NWH
[EMAIL PROTECTED]                   PGP key available
Re: question: text substitution using Perl
Dear Kevin,

Thanks a lot for your help. I have 3 derived questions from your script.

Question 1:
For the back references, you used ${1} for the 1st captured buffer, while some books/people simply use $1. I'm wondering if you use {} as an extra caution to make sure it refers to the 1st captured buffer in case there are some digits following.

Question 2:
line 1  perl -i.bak \
line 2    -pe 's/ \$(\d+)\. / \$ebcdic${1}. /g;
line 3        s/ (\d+)\. / s370ff${1}. /g;' \
line 4    your-directory-somewhere/*readme*

On the end of lines 1 and 3, you have a back slash. Is it for separating the input into separate lines for better readability? If so, why is there no back slash on the end of line 2?

Question 3:
You used a period "." after ${1}; wouldn't it be safe to use "\." as the original string only ends with a period and we don't want to change it? I think "." can match any single character except a newline.

Thank you for your time.

Zhao

Kevin D. Clark wrote:
> Zhao Peng writes:
>
>> substitution 1
>> The characteristic of original string:
>> 1, always start with $
>> 2, then followed by an integer, could be more than 1 digit, such as 23
>> 3, always end with a period .
>> 4, there is always a blank before and after original string
>> For example: $2.
>>
>> The characteristic of target string: always has "ebcdic" inserted into the original string between $ and the integer
>> For example: $ebcdic2.
>>
>> So the substitution will look like this
>> $2. -> $ebcdic2.
>> $67. -> $ebcdic67.
>>
>> Should the regular expression for original string be: \$\d+\. ?
>
> Looks pretty much right to me. I would make this replacement like this:
>
> s/ \$(\d+)\. / \$ebcdic${1}. /g;
>
> The ${1} in there is something called a "backreference". The 'g' at the end of the line generally specifies "do this as many times as possible on each line".
>
>> substitution 2
>> The characteristic of original string:
>> 1, always start with an integer, could be more than 1 digit, such as 23
>> 2, then end with a period .
>> 3, there is always a blank before and after original string
>> For example: 2.
>>
>> The characteristic of target string: always has "s370ff" added to the beginning of original string
>> For example: s370ff2.
>>
>> So the substitution will look like this
>> 2. -> s370ff2.
>> 14. -> s370ff14.
>>
>> Should the regular expression for original string be: \d+\. ?
>
> I would make this replacement like this:
>
> s/ (\d+)\. / s370ff${1}. /g;
>
>> My real situation is that I have a bunch of files at one directory, of which for the files whose name contains "readme", I need to do the 2 substitutions described above.
>
> One way to quickly do this might be like this:
>
> perl -i.bak \
>   -pe 's/ \$(\d+)\. / \$ebcdic${1}. /g; s/ (\d+)\. / s370ff${1}. /g;' \
>   your-directory-somewhere/*readme*
>
> This in itself makes a backup for you, but you might want to make your own backup files beforehand.
>
> Just another Perl hacker,
>
> --kevin
Re: question: text substitution using Perl
Zhao Peng writes:

> Thanks a lot for your help. I have 3 derived questions from your script.

No problem, glad to help.

> Question 1:
> For the back references, you used ${1} for the 1st captured buffer, while some books/people simply use $1. I'm wondering if you use {} as an extra caution to make sure it refers to the 1st captured buffer in case there are some digits following.

No, I wrote it this way just to make the code clear -- there wasn't a technical reason for this.

> Question 2:
> line 1  perl -i.bak \
> line 2    -pe 's/ \$(\d+)\. / \$ebcdic${1}. /g;
> line 3        s/ (\d+)\. / s370ff${1}. /g;' \
> line 4    your-directory-somewhere/*readme*
>
> On the end of lines 1 and 3, you have a back slash. Is it for separating the input into separate lines for better readability? If so, why is there no back slash on the end of line 2?

There is no backslash on line 2 because the shell knows that it is reading a literal string and that the end of the string is marked by the trailing single-quote (') character.

Just to be absolutely clear, this has nothing to do with Perl. This notation has everything to do with the shell. If you're using Linux, your shell might be something like bash or csh or zsh.

To see what is going on here you might try typing

echo "hello there"
echo hello \
there
echo 'hello\nthere'
echo "hello\nthere"
echo $PATH
echo "$PATH"
echo '$PATH'

...into your shell (especially the first two examples).

> Question 3:
> You used a period "." after ${1}; wouldn't it be safe to use "\." as the original string only ends with a period and we don't want to change it? I think "." can match any single character except a newline.

No...it wouldn't be safer to use "\." instead of "." in the replacement part of the expression because the notation of "." only has the semantics of (generally) "match any character except newline" in the *match* part of the expression, *not* in the replacement part of the expression.

Perhaps this example helps illustrate this?

echo 2a | perl -pe 's/\d./hello./'

That last "." is interpreted fairly literally in this context.

Regards,

--kevin
-- 
GnuPG ID: B280F24E
alumni.unh.edu!kdc
"Never could stand that dog." -- Tom Waits
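The two substitutions Kevin and Zhao work through above, as an added example that is not from the thread: the same rules written for sed -E (a stand-in for the perl one-liner, so they run on any POSIX system), plus the one case the g flag misses when two tokens sit next to each other. The sample line is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. The two rules from Kevin's
# one-liner, written for sed -E instead of perl: \1 is sed's spelling of
# Perl's ${1}, and the '.' on the replacement side is literal in both.
# Constructed sample line in the shape Zhao describes:
SAMPLE='use $2. or $67. and 14. but not $ebcdic2. nor 3.5 or x5. here'

# Same behaviour as the posted one-liner: each pattern consumes the blank on
# both sides of the token, so with the g flag two adjacent tokens ("$2. $3.")
# share one blank and only the first of them is rewritten.
carve_g() {
  sed -E 's/ \$([0-9]+)\. / $ebcdic\1. /g; s/ ([0-9]+)\. / s370ff\1. /g'
}

# Same rules, but each substitution is retried from the start of the line
# until nothing changes (the :a ... ta loop), so adjacent tokens are all
# rewritten. Neither replacement re-matches its own pattern, so it halts.
carve_all() {
  sed -E -e ':a' -e 's/ \$([0-9]+)\. / $ebcdic\1. /' -e 'ta' \
         -e ':b' -e 's/ ([0-9]+)\. / s370ff\1. /' -e 'tb'
}

# Wrappers that take one line as an argument, so results can be checked.
rewrite_g()   { printf '%s\n' "$1" | carve_g; }
rewrite_all() { printf '%s\n' "$1" | carve_all; }

rewrite_g   "$SAMPLE"
rewrite_g   'x $2. $3. y'      # only $2. is rewritten
rewrite_all 'x $2. $3. y'      # both are rewritten
```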
Re: question: text substitution using Perl
Mike and Kevin,

Thank you both for the quick, detailed, and crystal clear clarification and explanation.

Just one more question:

"To the shell, anything inside of single quotes is a single argument, so all of the spaces, newlines, etc. in there are passed without shell interpretation" (quoted from Mike's answer to my 2nd question).

Can this claim also be extended for double quotes?

Thanks,
Zhao

mike ledoux wrote:
> The backslash on line 3 is interpreted by the shell as a line continuation, so yes, it is just for increased readability by letting you break a long command line over multiple lines. It is not needed at the end of line 2 because the end of line 2 is inside of single quotes. To the shell, anything inside of single quotes is a single argument, so all of the spaces, newlines, etc. in there are passed without shell interpretation.
Re: question: text substitution using Perl
Zhao Peng writes:

> Just one more question:
>
> "To the shell, anything inside of single quotes is a single argument, so all of the spaces, newlines, etc. in there are passed without shell interpretation" (quoted from Mike's answer to my 2nd question).
>
> Can this claim also be extended for double quotes?

Yes, but you need to understand that single quotes have different semantics than double quotes. These are all different:

"$FOO"
$FOO
'$FOO'

In double quotes variable interpolation is performed.

You would do well to understand all of these scenarios: (look at how FOO is quoted at the end of each line)

$ FOO="zero one two three four"

###

$ perl -le '$i=0; print "\n\nNumber of command line arguments: ", scalar(@ARGV); map { print "argv[$i] = :", $ARGV[$i++], ":"; } @ARGV' FOO

Number of command line arguments: 1
argv[0] = :FOO:

$ perl -le '$i=0; print "\n\nNumber of command line arguments: ", scalar(@ARGV); map { print "argv[$i] = :", $ARGV[$i++], ":"; } @ARGV' '$FOO'

Number of command line arguments: 1
argv[0] = :$FOO:

###

$ perl -le '$i=0; print "\n\nNumber of command line arguments: ", scalar(@ARGV); map { print "argv[$i] = :", $ARGV[$i++], ":"; } @ARGV' $FOO

Number of command line arguments: 5
argv[0] = :zero:
argv[1] = :one:
argv[2] = :two:
argv[3] = :three:
argv[4] = :four:

###

$ perl -le '$i=0; print "\n\nNumber of command line arguments: ", scalar(@ARGV); map { print "argv[$i] = :", $ARGV[$i++], ":"; } @ARGV' "$FOO"

Number of command line arguments: 1
argv[0] = :zero one two three four:

###

There's another kind of quote too: backquotes, `like these`. These are different than either single or double quotes too.

Perhaps the best place you could learn all of the rules here is the bash man page.

Regards,

--kevin
-- 
GnuPG ID: B280F24E
alumni.unh.edu!kdc
"Never could stand that dog." -- Tom Waits
Re: question: text substitution using Perl
On Monday, Oct 23rd 2006 at 14:55 -0400, quoth Zhao Peng:

=Mike and Kevin,
=
=Thank you both for the quick, detailed, and crystal clear clarification and
=explanation.
=
=Just one more question:
=
="To the shell, anything inside of single quotes is a single argument, so all
=of the spaces, newlines, etc. in there are passed without shell
=interpretation" (quoted from Mike's answer to my 2nd question).
=
=Can this claim also be extended for double quotes?
=
=Thanks,
=Zhao
=
=mike ledoux wrote:
=
= The backslash on line 3 is interpreted by the shell as a line
= continuation, so yes, it is just for increased readability by
= letting you break a long command line over multiple lines. It is
= not needed at the end of line 2 because the end of line 2 is inside
= of single quotes. To the shell, anything inside of single quotes is
= a single argument, so all of the spaces, newlines, etc. in there are
= passed without shell interpretation.

The difference between single quotes and double quotes is strictly whether variable interpolation occurs.

foo=hello
echo foo
echo $foo
echo '$foo'
echo "$foo is a 5 letter word"

Just for fun, this is a good example to help understand.

echo $PATH
ssh goofy echo $PATH
ssh goofy 'echo $PATH'

The first will tell you your path. The second will tell goofy to tell you your path, and the third will tell goofy to tell you your path on goofy, because what will be seen by goofy will be $PATH instead of the expansion of $PATH.

-- 
A: Maybe because some people are too annoyed by top-posting.
Q: Why do I not get an answer to my question(s)?
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
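Kevin's four invocations and the ssh example above, as an added shell example that is not from the thread (it also covers Mike's point about the backslash and the quoted newline on line 2). count_args, the FOO value, and the `sh -c` stand-in for goofy are constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread. The three quotings of $FOO that
# Kevin compares, plus Steve's ssh example, with a shell function counting
# arguments in place of Kevin's perl one-liner. Constructed values throughout.
FOO='zero one two three four'

# Just the argument count, so each case can be checked.
count_args() { echo "$#"; }

unquoted_count() { count_args $FOO; }     # word splitting: 5 arguments
double_count()   { count_args "$FOO"; }   # interpolated, still 1 argument
single_count()   { count_args '$FOO'; }   # no interpolation, 1 argument
single_value()   { printf '%s' '$FOO'; }  # ...and it is the literal text $FOO

# Mike's point about line 2 of the one-liner: a newline inside quotes is
# part of the argument, while backslash-newline outside quotes is a
# continuation and the words are split as usual.
quoted_newline() { count_args 'hello
there'; }                                 # 1 argument
continued_line() { count_args hello \
  there; }                                # 2 arguments

# Steve's "ssh goofy" example, with `sh -c` standing in for the remote shell
# and env giving goofy its own FOO. Double quotes: the local shell expands
# $FOO before the command is sent, so the remote shell re-parses local data.
# Single quotes: the remote shell sees the text $FOO and expands it itself.
remote_double() { env FOO='on goofy' sh -c "echo $FOO"; }
remote_single() { env FOO='on goofy' sh -c 'echo $FOO'; }

printf 'unquoted: %s  double: %s  single: %s (%s)\n' \
  "$(unquoted_count)" "$(double_count)" "$(single_count)" "$(single_value)"
printf 'remote, double quotes: %s\n' "$(remote_double)"
printf 'remote, single quotes: %s\n' "$(remote_single)"
```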