Sunday, November 30, 2008

Forensics: Filesystem Mount

To see the list of devices detected by Linux, type
ls /dev

Hard disks usually appear as sda, hda, etc., and their partitions are numbered sda1, sda2, and so on.

To mount these partitions, first make a path (mount point) where these partitions are to be accessed.
Eg mkdir /mnt/mywindrive or sudo mkdir /mnt/mywindrive

Then, associate the device with the mount location. The -o ro option mounts the partition read-only so the evidence is not altered by the examination, and -t auto lets the kernel detect the filesystem type.
sudo mount -o ro -t auto /dev/sda1 /mnt/mywindrive
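As an added example (not from the DVD Toolkit the post cites), the script below wraps the mkdir/mount steps in a function and then confirms from /proc/mounts that the kernel actually applied "ro" before the partition is touched. The device path, the mount point, and the extra noexec,nodev options are assumptions; the /proc/mounts lines used to exercise the check are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: mount an evidence partition read-only and verify the
# mount really is read-only. Device and mount point are placeholders.

# is_mounted_ro MOUNTPOINT < /proc/mounts
# Reads /proc/mounts-formatted lines (device mountpoint fstype options ...)
# on stdin; exits 0 only if MOUNTPOINT is present and its options contain "ro".
is_mounted_ro() {
    awk -v mp="$1" '
        $2 == mp {
            seen = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") ro = 1
        }
        END { if (seen && ro) exit 0; exit 1 }'
}

# mount_evidence DEVICE MOUNTPOINT
# Creates the mount point and mounts read-only as in the post; noexec,nodev
# are an added precaution (assumption), then the mount is verified.
mount_evidence() {
    dev="$1"; mp="$2"
    sudo mkdir -p "$mp"
    sudo mount -o ro,noexec,nodev -t auto "$dev" "$mp" || return 1
    is_mounted_ro "$mp" < /proc/mounts
}

# Constructed sample of /proc/mounts output (not from a real system).
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda1 /mnt/mywindrive ntfs ro,relatime,uid=0,gid=0 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

# Exercise the check against the constructed sample:
#   /mnt/mywindrive is mounted ro -> exit 0, /tmp is rw -> exit 1
if printf '%s\n' "$SAMPLE_MOUNTS" | is_mounted_ro /mnt/mywindrive; then
    echo "/mnt/mywindrive: read-only, safe to examine"
fi
if ! printf '%s\n' "$SAMPLE_MOUNTS" | is_mounted_ro /tmp; then
    echo "/tmp: NOT read-only"
fi
# Real use (needs root and an actual device):
#   mount_evidence /dev/sda1 /mnt/mywindrive
```

Checking /proc/mounts rather than trusting the mount command's exit status catches the case where a filesystem driver silently ignores or downgrades an option.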

*Taken from Unix and Linux Forensic Analysis DVD Toolkit 

Saturday, November 29, 2008

DD to image a drive

Challenge Procedure Step-by-Step
The following steps show you how to use dd and MD5 to create, restore, and verify forensically sound disk images:

First, we start by creating an MD5 checksum of a disk. To do this, first log in as root, and open a command prompt. Create the MD5 checksum for the disk to be duplicated using the following:

md5sum /dev/fd0 > /tmp/original-md5
This command creates the MD5 checksum of the device, /dev/fd0, and outputs the result to a file named /tmp/original-md5.

View the checksum with cat /tmp/original-md5.

Now, create an image file of the disk.

Use dd to create a binary copy of the disk:
*Remember to unmount the disk before using dd, so nothing can write to it while it is being imaged (a mounted filesystem can change underneath dd and the checksums will no longer match).
In OS X, use diskutil unmountDisk /dev/disk1

dd if=/dev/fd0 of=/tmp/disk.img bs=1k
The if=/dev/fd0 parameter directs dd to use the device /dev/fd0 as the input file. The of=/tmp/disk.img parameter tells dd to output the data to a file named /tmp/disk.img. The bs=1k tells dd to use a block size of 1024 bytes (1 KB).

Next, we'll use MD5 to verify the accuracy of the image file. First, create the MD5 checksum for the image file with the following:

md5sum /tmp/disk.img > /tmp/image-md5
Compare the checksums of the original disk and the image file using the following:

cat /tmp/*md5
The cat command displays the contents of files that end with md5. Note that the checksums are identical.

Next, you'll restore the image file to a blank disk.

Use dd to copy the image file to the disk:

dd if=/tmp/disk.img of=/dev/fd0 bs=1k
This command reverses the flow of the data: the earlier dd command read the device and wrote the image file, whereas this one reads the image file and writes the device.

Create the checksum for the duplicate disk:

md5sum /dev/fd0 > /tmp/duplicate-md5
Now, use cat to verify the accuracy of the duplicate disk by comparing the checksums of all three versions:

cat /tmp/*md5
Test MD5 against an altered image file. Do this by first adding a single byte of data to the image file:

echo x >> /tmp/disk.img
Then, create a new checksum for the image file:

md5sum /tmp/disk.img > /tmp/corrupt-md5
Finally, compare the checksums for each step of this exercise:

cat /tmp/*md5
Note how a difference of only 1 byte causes the MD5 checksum to change drastically. This demonstrates the value of computing and checking the MD5 checksums of files, for example when downloading them from the Internet.
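The whole image/verify/restore/corrupt cycle above, as an added example that is not part of the InformIT article: it runs against a constructed 64 KiB file standing in for /dev/fd0, so it needs neither a floppy drive nor root, and it keeps every digest in a named variable so they can be compared rather than eyeballed. The work directory, the fake device contents and the helper names are all assumptions. It also computes SHA-256 alongside MD5, because MD5 still catches accidental corruption but is no longer collision-resistant, so a modern acquisition records a second hash.

```shell
#!/bin/sh
# Added example: dd + checksum acquisition cycle against a constructed disk.
set -u

WORK="${TMPDIR:-/tmp}/dd-demo.$$"          # assumption: scratch directory
mkdir -p "$WORK"

# Constructed "disk": exactly 64 KiB of deterministic bytes standing in for /dev/fd0.
FAKE_DISK="$WORK/fd0"
yes 'forensic-demo-sector' | head -c 65536 > "$FAKE_DISK"

# image_disk SOURCE DEST: raw binary copy with dd, 1 KB blocks as in the article.
image_disk() {
    dd if="$1" of="$2" bs=1k 2>/dev/null
}

# md5_of / sha256_of PATH: print only the digest so values can be compared.
md5_of()    { md5sum "$1"    | awk '{ print $1 }'; }
sha256_of() { sha256sum "$1" | awk '{ print $1 }'; }

# verify_image SOURCE IMAGE: exit 0 only when both MD5 and SHA-256 match.
verify_image() {
    [ "$(md5_of "$1")" = "$(md5_of "$2")" ] &&
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# 1. Hash the original "device".
ORIGINAL_MD5=$(md5_of "$FAKE_DISK")

# 2. Image it and hash the image; digests must be identical.
IMAGE="$WORK/disk.img"
image_disk "$FAKE_DISK" "$IMAGE"
IMAGE_MD5=$(md5_of "$IMAGE")

# 3. Restore the image onto a second "blank disk" and hash that too.
DUPLICATE="$WORK/fd0-duplicate"
image_disk "$IMAGE" "$DUPLICATE"
DUPLICATE_MD5=$(md5_of "$DUPLICATE")

# 4. Append exactly one byte to a copy of the image: the digest changes completely.
#    (printf is used instead of "echo x >>" so that only one byte is added.)
CORRUPT="$WORK/disk-corrupt.img"
cp "$IMAGE" "$CORRUPT"
printf x >> "$CORRUPT"
CORRUPT_MD5=$(md5_of "$CORRUPT")

printf 'original  %s\nimage     %s\nduplicate %s\ncorrupt   %s\n' \
    "$ORIGINAL_MD5" "$IMAGE_MD5" "$DUPLICATE_MD5" "$CORRUPT_MD5"
if verify_image "$FAKE_DISK" "$DUPLICATE"; then
    echo "duplicate verified against original"
fi
if ! verify_image "$IMAGE" "$CORRUPT"; then
    echo "corrupt image detected"
fi
# Files are left under $WORK for inspection; remove with: rm -rf "$WORK"
```

On a real acquisition the only changes are the paths (if=/dev/fd0, or the unmounted disk of interest) and running as root; the comparison logic is the same, and storing the digests as plain values makes it easy to record them in the case notes.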

*Taken from http://www.informit.com/articles/article.aspx?p=27203&seqNum=3

Saturday, November 22, 2008

Computer Privacy Annoyances (Dan Tynan)

Essential Privacy Practices
1) Be stingy with data. Give out only essential data.
2) Check your credit report to ensure that no one is using your personal information to apply for credit cards
3) Minimum information on cheques. Writing your home address, phone numbers or driver's license number on cheques exposes too much private information to the cheque recipient
4) Rent a private mailbox to protect your home address and keep confidential letters safe from mail looters
5) Delist from phonebooks and online directories/yellow pages
6) Opt out early and often
7) Avoid surveys. You may have a one-in-a-million shot at winning, but you've definitely lost your privacy
8) Don't expect others to defend your rights for you

Cell phone Candid Camera
Covert cameras are banned in locker rooms, bedrooms and other places where the subject has a "reasonable expectation of privacy". However, if someone captures you during a wardrobe malfunction at the Super Bowl, you're out of luck.

Moblog Rules
If a picture of you appears on blogs (and you don't want it there), you can contact the service provider to have the picture removed. If the picture appears on a private server, you can contact the ISP to lodge the complaint.
*You might need to surrender some private information such as your identity and why you feel the picture invades your privacy. 

Remain anonymous online
Check out www.bugmenot.com to find logins for various websites that require registration to access.

Peer to peer sharing
Since it is hard for you to identify the person whom you're exchanging files with in a P2P system, be aware that the RIAA might just plant a few seeders and log the transaction between your machine and theirs. From there, they can request the ISP to reveal the identity of the people who were involved in the download/file exchange.

It is not compulsory for employers to inform employees that they are being monitored. The employer also has the right to search the bags of employees who are accused of theft.

*Taken from Computer Privacy Annoyances (Dan Tynan)