Live linux folder capture

(@angryit)
Posts: 3
New Member
Topic starter
 

Hi All,

I am interested in what everyone else uses to capture directories in a linux environment.

I have an Ubuntu fileserver that I will need to capture a number of folders from. I can't image the whole disk as there is too much sensitive/restricted information in other places. It needs to be done live as it can't be turned off. I will be supervised by 3 different representatives.

I need to obtain a hash also.

As yet all I know is that I will have root access and access to a command terminal.

All I have at the moment is a manual copy and hash, and export the session history.

Regards

Angry

 
Posted : 17/10/2012 12:35 pm
harryparsonage
(@harryparsonage)
Posts: 184
Estimable Member
 

I have never used it but there is a free command line version of FTK Imager for Linux that may do what you want.

H

 
Posted : 17/10/2012 1:19 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

If I understand you, you will be watched very carefully while making the copy.

I suggest that you just use native Linux and copy the files to a clean external drive. Everyone watching you will know what is being done and be certain that you have not copied anything else. If you use a third party tool, not everyone will know what you are doing, or what the tool does.

You then want to hash the files on your external drive. Hashing at this point will not detect any corruption while copying, but will give reference values to detect any changes after this point in time.

 
Posted : 17/10/2012 1:37 pm
(@angryit)
Posts: 3
New Member
Topic starter
 

harryparsonage

Thanks Harry. I had a look at the FTKImager command line and it appears to have the same limitations as DD and will only image block devices.

mscotgrove,

That is my best solution at the moment also.

 
Posted : 17/10/2012 2:05 pm
manuld
(@manuld)
Posts: 15
Active Member
 

I have not tried this, but it may be worth a look:

http://ubuntuforums.org/showthread.php?t=1245582

 
Posted : 17/10/2012 2:34 pm
binarybod
(@binarybod)
Posts: 272
Reputable Member
 

If you know what you are looking for then find is a useful tool, especially when used with the -exec cp {} option.

Paul

 
Posted : 17/10/2012 7:14 pm
(@sgware)
Posts: 42
Eminent Member
 

You could image the drive and hash the image using dd. Then copy the image, verify it, and use the FTK Imager on a Windows system to open the image and export/hash the directories/files you are looking for. All with the supervision of "the three".

Afterwards, you could use dd or WinHex to wipe the image to ensure the sensitive information is not persistent.

Scott

 
Posted : 18/10/2012 1:20 am
(@mscotgrove)
Posts: 938
Prominent Member
 

> You could image the drive and hash the image using dd. Then copy the image, verify it, and use the FTK Imager on a Windows system to open the image and export/hash the directories/files you are looking for. All with the supervision of "the three".
>
> Afterwards, you could use dd or WinHex to wipe the image to ensure the sensitive information is not persistent.
>
> Scott

If I was watching I would not allow this.

You are taking an image of everything.

The watchers then need to know that the unrequired data has been deleted in a way that cannot be recovered.

If I was a watcher I would not want anything restricted read from my hard drive, let alone copied and stored elsewhere (even for a short period of time).

 
Posted : 18/10/2012 2:52 am
(@sgware)
Posts: 42
Eminent Member
 

> > You could image the drive and hash the image using dd. Then copy the image, verify it, and use the FTK Imager on a Windows system to open the image and export/hash the directories/files you are looking for. All with the supervision of "the three".
> >
> > Afterwards, you could use dd or WinHex to wipe the image to ensure the sensitive information is not persistent.
> >
> > Scott
>
> If I was watching I would not allow this.
>
> You are taking an image of everything.
>
> The watchers then need to know that the unrequired data has been deleted in a way that cannot be recovered.
>
> If I was a watcher I would not want anything restricted read from my hard drive, let alone copied and stored elsewhere (even for a short period of time).

If the watchers are watching him use WinHex to wipe the image, byte by byte, the concern becomes minimal. They are, after all, watching everything. Which, to me, is a little strange, but who am I?

 
Posted : 18/10/2012 3:12 am
(@buster)
Posts: 28
Eminent Member
 

With a heavy caveat that you do your own testing and use at your own risk, you could achieve this with a very simple Python script:

import shutil

# Python 3: input() replaces the Python 2 raw_input() used originally
srcfile = input("Set source path...\n")
dstfile = input("Set destination path...\n")

# copytree creates dstfile itself and raises FileExistsError if it already
# exists. Each file is copied with copy2(), so copystat() preserves the
# timestamps and permission bits. Note that symbolic links are followed by
# default (symlinks=False), so the linked content is copied rather than the link.
shutil.copytree(srcfile, dstfile)

shutil.copytree preserves most if not all metadata (utilising copystat() I believe). You could hash the folder contents using md5deep or similar prior to running the script, then again on the created destination folder to check that they match.

It is important that the destination directory is not created prior to running the script, as it is created on the fly when the script is run. Otherwise the script will error out.

I've done a little testing on both Ubuntu (12.04 LTS Desktop) and Win 7 and obtained matching hashes on both systems. I didn't thoroughly check the metadata associated with each file though as I didn't have time, and I haven't checked the impact on the metadata of running a recursive hash tool such as md5deep across the directory.

So, back to the caveat at the top of this post. Test it thoroughly yourself and use at your own risk!

Hope it helps.

Stu

 
Posted : 19/10/2012 10:53 pm
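The native-tool approach discussed in this thread (hash at the source first, copy with metadata preserved, re-hash the copy and compare, so a copy error is caught rather than just hashed), written up here as an added example; it is not code from any poster, it assumes GNU coreutils and findutils, and the function names are hypothetical:

```shell
#!/bin/sh
# Added example (not from the thread): supervised live capture of selected
# directories. Hash at the source first, copy with metadata preserved, then
# hash the copy and compare the two manifests. Assumes GNU coreutils and
# findutils (sha256sum, find -print0, sort -z, xargs -0 -r); function names
# are hypothetical.
set -e

# hash_tree SRC MANIFEST: write "hash  ./relative/path" for every regular
# file under SRC, sorted, so identical trees yield byte-identical manifests.
# Reading the files updates atime on SRC unless it is mounted noatime or
# relatime, so record the mount options in the session log as well.
hash_tree() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# copy_tree SRC DST: cp -a preserves mode, ownership, timestamps and links
# (ownership needs root; the external drive must carry a filesystem with
# POSIX metadata, so not FAT). DST must not exist yet, so nothing is ever
# merged into an existing directory by mistake.
copy_tree() {
    if [ -e "$2" ]; then
        echo "destination already exists: $2" >&2
        return 1
    fi
    cp -a "$1" "$2"
}

# verify_tree DST MANIFEST: re-hash the copy and compare whole manifests.
# Unlike "sha256sum -c", this also catches files missing from, or extra in,
# the copy. The differing manifest lines go to stderr on failure.
verify_tree() {
    tmp=$(mktemp)
    hash_tree "$1" "$tmp"
    if cmp -s "$2" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    diff "$2" "$tmp" >&2 || true
    rm -f "$tmp"
    return 1
}

# capture SRC DST MANIFEST: the three steps in order. Run the whole session
# under "script" so the terminal log can be handed over with the manifest.
capture() {
    hash_tree "$1" "$3"
    copy_tree "$1" "$2"
    verify_tree "$2" "$3"
}
```

Keep the manifest on the external drive next to the copy; anyone can later re-run hash_tree on the copy and cmp it against the manifest to show nothing changed since the capture.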