I know the command for mounting filesystems. When I view /dev, I only see hda. When I mount hda, it turns out to be the CD.
Can anyone advise me why I didn't see sda (my hard disk), or is my local hard disk known by another name?
At the command line, type dmesg and then scroll up about 1/2 to 2/3 of the way to where devices are detected. You should see your hard disk in there.
Generally under Linux, HDDs are always /dev/hd* (IDE devices) or /dev/sd* (SCSI and SATA devices). Therefore you could use grep to speed up looking at dmesg.
> dmesg |grep sd
or
> dmesg |grep hd
If you can't find your drive, re-check your cables.
The Helix disks are usually quite old with respect to Linux kernel versions and may not have support for detecting your local HDDs.
The best way to check is to look in the /proc/partitions file.
Type the following at the command line to see all partitions detected by Helix.
cat /proc/partitions
If it's empty then it doesn't detect any storage.
I would recommend GRML for more recent hardware support and real write blocking.
Helix doesn't do any write blocking on any of the block devices; it only mounts RO by default.
GRML sets all detected block devices (storage) to RO on bootup, so you need to set your destination HDD to RW before you can write to it.
But using GRML you need to watch out for the following:
1. You need to select forensic mode every time it boots (by default it boots to RW mode).
2. It is a command-line oriented distro, so not so easy for those who are less acquainted with Linux.
3. If you want to use LinEn then you need to supply a copy of LinEn on a USB flash drive, as it's not on the CD.
Although it does have ewfacquire, which will acquire to .E01s.
ewfacquire is the fastest acquisition tool for acquiring .E01s, far faster than Imager, LinEn or EnCase.
Greetings,
hydrocloricacid, out of curiosity, are you somehow associated with the GRML project? (http//
-David
Nup.
The closest I have been is asking them for certain features.
Asking for nilfs2 support and guymager (http://guymager.sourceforge.net).
Have been using it for 3 years.
It has its advantages and disadvantages.
I really do like that it sets all block devices to RO.
You may have noticed my enthusiasm regarding that; I had just emailed the GRML team and they explained that it sets all block devices to RO very early on in the initramfs part of the boot stage.
I had just done some research and found no other forensic Linux live CD did that.
I would really like for it to have an easy to use GUI though, so I can browse the suspect's HDD and have a quick look at files. But that's not its purpose.
What it is designed for it does very well. It is good for data recovery as well.
I mainly use it in cases where I can't use a hardware write blocker, e.g. a large server with RAID.
Greetings,
hydrocloricacid, out of curiosity, are you somehow associated with the GRML project? (http://grml.org/team/) -David
You haven't researched enough.
I know that for example SPADA locks hard drives explicitly early in the boot process, so even if you tried to do /mount -w /dev/hda1 /mnt/hda1 you still couldn't write to the disk. I've verified this by using hdparm to check the RO status, by explicitly trying to write to the device and by testing against known drives.
You should avoid generalisations about what EVERY other tool does or doesn't do until you've personally verified every tool yourself.
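The disagreement above is about whether a live CD marks block devices read-only at the kernel level early in boot, before anything gets a chance to mount them, and how to verify that claim. The script below is an added example; it is not code from the thread, nor from GRML, SPADA or Helix. It reads the "ro" attribute that sysfs exposes for each block device (the same flag that blockdev --getro reports) and refuses to proceed if any device is writable. The sysfs root is a parameter so the logic can be exercised on a constructed, sysfs-like directory tree built in a temporary directory; pass /sys to inspect the live system.

```shell
#!/bin/sh
# Added example (not from the thread): report the kernel read-only flag of every
# block device by reading the "ro" attribute under <root>/block/<name>/ro.
# This is the flag `blockdev --getro` reports; a distro that marks devices
# read-only during early boot is expected to have set it to 1.

# Print "NAME ro" or "NAME rw" for each whole device under <root>/block/.
ro_report() {
    root=$1
    for dev in "$root"/block/*; do
        [ -f "$dev/ro" ] || continue   # no block devices, or not a device entry
        name=${dev##*/}
        if [ "$(cat "$dev/ro")" = "1" ]; then
            echo "$name ro"
        else
            echo "$name rw"
        fi
    done
}

# Return 0 if every device under <root> is read-only, 1 otherwise, printing the
# writable names on stderr so an acquisition script can stop before touching them.
all_read_only() {
    writable=$(ro_report "$1" | awk '$2 == "rw" { print $1 }')
    [ -z "$writable" ] && return 0
    echo "writable devices: $writable" >&2
    return 1
}

# Constructed sysfs-like tree (not a real /sys): sda and sr0 flagged ro, sdb rw.
FAKE_SYS=$(mktemp -d)
trap 'rm -rf "$FAKE_SYS"' EXIT
for d in sda sdb sr0; do mkdir -p "$FAKE_SYS/block/$d"; done
echo 1 > "$FAKE_SYS/block/sda/ro"
echo 0 > "$FAKE_SYS/block/sdb/ro"
echo 1 > "$FAKE_SYS/block/sr0/ro"

ro_report "$FAKE_SYS"
all_read_only "$FAKE_SYS" || echo "not safe to treat this system as write-blocked"

# On a live system: ro_report /sys ; all_read_only /sys
```

The kernel flag this reads is set and cleared with blockdev --setro and --setrw (util-linux); mounting a filesystem read-only is a separate, higher layer and does not set it, which is exactly the Helix-versus-GRML distinction drawn earlier in the thread. A flag like this is still only enforced by the running kernel, so it is a check on the live system's own behaviour, not a substitute for a hardware write blocker.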
SPADA??? Where can people download SPADA from?
I looked on http://distrowatch.com and did not find SPADA.
Googled and did not find SPADA.
(I googled for "spada forensic linux live cd download" and many other variations on this.) Are you trolling?
http://spada-cd.info/
Your google-fu is weak, it's the first result for "SPADA forensic CD", and other variations.
Device recognition and device nomenclature are something to learn. View the kernel ring buffer via the 'dmesg' command. Instead of scrolling you can look for potential information of interest via
dmesg | grep -i 'hd[a-t]\|sd[a-z]'
You can also see which physical disks have been recognized via:
fdisk -l
Note that a disk may not show in the output of 'fdisk' or in the "/proc/partitions" if the device partitioning schema isn't supported by the Linux kernel, or if the Linux operating system environment has trouble with the physical device and/or file system(s).
Cheers!
farmerdude
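As an added example, not from the thread or from any of the distros named in it, the following script parses /proc/partitions, the file that both the Helix advice and the post above point to, and separates whole devices from their partitions. That distinction lets "no storage detected at all" be told apart from the case the last post describes, where a disk is recognized but its partitioning is not understood, so only the whole device appears. The sample input is constructed. The classification goes beyond the hd*/sd* names the thread discusses: a name is treated as a partition when stripping its trailing number (or pN suffix) yields another listed device, so NVMe and MMC names are handled too.

```shell
#!/bin/sh
# Added example (not from the thread): classify /proc/partitions entries into
# whole devices and partitions. Both functions read the file's contents on stdin.

# Print "disk NAME" or "part NAME PARENT" for each entry. A name is a partition
# when stripping a trailing "[p]N" yields another listed name (sda1 -> sda,
# nvme0n1p1 -> nvme0n1); everything else (sda, sr0, loop0, nvme0n1) is a device.
classify_partitions() {
    # column 4 is the name; skip the header line and blank lines
    names=$(awk 'NR > 1 && NF == 4 { print $4 }')
    for n in $names; do
        parent=$(printf '%s\n' "$n" | sed -E 's/p?[0-9]+$//')
        if [ "$parent" != "$n" ] && printf '%s\n' "$names" | grep -qx -- "$parent"; then
            echo "part $n $parent"
        else
            echo "disk $n"
        fi
    done
}

# Count whole devices; zero means the kernel detected no storage at all, which
# is the "empty /proc/partitions" condition described earlier in the thread.
count_disks() {
    classify_partitions | awk '/^disk / { n++ } END { print n + 0 }'
}

# Constructed sample of /proc/partitions (not captured from a real machine).
SAMPLE='major minor  #blocks  name

   8        0  488386584 sda
   8        1     524288 sda1
   8        2  487861256 sda2
  11        0     716800 sr0
 259        0  250059096 nvme0n1
 259        1  250057000 nvme0n1p1
   7        0      12345 loop0'

printf '%s\n' "$SAMPLE" | classify_partitions
echo "sample: $(printf '%s\n' "$SAMPLE" | count_disks) whole device(s)"

# On a live system, read the real file instead of the sample:
if [ -r /proc/partitions ]; then
    echo "this system: $(count_disks < /proc/partitions) whole device(s)"
fi
```

A device that appears here with no partitions underneath it is worth a second look with fdisk -l before concluding the disk is blank: as the post above notes, an unsupported partitioning scheme produces exactly that picture.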