E-discovery- I have an old lap-top (running win 98), which I imaged using a linux bootdisk and dd to an external hard drive and need to capture specific files from the collection. I plugged it to my PC and am able to browse the copied files, but am afraid to access them or open subfolders to preserve the last accessed metadata. Is there software/dongle or anyway I can scoop out what I need without changing the metadata? (via win XP - my linux knowledge is limited) THANKS!
E-discovery- I have an old lap-top (running win 98), which I imaged using a linux bootdisk and dd to an external hard drive and need to capture specific files from the collection. I plugged it to my PC and am able to browse the copied files, but am afraid to access them or open subfolders to preserve the last accessed metadata. Is there software/dongle or anyway I can scoop out what I need without changing the metadata? (via win XP - my linux knowledge is limited) THANKS!
Why don't you robocopy to a new location so you have two copy's. Browse one and delete out what you don't need from the other. Easy way to preserve.
I really do not understand what you are trying to accomplish? If you copy the files with any OS you are going alter the times on the new copies. When the new files are created they will recieve new time stamps. The files themselves do not contain any time stamps – only the directory and filesystem structure contains these attributes. The files are just data blocks within a filesystem.
If your need is to preserve the file attributes and data for forensic purposes – burn the filesystem image to DVD or CDROM. Use dd again and create a file on your XP filesystem that is the entire "copied filesystem".
I really do not understand what you are trying to accomplish? If you copy the files with any OS you are going alter the times on the new copies. When the new files are created they will recieve new time stamps. The files themselves do not contain any time stamps – only the directory and filesystem structure contains these attributes. The files are just data blocks within a filesystem.
If your need is to preserve the file attributes and data for forensic purposes – burn the filesystem image to DVD or CDROM. Use dd again and create a file on your XP filesystem that is the entire "copied filesystem".
Robocopy preserves metadata. Test it out. http//
Hi,
I am also not sure what you are meaning to achieve from your post.
When you imaged the device originally was it done via any sort of write blocking device or did you set the Linux machine to mount the device as read only? If you took none of these steps there is a chance your Linux imaging machine wrote to the device when you imaged it and changed dates/times.
Once imaged you should be able to mount the image within Linux and see it as a file-system. Mounting the image read only means you can preview the data imaged from the device without altering anything, dates/times etc. If you then copied out a file then that file would become subject to alteration but the original would still be there untouched.
In terms of data the dates, times etc are contained within the file-system but some files do contain within them other meta data, such as MS Office files. Either could have been subject to change without a method of write blocking but certainly the file-system dates are more likely to change from previewing, copying, imagining without any write protection.
Sorry if this is teaching you to suck eggs (UK saying) but it wasn't clear from the posts so far what was trying to be achieved and what had been done so far.
Steve
E-discovery- I have an old lap-top (running win 98), which I imaged using a linux bootdisk and dd to an external hard drive and need to capture specific files from the collection. I plugged it to my PC and am able to browse the copied files, but am afraid to access them or open subfolders to preserve the last accessed metadata. Is there software/dongle or anyway I can scoop out what I need without changing the metadata? (via win XP - my linux knowledge is limited) THANKS!
Since this is eDiscovery what you collect is going to be dictated by the demands of the counsel behind the process. They're the ones who are potentially going to have to defend the scope and manner of the collection so make sure that whatever you do is signed off by the legal people.
I just recently have been doing eDiscovery collections but most of them are from remote locations but you can use RoboCopy just make sure you preserve the files. Until I can get my hands on EnCase Enterprise I RoboCopy files to a clean drive then image the drive. Then I maintain the preserved copy and usually deliver the files to counsel by CD or generate a report that includes all metadata for each file with the file attached.
Either way you should be working closely with the legal counsel in eDiscovery collections.