[Full-disclosure] Forensic help?
Paul Schmehl
pauls at utdallas.edu
Mon Sep 12 16:08:52 BST 2005
--On Monday, September 12, 2005 10:11:24 -0400 Red Leg <redleg18 at gmail.com>
wrote:
>
> Does dcfldd allow me to mirror the disk in such a manner as to include
> deleted files? I can not swap drives. I need to obtain an image with
> which I can "undelete" files that were conventionally erased.
>
> Will dcfldd provide such an image?
>
Yes. dcfldd is a bit for bit copy of the drive. All bits, including
deleted files, etc., are included.
Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
Full-Disclosure is hosted and sponsored by Secunia.