Now that I have finally managed to get my old HDD mounted, it is time to actually start getting my data off, keeping what I want for analysis, formatting the drive, and getting just my data back on.

What's worth keeping? What isn't needed? I tried looking into a few things, but there was very little to really go on. So how do I gather the files I need for analysis, while being able to otherwise keep my data, and reformat the drive?

My first thought with this forensic analysis is that it had something to do with GRUB. I mean, GRUB is the boot loader, and is responsible for booting the OS. So if anything was helping cause the boot problems I came across in my earlier post here, it'd have to be GRUB... Or at least something to do with GRUB. So I ran the following command to grab all the GRUB files:

find /home -iname '*grub*' -exec mv '{}' /forensics/ \;

So now I've got all the GRUB files. Awesome. So what else do I need?

THEN it occurs to me that I can just copy over the entire filesystem, and not worry about individual files until I really start to tackle this. So that is what I did. I also copied over all my data to another folder. Now I wanted to compress it all to maybe fit it on a DVD or something so I can archive it and get it off my PC. Using the Archive Manager provided with CrunchBang, I tried to create an archive file, but I kept getting an error:

An error occurred while adding files to the archive.
Permission denied

Ugh... While I understand most of the basics of Linux file permissions, I haven't studied it to any degree, so I'm not really sure what to do about that... So I tried the following commands to change the file permissions and ownerships:

chmod 656 -R /forensics/

chown -R user:user /forensics/

Trying again, same error. I so hate Linux permissions... Maybe I should study up a bit more in this regard. Until then, though, I am stuck with my existing knowledge. I wound up changing to the root user and manually creating an archive from the CLI:

sudo su -

# -c creates the archive and -z gzips it (-c and -x cannot be combined);
# after "su -" the working directory is /root, so give the absolute path
tar -czvf analyzeme.tgz /forensics/

And there's my archive file. And I can take all the time I want to go through this with as fine-toothed comb as I want. Next, I format my drive and get the data back on for my new internal server...
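As an added example (not part of the original post), the script below reproduces the permission problem described above and shows the fix. Mode 656 is rw-r-xrw-, which strips the execute (search) bit from the owner on every directory, so the owner cannot enter the tree regardless of ownership; resetting directories to 700 and files to 600 restores access without making data files executable. It also creates the archive with `tar -cz` rather than the conflicting `-cx`. All paths under `$WORK` are constructed for the demo; `/forensics/` from the post is not touched.

```shell
#!/bin/sh
# Added example, not from the original post. Constructs a small tree in a
# temp dir standing in for /forensics/, applies the broken mode, repairs it,
# and archives the result.
set -eu

WORK="${TMPDIR:-/tmp}/forensics-demo.$$"   # constructed scratch location

# Build a constructed tree: two directories of "evidence" with one file each.
make_tree() {
    mkdir -p "$WORK/forensics/boot/grub" "$WORK/forensics/home/user"
    printf 'set default=0\n' > "$WORK/forensics/boot/grub/grub.cfg"
    printf 'user data\n'     > "$WORK/forensics/home/user/notes.txt"
}

# Count directories whose owner lacks the execute/search bit (octal 0100).
# Such a directory cannot be entered by its owner, which is what produces
# "Permission denied" from the archiver. Errors from find are silenced
# because, as a non-root user, it cannot descend past the first such dir.
dirs_without_owner_x() {
    find "$WORK/forensics" -type d ! -perm -100 2>/dev/null | wc -l | tr -d ' '
}

# Reproduce the mode the post applied: 656 = rw-r-xrw- on dirs and files.
apply_broken_mode() {
    chmod -R 656 "$WORK/forensics"
}

# Fix: directories need x to be searchable, files do not. Setting them
# separately avoids accidentally marking data files executable.
apply_fixed_mode() {
    chmod 700 "$WORK/forensics"
    find "$WORK/forensics" -type d -exec chmod 700 {} +
    find "$WORK/forensics" -type f -exec chmod 600 {} +
}

# Create the archive with -c (create) and -z (gzip). tar rejects -c together
# with -x, so "tar -cxvf" never produces a file. -C makes the archive hold a
# relative "forensics/" tree instead of the absolute scratch path.
# Prints the number of entries tar lists back from the archive.
make_archive() {
    tar -C "$WORK" -czf "$WORK/analyzeme.tgz" forensics
    tar -tzf "$WORK/analyzeme.tgz" | wc -l | tr -d ' '
}

cleanup() { rm -rf "$WORK"; }

demo() {
    make_tree
    apply_broken_mode
    echo "dirs without owner x after chmod 656: $(dirs_without_owner_x)"
    apply_fixed_mode
    echo "dirs without owner x after fix:       $(dirs_without_owner_x)"
    echo "entries in analyzeme.tgz:             $(make_archive)"
    sha256sum "$WORK/analyzeme.tgz" 2>/dev/null || shasum -a 256 "$WORK/analyzeme.tgz"
    cleanup
}

demo
```

The final hash line is there because an archive meant for later forensic review is worth fingerprinting at creation time, so that a copy pulled off a DVD months later can be checked against it. If the copied files still carry the old drive's UIDs, `chown -R user:user` as in the post is the right call, but only once the directory modes allow traversal.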
