At this point I have managed to get the old HDD mounted and working on my test server and I got all the data off. Now I need to reformat the drive to ensure nothing is left, and get just my data back on so I can use it for my dedicated internal server, and once again have access to my data. Here's how I went about doing so.

Step 1, run gparted to see what the partition is like, blow it away, and create a new one:

sudo gparted

Alright. So it first loads my actual HDD. Which is fine, but I have to make sure I edit the correct drive, which is very easy to do: there's a little drop-down list of all available HDDs, and there is only one other one. Select that, and away we go.

First I just delete all partitions. And then apply the changes. This wipes everything out, and creates a completely blank drive to start working with. Next is to create a partition, format it for use, and transfer the data back on to the HDD.

I first tried creating a primary partition for the whole HDD. While the process completed just fine, I could not mount that partition. Then I thought about it... I set this to be the primary partition, and there is a primary partition already set up and in use on the computer I am using. Same with the new server I am building, it will already have a primary partition. So extended it is. I create the extended partition, format it as ext3, try the mount command, and BOOM!, mounted and ready to read/write.

So I copied over the data files I wanted to keep, and now it's time to bring them home and ready that server for the new HDD.

As for the forensics files, I feel a need to keep them, try to document them and have them available for later retrieval. Yet they need(?) to be otherwise rendered inert, so they cannot cause any harm (who knows what's there). So that is my next task. Right now, they are on a lab computer, and ready for analysis. But how to back up these files? I think that putting them on some random HDD in any place isn't the best long-term solution. Especially if I have no immediate plans to access them on a regular basis. The files in my lab will be the ones I access regularly, at least until I am finished with my analysis. But for safe-keeping, I think that DVD might be better suited for my needs. Problem is, as-is, that filesystem is larger than 6GB, and cannot be burnt to DVD.

Why did I think this would be easy? I must have been delusional, or just deluding myself...

Alright then, we'll compress the filesystem and burn that compressed file. As-is, the compressed file was STILL over 4.3GB. argh.

Ok, we'll delete some unneeded files. I know that this also carries the possibility that I will delete something of value, but this isn't like a really serious breach where millions of credit cards were stolen or something like that... No no no. In fact, I don't even have any concrete evidence that I didn't suffer from some kind of system failure. I only have my intuition, and that's what I have to work with.

So what to delete then? I ran the following command to help determine what is taking up space:

du -sh *

cd into the larger directory, run the command again.

I did this process until I found the following directory:


A whole TON of .deb files. Now I know that these are Debian packages, and they all seem to be from my latest updates. I am reasonably sure that these .deb files can go. To be sure I got them all, I ran the following commands:

cd /forensics/var/cache/apt/archives/

find . -name "*.deb" -type f -delete

And there goes a bunch of old packages. While the raw filesystem is still over 6GB, I managed to compress it all to 2.6GB with the following command:

tar -czvf AnalyzeMe.tgz /forensics/

This file has been burned to DVD, and is ready for archiving. Now, on to actually starting the forensics.
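Pulling the space hunt, the .deb cleanup and the compression above into one script, as an added example that is not part of the original post. It automates the manual "du -sh *, cd into the biggest directory, repeat" loop, checks the result against the 4.3GB DVD limit the post hit, and (going one step beyond the post) writes a SHA-256 next to the archive so the disc copy can be verified later; the evidence root and archive name are placeholders.

```shell
#!/bin/sh
# Added example (not from the post): automates the manual "du -sh *, cd into the
# largest directory, repeat" search, prunes the apt .deb cache under the evidence
# root, and checks that the tarball fits a single-layer DVD. Paths are placeholders.

DVD_LIMIT_KB=$((4300 * 1024))   # ~4.3 GB, the limit the post ran into

# Follow the largest child from $1 downward, printing each directory visited.
# Stops when the largest entry is a file (that is where the space actually is).
drill_down() {
    dir="$1"
    while :; do
        biggest=$(du -sk "$dir"/* 2>/dev/null | sort -rn | head -n 1 | cut -f2-)
        [ -n "$biggest" ] && [ -d "$biggest" ] || break
        printf '%s\n' "$biggest"
        dir="$biggest"
    done
}

# Delete cached Debian packages below the evidence root (the same find the post
# used) and print how many were removed.
prune_deb_cache() {
    cache="$1/var/cache/apt/archives"
    [ -d "$cache" ] || { echo 0; return 0; }
    n=$(find "$cache" -name '*.deb' -type f | wc -l | tr -d ' ')
    find "$cache" -name '*.deb' -type f -delete
    echo "$n"
}

# Compress the tree with relative paths (like the post's tar -czvf, minus the
# "Removing leading /" warning) and print "fits" or "too_big" against the DVD
# limit. Writes a SHA-256 beside the archive when sha256sum is available.
archive_tree() {
    root="$1"; out="$2"
    tar -czf "$out" -C "$(dirname "$root")" "$(basename "$root")"
    command -v sha256sum >/dev/null 2>&1 && sha256sum "$out" > "$out.sha256"
    size_kb=$(du -k "$out" | cut -f1)
    if [ "$size_kb" -le "$DVD_LIMIT_KB" ]; then echo fits; else echo too_big; fi
}
```

Run it as `drill_down /forensics`, then `prune_deb_cache /forensics` and `archive_tree /forensics AnalyzeMe.tgz`; keep the .sha256 file with the DVD.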
