Forensics, recovery, undelete

Hi, I found this reference information. Good for people who want to get rich knowledge about sysadmin. (Part 5)

Part1 - Basics, important sites, HOWTO's, handbooks, hardening, tips
Part2 - Netfilter, firewall, Iptables, Ipchains, DoS, DDoS
Part3 - Intrusion detection, integrity checks: IDS, NIDS, HIDS, Antivirus, software
Part4 - Chroot, chrooting, jailing, compartmentalization
Part5 - Forensics, recovery, undelete
Part6 - Securing networked services

Part5 - Forensics, recovery, undelete

Forensics HOWTO's, docs
Steps for Recovering from a UNIX or NT System Compromise:
Open Web Application Security Project (OWASP):
Open Source Computer Forensics Manual:
OSSTM: Institute for Security and Open Methodologies (formerly
Forensics Basic Steps: or
Dd and netcat cloning disks:
Security Applications of Bootable Linux CD-ROMs:
Honeypot project (Hone your skills with the SOM):
RH8.0: Chapter 11. Incident Response (Red Hat Linux Security Guide):
Forensics and Incident Response Resources:
Forensics presentation by Weld Pond and Tan:
Law Enforcement and Forensics Links:
Forensics commercial svc's:

Forensics CDR's
FIRE (formerly Biatchux +TCT):
The Penguin Sleuth Kit (Knoppix-based +TCT + Sleuthkit):

Forensics tools
OSSTM Tools listing:
The Coroners Toolkit (TCT): or
tomsrtbt (1 floppy distro):
Trinux, (Pentest/sniff/scan/recovery/IDS/forensics CD):
Snarl (Forensics CD based on FreeBSD):
Freeware Forensics Tools for Unix:
The @stake Sleuth Kit (TASK):
Tools used by CSIRTs to Collect Incident Data/Evidence, Investigate and Track Incidents (list):
Freeware Forensics Tools (reflist, Linux, w32):
TUCOFS - The Ultimate Collection of Forensic Software:
Response kits (precompiled static binaries for Linux, Slowaris and wintendo):
Precompiled static binaries for Linux (iso):
Forensic Acquisition Utilities for w32:
CREED (Cisco Router Evidence Extraction Disk):
...else check Packetstorm, whatever.

Undelete HOWTO's
Recovering a Lost Partition Table:
Linux Partition HOWTO:
How to recover lost partitions:
Linux Ext2fs Undeletion mini-HOWTO:
Linux Partition Rescue mini-HOWTO:
File Recovery.v.0.81 (using Midnight Commander):

Rescue tools for partition table/ext2fs
Recover (app + info):
Also see mc (the Midnight Commander)
TCT (above).

Rescue tools from dd image

Rescue tools for FAT/VFAT/FAT32 from Linux

Partition imaging
Partimage: http://www.partimage.org
* For more rescue tools, check other depots for a /Linux/system/recovery/ dir.

II. Runefs: The first inode that can allocate block resources on an ext2 file system is in fact the bad blocks inode (inode 1) -- *not* the root inode (inode 2). Because of this mis-implementation of the ext2fs it is possible to store data on blocks allocated to the bad blocks inode and have it hidden from an analyst using TCT or TASK. To illustrate the severity of this attack the following examples demonstrate using the accompanying runefs toolkit to: create hidden storage space; copy data to and from this area; and show how this area remains secure from a forensic analyst.

Original Source: