The number 1 rule in Forensics is... Anyone know?
Ya, I didn't think you did. Make a statically compiled toolkit. Then when you run your ls and check for MAC times, you know right off the bat it's telling the truth. Although the rootkit may give you back false positives :S.
How does this work? It's because you're not invoking commands off of the host system, just off of the CD.
I want to mount it like mount -ro /img.img /mnt/disk. Didn't give me the option.
The stuff that normally screws me up is the syntax, that was the whole reason for asking for help. And the first 2 years of this course we examined pwdump and things like that, so we know what is going on exactly with the automated suites. The reason I know there is a rootkit on the image is:
Logs have been deleted or marked for deletion,
while doing MAC times noticed the ./ which means hidden directories,
also noticed the suspect installed stuff in the /usr directory and has since deleted it.
I did figure out why that image I was trying to check wasn't working in Penguin Sleuthkit live CD, which is what I was using.
I also called the teacher over while trying to mount it. He said try it via source. So that's what I'm going to try next.
Encase is sweet, but it crashes; must have been by the devil's workshop. :S Exams are coming up...
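The post touches on two things that trip people up: the exact mount syntax for examining an image without touching it, and pulling MAC times off the mounted tree with tools you trust. The functions below are an added example, not code from the thread or from the Penguin Sleuth CD; the image and mount-point paths are placeholders, and GNU find/awk plus a Linux /proc/mounts are assumed. The mount options are the point: ro so the evidence is never written, noexec and nodev so nothing on the suspect filesystem (rootkit binaries or planted device nodes) can be executed or used from the examiner's box, and a check of /proc/mounts afterwards because the kernel's view of the mount is what counts, not the mount command's exit code.

```shell
#!/bin/sh
# Added example (not from the thread): mount a raw disk image read-only for
# examination, confirm the mount is really read-only, and list MAC times and
# dot-prefixed (hidden) entries. /evidence/suspect.img and /mnt/disk below are
# placeholder paths, not the poster's image.

# Mount a raw image on a loop device, read-only. Requires root.
#   ro      - never write to the image
#   loop    - back the mount with a loop device
#   noexec  - refuse to execute binaries from the image (they may be the rootkit)
#   nodev   - ignore device nodes in the image
#   noatime - belt and braces: no access-time updates even if ro were dropped
mount_image_ro() {
    img="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,loop,noexec,nodev,noatime "$img" "$mnt"
}

# Check the kernel's mount table (field 4 = options) for an "ro" flag on the
# given mount point. Second argument lets a saved copy of /proc/mounts be used.
is_mounted_ro() {
    mnt="$1"; mounts="${2:-/proc/mounts}"
    awk -v m="$mnt" '$2 == m { if ($4 ~ /(^|,)ro(,|$)/) ok = 1 }
                     END { exit ok ? 0 : 1 }' "$mounts"
}

# One line per entry under a directory: modification (M), access (A) and inode
# change (C) times, then the path. -xdev keeps find on the evidence filesystem.
mac_times() {
    find "$1" -xdev -printf '%TY-%Tm-%Td %TT M  %AY-%Am-%Ad %AT A  %CY-%Cm-%Cd %CT C  %p\n' | sort
}

# Dot-prefixed names below the root (the "./" hidden directories noticed in the
# post), which a normal ls would not show.
hidden_entries() {
    find "$1" -xdev -mindepth 1 -name '.*'
}

# Usage (as root, on a statically linked toolkit rather than the host's binaries):
#   mount_image_ro /evidence/suspect.img /mnt/disk && is_mounted_ro /mnt/disk
#   mac_times /mnt/disk > /evidence/mac_times.txt
#   hidden_entries /mnt/disk
```

Run the listing from the static toolkit on the examiner machine, never from binaries inside the mounted image; the read-only mount protects the evidence from writes, but only trusted tools protect the listing from a rootkit's lies.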