SANS Digital Forensics and Incident Response Blog: Author - David Hoelzer

First Response: Recovering a Dying Hard Drive

By David Hoelzer
Enclave Forensics

So there I was, happily working away, when Time Machine pops up and tells me, "Time Machine has not successfully completed a backup in 18 days." "That's strange," I thought, and proceeded to look into what could possibly be wrong.

I won't bore you with my deep satisfaction with Macs and Time Machine. That's not what this article is about. However, what I discovered was that Time Machine was failing to mount the sparse bundle in which the backup is stored. After poking at this for a couple of minutes I decided to simply reformat the Time Machine partition and be done with it.

After doing
How To: Build a Response CD

In both our compliance auditing and incident response/forensics practice we make heavy use of customized CDs full of analysis tools. Let's take a look at the process of building one step by step. For our example we're going to use Linux, but this process works for any UNIX-based system you have.

Step One:

The first thing you need to do is create a directory that will hold all of your security tools while you build the CD. It's generally easier if you build a directory structure that's familiar, so we recommend that you first create a top-level folder that will serve as the root of the security tools CD you create. For our purposes we'll call this directory "response".

Inside of the "response" folder you will want to create an organized directory