What you're asking for is trivially available on all Linux systems. Through the "/dev" filesystem, the kernel makes many hardware devices available to ordinary programs. For example, if you had mounted your target disk as the secondary master hard drive, you could create an image of the disk by doing:

    cp /dev/hdc ~/disk-image

Or search a floppy disk for intelligible-looking strings:

    strings /dev/fd0 | less

Note: speaking from experience, it's *very* important to pipe the results to less - you wouldn't believe how many false-positives you get in 1.44MB of data :)

You could also make an image of a single partition and mount the image:

    fdisk -l /dev/hdb      (to examine the partition table)
    cat /dev/hdb1 > ~/disk-image
    mount -o ro,loop ~/disk-image /mnt/misc

It is traditional to use "dd" for direct hardware access because it supports even very complex operations - e.g. to look for text between the 27th and 33rd megabyte from the fourth partition of a SCSI disk, logging your output to "logfile", do:

    dd if=/dev/sda4 bs=1M skip=27 count=6 | strings | tee logfile | less

It's a common trick to back up a system by pointing tar straight at a device:

    tar jcvvf /dev/tape /home/*

The program "file" (yes, it is a confusing name) can be used to diagnose many common file formats, though you have to trick it into looking beyond the fact that it's looking at a device instead of a normal file:

    cat /dev/cdrom | file -

If you intend to examine ext2 filesystems which have had files recently deleted, you should look at 'debugfs', and the various undeletion-related HOWTOs available from the LDP.

Of course, the other side of the forensic coin is also well represented under Linux. To destroy a file with little or no trace, do:

    shred <filename>

The "/dev" filesystem is an example of the general Unix philosophy that "everything is either a file or a process". This simple, universal rule makes it possible to use the full range of standard Unix tools everywhere - for example, I can use "cat" to record sound from my microphone and (using inetd) I can create a message-of-the-day server with "echo" :-)

This simplicity even extends to the source-code level. If you do choose to write your own tools, you need only open a device like any other file. The only thing you need to know is that some devices are "character special files", which means that they can't be randomly accessed (e.g. it makes no sense to seek to the 5th byte in /dev/mouse).

Good luck!

- Andrew Sayers
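The closing point of the message above (a device is opened like any other file, except that character special files are not seeked), as an added example that is not part of the original message: a C version of the dd | strings pipeline for one byte range. The names scan_strings and write_sample_image and the sample image bytes are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <sys/stat.h>

/* Count (and print, if asked) runs of >= min_len printable bytes in
 * [offset, offset+length) of path. Returns -1 on error, -2 if asked to
 * seek on a character special file. */
long scan_strings(const char *path, long offset, long length,
                  size_t min_len, int print) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (S_ISCHR(st.st_mode) && offset != 0) return -2;  /* no random access */
    FILE *f = fopen(path, "rb");        /* read-only: never write to evidence */
    if (!f) return -1;
    if (offset != 0 && fseek(f, offset, SEEK_SET) != 0) { fclose(f); return -1; }
    char run[256];
    size_t n = 0;
    long found = 0;
    for (long i = 0; ; i++) {
        int c = (i < length) ? fgetc(f) : EOF;      /* stop at end of range */
        if (c != EOF && isprint(c)) {               /* extend the current run */
            if (n < sizeof run - 1) run[n] = (char)c;
            n++;
            continue;
        }
        if (n >= min_len) {                         /* run ended: report it */
            run[n < sizeof run - 1 ? n : sizeof run - 1] = '\0';
            if (print) puts(run);
            found++;
        }
        n = 0;
        if (c == EOF) break;
    }
    fclose(f);
    return found;
}

/* Constructed 29-byte sample standing in for a disk image. */
int write_sample_image(const char *path) {
    static const char img[] = "\0\1" "hello" "\377" "ab" "\0" "forensic" "\0\0" "trailing";
    FILE *f = fopen(path, "wb");
    size_t w = f ? fwrite(img, 1, sizeof img - 1, f) : 0;
    return (f && fclose(f) == 0 && w == sizeof img - 1) ? 0 : -1;
}

int main(void) {
    if (write_sample_image("sample-image.bin") != 0) return 1;
    printf("%ld strings\n", scan_strings("sample-image.bin", 8, 21, 4, 1));
    return remove("sample-image.bin") != 0;
}
```

The long offsets cover whole disks on 64-bit Linux; a 32-bit build would need fseeko with a 64-bit off_t. Point it at a block device or an image made with cp or dd in place of the sample file.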