Recovering forensic data from a failed boot

jdow jdow at earthlink.net
Mon Jan 30 21:38:14 UTC 2012


On 2012/01/30 13:21, Joe Zeff wrote:
> On 01/08/2012 11:28 AM, Kernel Guardian wrote:
>> Maybe could help to boot into runlevel 3, and turn debug on in
>> systemd. Or try to boot into single user.
>
> I've had too many other things going on to deal with this for quite some time.
> However, I did learn via fedoraforums that there are several backups of boot.log
> in /var/log, as well as at least one of dmesg. I've got time to play, a little,
> now, and will report if I find anything interesting/relevant.

First, one must take a dd-level record of the infected disk(s).

Then one can mount those disks read-only and paw through them for forensic
data. Otherwise forensic data may get lost, particularly from log files, as
logs rotate.

If you only have one disk, make a backup of /var/log/messages to another
directory immediately. Then treat that backup as read-only.

{o.o}
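The three steps in the post above (a dd-level image of the disk, a read-only mount of that copy, and an immediate snapshot of /var/log when there is only one disk) as a bash script. This is an added example, not code from jdow's message or anyone else in the thread; the device name /dev/sdb, the evidence paths and the ext3/ext4 `noload` mount option are assumptions, and the mount step needs root. It goes a little beyond the post by hashing each copy so later modification of the evidence is detectable.

```bash
#!/bin/bash
# Added example, not from the original post: preserve evidence from a suspect
# Linux system before another boot or a logrotate run alters it.
# Device names and paths below are assumptions; the mount step needs root.
set -euo pipefail

# 1. Bit-for-bit image of the suspect disk, plus a hash of the result.
#    $1 = source block device (e.g. /dev/sdb), $2 = output image path.
#    conv=noerror,sync keeps going past unreadable sectors and pads each short
#    read with zeros, so everything after a bad block stays at its correct
#    offset. bs=512 keeps that padding sector-aligned, so the image is the same
#    size as the device; a larger bs is faster but pads the tail of the image.
image_disk() {
    local src="$1" img="$2" bs="${3:-512}"
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync
    sha256sum "$img" > "$img.sha256"
    chmod 0444 "$img" "$img.sha256"    # the image is never written again
}

# 2. Re-check the image against its recorded hash before each analysis
#    session. Returns non-zero if the copy no longer matches.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null
}

# 3. Mount the image read-only for analysis (needs root). For a whole-disk
#    image, first expose its partitions on a read-only loop device:
#      losetup --find --show --read-only --partscan "$img"   # -> /dev/loopN
#    and mount /dev/loopNp1 instead of the file. "ro" alone is not enough on
#    ext3/ext4: the kernel would replay the journal and write to the image,
#    so noload is added (assumption: an ext3/ext4 filesystem).
mount_image_ro() {
    local img="$1" mnt="$2"
    mkdir -p "$mnt"
    mount -o loop,ro,noload,noexec,nosuid,nodev "$img" "$mnt"
}

# 4. Single-disk case: snapshot the logs now, before logrotate renames or
#    compresses them. -a keeps timestamps; the copy is then made read-only
#    and hashed file by file so any later change shows up.
backup_logs() {
    local logdir="$1" dest="$2"
    mkdir -p "$dest"
    cp -a "$logdir"/. "$dest"/
    find "$dest" -type f -exec chmod a-w {} +
    (cd "$dest" && find . -type f -exec sha256sum {} + | LC_ALL=C sort) > "$dest.sha256"
}

# Typical run, assuming /dev/sdb is the suspect disk (paths are assumptions):
#   image_disk /dev/sdb /mnt/evidence/sdb.img
#   verify_image /mnt/evidence/sdb.img
#   mount_image_ro /mnt/evidence/sdb.img /mnt/suspect
#   backup_logs /var/log /root/log-snapshot
```

Hash the original device too (`sha256sum /dev/sdb`) when it is still readable and compare it with the recorded image hash; with bs=512 and a sector-sized device the two should match, and a mismatch means the image, not the disk, is what you are looking at.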

