
Deduplicating: EWF vs Raw

  • Posted on August 4, 2015 at 14:24

Is ‘good old’ Expert Witness Format still the preferred choice?

In recent years, huge centralized storage has become pretty much a standard everywhere. And pretty much everywhere EWF has become the standard for forensic imaging.
I wonder if this is still the optimal combination from the perspective of storage efficiency.

How does deduplication perform on EWF images compared to raw? In fact, my assumption is: the more raw images saved to a deduplicating volume, the more efficiently deduplication will do its job.


Let’s bring them to the test!

After booting up a Windows 7 machine, I imaged the boot disk using EnCase 6 (run 1).
Immediately after, I initiated a second acquisition using the same EnCase session (run 2).
All acquisition settings were kept at their defaults, using ‘Good compression’ and a split size of 640MB.

FTK Imager
After EnCase finished both acquisition sessions successfully, I started two acquisition sessions with FTK Imager using the same approach: start one and, while it is running, start session number two.

Changing WordPress Header-text

  • Posted on September 3, 2014 at 18:38

Status change

Up until about a year ago I thought of myself as an IT-guy lacking ambition. You may have read about it.
But things can change! People can change. Your status can change…

But what if you have your status listed as an under-title in your WordPress-blog?
You would update, you say?
Yes, but how in the world can you do that in WordPress?



To cut a long story short: I didn’t really find an easy way of changing the layout of what WordPress calls the Header-text. Of course, changing the text is not a problem. But specifically changing the layout, or making it a hyperlink, is where it gets troubling.

Finding the header-text in the database was doable:

MySQL Query: Header text

Updating using SQL was also a piece of cake. But inserting HTML-code appeared to be ‘impossible’.
WordPress, or Apache, or PHP, whoever you want to blame, just renders the HTML to unformatted text. And that is not cool!



I just edited the header.php file, and added raw HTML.
File: [apacheroot]/wordpress/wp-content/themes/purple-pastels/header.php

VIM Screenshot of header.php

This is not a solution that I am particularly proud of. But I am proud of the result!

I just have to keep in mind that after an update of the theme, my so beloved updated header-text will be gone.
Therefore I documented all this.

GRUB: Change Splash-screen

  • Posted on July 26, 2014 at 02:37


  • Make sure you make it with GIMP. Creating with Photoshop and saving (in different formats) never worked for me. Even opening the Photoshop-image with GIMP and saving it afterwards was not good enough for GRUB.
  • You can place the image anywhere. If you want to place it with the original grub-splashes, this is a good place: /usr/share/images/desktop-base.
  • Then edit /etc/default/grub. Add the line:
  • Update GRUB:
    # update-grub2



  • Create a file called /boot/grub/custom.cfg and add the lines:
    set color_normal=light-black/black
    set color_highlight=white/black



Maybe you would like to change the menu entries:
Edit /etc/grub.d/10_linux
(You can find them starting with title=. I added LISA for this example)

linux_entry ()
{
  # Excerpt: only the two title= lines are edited, the rest of the function stays as it is
  if ${recovery} ; then
    title="$(gettext_quoted "LISA %s, with Linux %s (recovery mode)")"
  else
    title="$(gettext_quoted "LISA %s, with Linux %s")"
  fi


And then when you reboot things may look like this:
(If you’re lucky)






Start Debian in text-mode

  • Posted on January 6, 2014 at 21:56

Edit /etc/default/grub file, locate the following line:


and change it to:


and don’t forget to run ‘update-grub’ afterwards to update.

(thanks to Eu2200 on debianadmin.com)

Clone Debian over SSH using Rsync

  • Posted on January 5, 2014 at 03:11

A simple walk-through

On the target machine:

  • Net-install the same Debian-distro with Graphical User-Environment and SSH-Server
  • Boot the newly installed Debian OS
  • Install some tools:
    # apt-get install rsync parted htop xfsprogs
  • If you feel like it: make a separate /home partition, mount it, and add it to your /etc/fstab
  • Secure your fstab:
    # cp /etc/fstab /boot/_etc_fstab
  • Start the SSH-Server:
    # /etc/init.d/ssh start
  • Get the target IP:
    # ifconfig -a eth0


On the original machine:

  • Go cloning:
    # rsync -aAXv --delete --progress --exclude={/boot/*,/dev/*,/mnt/*,/proc/*,/sys/*,/tmp/*,/run/*,/media/*,/lost+found} --rsh='ssh -p22' /* root@ip-target-machine:/


Go back to your target machine and copy back your fstab and reboot:

  • Restore your fstab:
    # cp -f /boot/_etc_fstab /etc/fstab
  • Reboot:
    # shutdown -r now

Have fun with your fresh Debian install!
Well fresh… “Your already configured Debian install”.

Don’t forget to re-install your VMware-Tools! Your GRUB may need updating for some extra kernel-parameters.


ZFS: Deduplicating is not a myth!

  • Posted on February 9, 2013 at 20:44

Long time no see!

After having put it away for, I guess, almost 2 years, I took a look at ZFS again.
In ‘the early days’ ZFS only had a Linux-implementation using FUSE. An implementation which I liked from a Nerdish point-of-view, but not so much as a serious replacement for XFS on my operational Linux machines.

Since SSD is commonly available now, and all my operational servers have at least 16 cores, it was time to reevaluate the possibilities of ZFS on Linux again.

I was not disappointed! My oh my…


The ZFSonLinux Gentoo 64bit Walk-through:
(Using VMware Fusion 5)

  • Create a Gentoo Linux 64bit VM, add 4GB RAM at least, and the disks:
    • 1 Boot disk, 80GB
    • 4 Data disks, each 2TB. Single file, do not preallocate disk space! Important!
    • 1 Cache disk, 20GB. Preallocating is advised, but not necessary.
  • Install Gentoo
  • Install sys-fs/zfs sys-fs/zfs-kmod
  • Add 'modules_3_6="zfs"' to /etc/conf.d/modules
  • insmod /lib64/modules/3.6.11-gentoo/addon/zfs/zfs/zfs.ko
  • zpool create deduptestvol raidz -f /dev/sdf /dev/sdg /dev/sdh /dev/sdi
  • zpool add -f deduptestvol cache /dev/sdj
  • zfs set atime=off deduptestvol
  • zfs set dedup=on deduptestvol

The ZFS-volume, named deduptestvol, should be up and running right now. Typically it is mounted automatically under /.
Let’s check:


Testing the dedup-capabilities

  • I made one volume, with the same size, also RAIDZ
  • Created one file of exactly 1000MegaBytes
    (# dd if=/dev/random of=/data bs=100M count=10)
  • Copied that file 32 times
  • Then I copied that whole directory to the volume with deduplicating switched on.
  • On my host machine, I took a look at the disk space consumption.

Some proofs

Some recursive MD5’s over both volumes:



For saving 32Gigabyte of data in traditional RAID5:

The ‘normal’ ZFS-Volume consumed 44G of virtual disk-space.
The Deduplicated ZFS-Volume consumed 3.6G of virtual disk-space.

“ZFS is the shit!”
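
The question from the EWF-vs-raw post and the dedup test above both come down to how many fixed-size blocks are identical across files. The following Python sketch is an added example, not code from the original posts: the "disk" is constructed data, `compress_chunked` is a simplified stand-in for a compressed image (deflated 32 KiB chunks, not real EWF), and the 128 KiB block size is ZFS's default recordsize.

```python
import hashlib
import random
import zlib

BLOCK = 128 * 1024  # dedup granularity: ZFS default recordsize
CHUNK = 32 * 1024   # assumed compression chunk (64 sectors of 512 bytes)


def dedup_ratio(streams, block_size=BLOCK):
    """Return logical blocks / unique blocks for fixed-size block dedup."""
    seen, total = set(), 0
    for data in streams:
        for off in range(0, len(data), block_size):
            seen.add(hashlib.sha256(data[off:off + block_size]).digest())
            total += 1
    return total / len(seen)


def compress_chunked(raw, chunk=CHUNK):
    """Simplified compressed image: deflate each chunk, then concatenate."""
    return b"".join(zlib.compress(raw[o:o + chunk], 6)
                    for o in range(0, len(raw), chunk))


def make_disk(seed, size=4 * 1024 * 1024):
    """Constructed sample 'disk': compressible, text-like content."""
    rnd = random.Random(seed)
    words = [bytes(rnd.choices(range(97, 123), k=rnd.randint(3, 9)))
             for _ in range(500)]
    out = bytearray()
    while len(out) < size:
        out += rnd.choice(words) + b" "
    return bytes(out[:size])


def demo():
    """Two acquisitions of one disk that differ in a single sector."""
    run1 = make_disk(seed=1)
    run2 = bytearray(run1)
    run2[4096:4608] = bytes(512)  # one sector changed between the runs
    run2 = bytes(run2)
    raw = dedup_ratio([run1, run2])
    packed = dedup_ratio([compress_chunked(run1), compress_chunked(run2)])
    return raw, packed


if __name__ == "__main__":
    raw, packed = demo()
    print(f"raw images:        {raw:.2f}x")
    print(f"compressed images: {packed:.2f}x")
```

In this model the changed sector alters the length of the first compressed chunk, which shifts everything after it off the block boundaries, so the compressed pair shares no aligned blocks while the raw pair differs in exactly one.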

John Doe?

  • Posted on January 24, 2012 at 10:50

Although I didn’t want to contribute to the contest, this step was too easy not to take:

Found a JPEG-Header, did some copy-pasting et voila!

Could this be our guy?

PostgreSQL, Perl and Ubuntu

  • Posted on December 25, 2011 at 22:59

Make it work

# apt-get install postgresql postgresql-contrib
# apt-get install libpq-dev
cpan> install DBD::Pg
$ sudo su postgres -c psql template1
template1=# ALTER USER postgres WITH PASSWORD 'password';
template1=# \q
$ sudo passwd -d postgres
$ sudo su postgres -c passwd
$ sudo su postgres -c psql < /usr/share/postgresql/8.4/contrib/adminpack.sql

From iPhone to Galaxy: MP3

  • Posted on December 25, 2011 at 19:39

Since I am pretty damn disappointed in my iPhone (thanks to Apple, who took my freedom), I decided, although it hurt, to put aside this infernal machine and switch to a Samsung Galaxy ACE. Imagine how desperate I was!

But first I had to copy over my stuff! Let’s start with the music…
It’s really easy, just follow the next thousand steps!


  • Install Apple Developer Tools
  • Install MacPorts (http://www.macports.org)
  • Install sshfs
    ($ sudo port -v install sshfs)
  • Jailbreak your iPhone (http://www.youtube.com/watch?v=04zUl-zZnXk)
  • Mount your iPhone using sshfs, assuming your iPhone has IP:
    ($ mkdir /Volumes/iPhone; sudo sshfs root@ /Volumes/iPhone)
  • Create a temporary directory for your Music
    (mkdir ~/Desktop/mp3s)
  • Copy your precious music
    (cp -v `find /Volumes/iPhone/private/var/mobile/Media/iTunes_Control/Music -iname \*\.mp3` ~/Desktop/mp3s/.)
  • Install WinAmp for OS X (download here)
  • Connect your Galaxy ACE to your Mac using USB
  • Make the MicroSD-card available for writing on your ACE
    (if everything goes well, your WinAmp will see the SD-card as a storage-medium)
  • Import your Music (from ~/Desktop/mp3s) in WinAmp
  • Select all the Music, right click and select “Send selection to Devices:ACE”
    (or whatever you called your microSD-card)

And that’s all! 🙂




Knowing your dynamic IP-address

  • Posted on July 25, 2011 at 18:53

The troubling situation
Being a nerd, there is nothing more frustrating than having a dynamic IP-address.
Being a nerd and doing some hosting locally actually makes it even worse!

There’s not much use to running services like Apache or Sendmail with an IP-address that changes at random times.
Random in this particular case means: “When we of Ziggo want it to!”.

Alert by email
So what you basically want is to be alerted whenever your IP has changed.
I wrote some perl-code that does exactly that! And as a bonus, it does some handy logging.
The script can be initiated from command-line, but the best way is making a cronjob of course.

Realworld example
I created two new e-mail addresses: newipkrusjme@gmail.com and newipkrusjme@hotmail.com. Both addresses are now configured on my iPhone to receive all mail automatically.
In the cron, I set it to run as an hourly job.
And then I did “the Dutch approach“…

Thanks to Vim it was quite easy to make the source code readable using :TOhtml.
If you love to see the amazing Vim-output or you’re actually seriously interested: You can find the sourcecode here: http://www.krusj.nl/files/newip-2.0.pl.html
Download directly: http://www.krusj.nl/files/newip-2.0.pl


  • download the script, (for example to /usr/local/bin)
  • change the email-addresses to your preferred ones,
  • change the interface-card, (eth1, eth0 or whatever)
  • mkdir /var/log/newip /var/newip,
  • chmod 755 /usr/local/bin/newip-2.0.pl,

Testing / Forcing
If you want to test it, just run the script from command-line using:
# /usr/local/bin/newip-2.0.pl --force-mail