RE: DD -> Netcat NT Imaging

From: Estes, Matt CPR / FCBS (Matt.Estesat_private)
Date: Fri May 31 2002 - 11:46:50 PDT


    Yes.  I imaged a couple gigs of data from Win2000 NTFS to my linux box (on a
    second hard drive).  I reviewed a couple of samples from both drives using
    "dd if=\dev\hdb1 count=100 | hexdump" .  That's when I thought I noticed the
    byte swap.... wait? MAYBE NOT?!
    
    It is likely the default "hexdump" output on linux was swapping the bytes
    and the "conv=swab" argument is unnecessary.  I wrote a new format file to
    use with hexdump:
    
    "%07.7_Ax\n"
    "%07.7_Ax	" 16/1 "%02x " "\n"
    
    compared with the default that swapped bytes (takes in two-byte chunks):
    
    "%07.7_Ax\n"
    "%07.7_Ax	" 8/2 "%04x " "\n"
    
    It seems to work great WITHOUT the "conv=swab" argument.
    
    Matt
    
    > -----Original Message-----
    > From: Keith Tyler [mailto:ktylerat_private]
    > Sent: Friday, May 31, 2002 2:00 PM
    > To: 'Estes, Matt CPR / FCBS'; forensicsat_private
    > Subject: RE: DD -> Netcat NT Imaging
    > 
    > 
    > Have you tried this yet?
    > 
    > -----Original Message-----
    > From: Estes, Matt CPR / FCBS [mailto:Matt.Estesat_private]
    > Sent: Friday, May 31, 2002 9:33 AM
    > To: forensicsat_private
    > Subject: DD -> Netcat NT Imaging
    > 
    > 
    > Just wanted to know the forensics comments for doing the following.  The
    > practical applications are amazing (and free), but maybe I'm just catching
    > up with the norm.
    > 
    > Run "nc -l -p 4000 | dd of=/dev/hdb1 bs=512 conv=swab" to set up a netcat
    > server piping to hdb1 partition on my linux box.
    > 
    > Run "dd.exe if=\\.\C: bs=512 | nc.exe a.b.c.d 4000" on my Win 2000 box.
    > 
    > swab option was necessary because somewhere along the way the bytes were
    > swapped (network ordering? compiler differences with nc.exe?).
    > 
    > Instant bit copy of the partition across the network... and no annoying
    > overhead.  I believe this would work as live imaging of harddrives for
    > analysis (comments appreciated).  But, it's also a network drive imaging
    > system that fits on a floppy and works between OS's.
    > 
    > Matt
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
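A worked illustration of the point in Matt's reply, added here and not part of the original thread: hexdump's default 8/2 "%04x" format reads each two-byte unit as a native little-endian short, so the dump looks swapped while the bytes on disk are in file order, and conv=swab would actually reorder them in the image. The sample bytes are constructed (a fake NTFS boot-sector prefix), and the hash comparison at the end is the check an examiner should rely on instead of eyeballing a dump.

```python
"""Why hexdump's default output looks byte-swapped, and what conv=swab would
really do to an image. Sample bytes below are constructed, not a real image."""
import hashlib
import struct

# Constructed: first 16 bytes of a fake NTFS boot sector (jump + OEM ID + BPB start).
SAMPLE = b"\xeb\x52\x90NTFS    \x00\x02\x08\x00\x00"

def hexdump_words(data: bytes, width: int = 16) -> list[str]:
    """Emulate hexdump's default '8/2 "%04x "' format: each 2-byte unit is read
    as a native unsigned short (little-endian on x86), so the byte at the lower
    offset is printed last and the dump *looks* swapped. A trailing odd byte is
    ignored here for simplicity."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        words = struct.unpack(f"<{len(chunk) // 2}H", chunk[:len(chunk) // 2 * 2])
        lines.append(f"{off:07x} " + " ".join(f"{w:04x}" for w in words))
    return lines

def hexdump_bytes(data: bytes, width: int = 16) -> list[str]:
    """Emulate the '16/1 "%02x "' format from the reply: one byte per unit,
    printed in file order, so no apparent swap."""
    return [f"{off:07x} " + " ".join(f"{b:02x}" for b in data[off:off + width])
            for off in range(0, len(data), width)]

def swab(data: bytes) -> bytes:
    """Emulate dd conv=swab: exchange every pair of input bytes. As in dd, a
    trailing odd byte is copied unchanged."""
    out = bytearray(data)
    for i in range(0, len(data) - 1, 2):
        out[i], out[i + 1] = data[i + 1], data[i]
    return bytes(out)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def image_matches(source: bytes, image: bytes) -> bool:
    """The check an examiner should rely on: compare hashes of source and image
    rather than eyeballing a dump whose format may mislead."""
    return sha256(source) == sha256(image)

if __name__ == "__main__":
    print("default 8/2 dump   :", hexdump_words(SAMPLE)[0])        # looks swapped
    print("16/1 dump          :", hexdump_bytes(SAMPLE)[0])        # true file order
    print("8/2 dump of swab'd :", hexdump_words(swab(SAMPLE))[0])  # looks "fixed"
    print("swab'd image matches source:", image_matches(SAMPLE, swab(SAMPLE)))
```

The third line of output is the trap: a swab'd image reads "correctly" in the default dump precisely because it has been corrupted, which the hash comparison exposes immediately.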



    This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 04:32:35 PDT