Some links of where to get the tools:

dd.exe - http://www.weihenstephan.de/~syring/win32/UnxUtils.html
netcat.exe - http://www.atstake.com/research/tools/#network_utilities

Matt

> -----Original Message-----
> From: Estes, Matt CPR / FCBS
> Sent: Friday, May 31, 2002 2:47 PM
> To: 'Keith Tyler'; Estes, Matt CPR / FCBS; forensicsat_private
> Subject: RE: DD -> Netcat NT Imaging
>
>
> Yes. I imaged a couple gigs of data from Win2000 NTFS to my
> linux box (on a second hard drive). I reviewed a couple of
> samples from both drives using "dd if=\dev\hdb1 count=100 |
> hexdump". That's when I thought I noticed the byte swap....
> wait? MAYBE NOT?!
>
> It is likely the default "hexdump" output on linux was
> swapping the bytes and the "conv=swab" argument is
> unnecessary. I wrote a new format file to use with hexdump:
>
> "%07.7_Ax\n"
> "%07.7_Ax " 16/1 "%02x " "\n"
>
> compared with the default that swapped bytes (takes in
> two-byte chunks):
>
> "%07.7_Ax\n"
> "%07.7_Ax " 8/2 "%04x " "\n"
>
> It seems to work great WITHOUT the "conv=swab" argument.
>
> Matt
>
> > -----Original Message-----
> > From: Keith Tyler [mailto:ktylerat_private]
> > Sent: Friday, May 31, 2002 2:00 PM
> > To: 'Estes, Matt CPR / FCBS'; forensicsat_private
> > Subject: RE: DD -> Netcat NT Imaging
> >
> >
> > Have you tried this yet?
> >
> > -----Original Message-----
> > From: Estes, Matt CPR / FCBS [mailto:Matt.Estesat_private]
> > Sent: Friday, May 31, 2002 9:33 AM
> > To: forensicsat_private
> > Subject: DD -> Netcat NT Imaging
> >
> >
> > Just wanted to know the forensics comments for doing the
> > following. The practical applications are amazing (and free),
> > but maybe I'm just catching up with the norm.
> >
> > Run "nc -l -p 4000 | dd of=/dev/hdb1 bs=512 conv=swab" to
> > set up a netcat server piping to hdb1 partition on my linux box.
> >
> > Run "dd.exe if=\\.\C: bs=512 | nc.exe a.b.c.d 4000" on my Win
> > 2000 box.
> >
> > swab option was necessary because somewhere along the way the
> > bytes were swapped (network ordering? compiler differences
> > with nc.exe?).
> >
> > Instant bit copy of the partition across the network... and
> > no annoying overhead. I believe this would work as live imaging
> > of hard drives for analysis (comments appreciated). But, it's
> > also a network drive imaging system that fits on a floppy and
> > works between OS's.
> >
> > Matt
> >
> > -----------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
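An added example, not part of the thread above, that reproduces the confusion Matt describes: hexdump's default 8/2 "%04x" format reads each byte pair as a little-endian 16-bit word, so a faithful image looks byte-swapped, while a copy that really was run through "conv=swab" looks correct in exactly that view. It also shows the check an examiner should rely on instead of eyeballing sectors: a digest over the whole stream. The 16-byte sample is constructed, not taken from any disk.

```python
import hashlib

# Constructed 16-byte sample, not taken from any real disk: ASCII makes
# the word-vs-byte display difference obvious at a glance.
SAMPLE = b"NTFS boot sector"


def hexdump_default(data):
    """hexdump's default format, 8/2 "%04x": each byte pair is read as a
    little-endian 16-bit word, so the bytes 'N','T' print as 544e."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        words = [int.from_bytes(chunk[i:i + 2], "little")
                 for i in range(0, len(chunk), 2)]
        lines.append(f"{off:07x} " + " ".join(f"{w:04x}" for w in words))
    return lines


def hexdump_bytewise(data):
    """The 16/1 "%02x" format file from the thread: one byte at a time,
    in stored order, so nothing looks swapped."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        lines.append(f"{off:07x} " + " ".join(f"{b:02x}" for b in chunk))
    return lines


def swab(data):
    """What dd conv=swab does to the stream: exchange each pair of input
    bytes (an odd trailing byte is left in place)."""
    out = bytearray(data)
    for i in range(0, len(out) - 1, 2):
        out[i], out[i + 1] = out[i + 1], out[i]
    return bytes(out)


def image_matches(source, copy):
    """Verify the copy by a digest of the whole stream, not by eyeballing
    a few sectors: a swabbed image can look right in the wrong viewer."""
    return hashlib.sha256(source).digest() == hashlib.sha256(copy).digest()


if __name__ == "__main__":
    print("default view of a faithful copy:", hexdump_default(SAMPLE)[0])
    print("byte view of a faithful copy:   ", hexdump_bytewise(SAMPLE)[0])
    # The trap: a swabbed image seen byte-wise prints the same hex as the
    # faithful image seen in the default view; the viewer, not the data,
    # was doing the "swapping".
    print("byte view of a swabbed copy:    ", hexdump_bytewise(swab(SAMPLE))[0])
    print("swabbed copy verifies:", image_matches(SAMPLE, swab(SAMPLE)))
```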
This archive was generated by hypermail 2b30 : Mon Jun 03 2002 - 04:34:06 PDT