Shameless plug warning: As described in Chapter 11 of Computer Forensics: Incident Response Essentials, we used dd and netcat to copy an image of one of the filesystems over our lab LAN to our analysis machine. unrm operates on an entire filesystem, so it wasn't necessary to use mount; we just ran unrm against the filesystem image, making sure that we redirected the output to a filesystem with enough room. Then we started lazarus -h and left for lunch.

-wk

-----Original Message-----
From: Estes, Matt CPR / FCBS [mailto:Matt.Estesat_private]
Sent: Friday, May 31, 2002 12:33 PM
To: forensicsat_private
Subject: DD -> Netcat NT Imaging

Just wanted to know the forensics comments for doing the following. The practical applications are amazing (and free), but maybe I'm just catching up with the norm.

Run "nc -l -p 4000 | dd of=/dev/hdb1 bs=512 conv=swab" to set up a netcat server piping to the hdb1 partition on my Linux box.

Run "dd.exe if=\\.\C: bs=512 | nc.exe a.b.c.d 4000" on my Win 2000 box.

The swab option was necessary because somewhere along the way the bytes were swapped (network ordering? compiler differences with nc.exe?). Instant bit copy of the partition across the network... and no annoying overhead.

I believe this would work as live imaging of hard drives for analysis (comments appreciated). But it's also a network drive imaging system that fits on a floppy and works between OSes.

Matt

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
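Worked example, added here and not taken from either message: how an examiner verifies a dd acquisition before relying on it, and what the conv=swab option from the thread actually does to the bytes. It assumes a Linux host with POSIX sh, dd, sha256sum and mktemp; the netcat hop is left out so the script runs offline, and the checks are the same with or without it.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumes Linux with
# POSIX sh, dd, sha256sum and mktemp; the netcat transport is omitted so
# this runs offline, the integrity checks are unchanged either way.
set -eu

# Constructed sample "partition": 128 blocks of 512 bytes (64 KiB).
make_sample_partition() {
    f=$(mktemp)
    dd if=/dev/urandom of="$f" bs=512 count=128 2>/dev/null
    printf '%s\n' "$f"
}

# SHA-256 of a file or block device, hex digest only.
sha_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Acquire SRC into DST block by block, then prove the copy matches the
# source before anything else is done with it. Returns 0 on a match and
# leaves a DST.sha256 sidecar so the image can be re-verified later.
acquire() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=512 2>/dev/null
    sync
    s=$(sha_of "$src"); d=$(sha_of "$dst")
    printf '%s  %s\n' "$s" "$src" >"$dst.sha256"
    [ "$s" = "$d" ] && { echo "verified $dst"; return 0; }
    echo "MISMATCH: $src=$s $dst=$d" >&2
    return 1
}

# conv=swab swaps every byte pair, so an image written with it will not
# hash like its source; swapping it again restores the original bytes
# (dd leaves an odd trailing byte, if any, in place). Compare hashes
# only after both sides are in the same byte order.
swab_roundtrip() {
    src=$1; once=$(mktemp); twice=$(mktemp)
    dd if="$src" of="$once" bs=512 conv=swab 2>/dev/null
    dd if="$once" of="$twice" bs=512 conv=swab 2>/dev/null
    [ "$(sha_of "$src")" != "$(sha_of "$once")" ] || return 1
    [ "$(sha_of "$src")" = "$(sha_of "$twice")" ] || return 1
    rm -f "$once" "$twice"
    echo "swab round-trip restores the source"
}
```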
This archive was generated by hypermail 2b30 : Tue Jun 11 2002 - 10:53:47 PDT