RE: DD -> Netcat NT Imaging

From: Ken Seitz (kenat_private)
Date: Sun Jun 16 2002 - 04:46:56 PDT


    First, Biatchux is a great tool!  Thanks for bringing it to my
    attention!
    
    Now then, I've been attempting to image a Linux system using the method
    being discussed, but I'm unable to mount the drive after the image is
    copied.
    
    Box booting on Biatchux:
    	fdisk /dev/hda (nuke and create a partition)
    	mke2fs /dev/hda3
    	nc -l -p 4000 | dd of=/dev/hda3 bs=512
    System to be copied:
    	dd if=/dev/sda1 bs=512 | nc a.b.c.d 4000
    
    I get an invalid superblock error when trying to mount /dev/hda3 on the
    system receiving the image.  I've tried dd with and without the
    'conv=swab' option.  Can you folks suggest something that I am
    overlooking here?  Do my partitions have to be the same exact geometry?
    
    Thanks in advance for the assistance.
    
    Regards,
    Ken Seitz
    kenat_private
    
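Added example, not from the thread: a Python check to run on the received image before trying to mount it, since an "invalid superblock" can mean the bytes did not arrive as sent. It hashes the image in dd-sized chunks for comparison with a hash of the source partition, reads the ext2 superblock at offset 1024 to tell a good magic from one byte-swapped by conv=swab, and compares the filesystem size recorded there with the destination partition so a too-small target is caught. The sample image it builds is constructed for the demo and is not a real mke2fs filesystem.

```python
import hashlib, os, struct, tempfile

EXT2_MAGIC = 0xEF53        # stored little-endian, so bytes 53 EF at offset 1080 of the partition
SUPERBLOCK_OFFSET = 1024   # the ext2 primary superblock sits 1 KiB into the partition

def sha256_of(path, bs=512):
    """Hash a file in dd-sized chunks; run the same over the source partition and compare."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(bs), b""):
            h.update(chunk)
    return h.hexdigest()

def inspect_superblock(path):
    """Classify the superblock area of an image: ok, byte-swapped, or no ext2 magic."""
    with open(path, "rb") as f:
        sb = f.read(SUPERBLOCK_OFFSET + 1024)[SUPERBLOCK_OFFSET:]
    if len(sb) < 1024:
        return {"status": "too-short"}
    magic, = struct.unpack_from("<H", sb, 56)            # s_magic
    if magic == 0x53EF:                                   # the two magic bytes arrived swapped
        return {"status": "byte-swapped", "magic": magic}
    if magic != EXT2_MAGIC:
        return {"status": "no-ext2-magic", "magic": magic}
    blocks_count, = struct.unpack_from("<I", sb, 4)       # s_blocks_count
    log_block_size, = struct.unpack_from("<I", sb, 24)    # s_log_block_size (block = 1024 << n)
    fs_bytes = blocks_count * (1024 << log_block_size)
    return {"status": "ok", "magic": magic, "blocks_count": blocks_count, "fs_bytes": fs_bytes}

def fits_target(info, target_bytes):
    # True when the filesystem the superblock describes fits inside the destination partition
    return info["status"] == "ok" and info["fs_bytes"] <= target_bytes

def build_sample_image(path, blocks_count, swab=False):
    """Constructed sample: zeros plus a minimal 1 KiB-block superblock (not a real mke2fs image)."""
    image = bytearray(blocks_count * 1024)
    struct.pack_into("<I", image, SUPERBLOCK_OFFSET + 4, blocks_count)
    struct.pack_into("<H", image, SUPERBLOCK_OFFSET + 56, EXT2_MAGIC)
    if swab:                                              # emulate dd conv=swab: swap every byte pair
        even, odd = image[0::2], image[1::2]
        image[0::2], image[1::2] = odd, even
    with open(path, "wb") as f:
        f.write(image)

def demo():
    """Inspect a plain and a byte-swapped copy of the constructed sample image."""
    r = {}
    with tempfile.TemporaryDirectory() as d:
        plain, swapped = os.path.join(d, "hda3.img"), os.path.join(d, "hda3_swab.img")
        build_sample_image(plain, 1024)
        build_sample_image(swapped, 1024, swab=True)
        r["plain"], r["swapped"] = inspect_superblock(plain), inspect_superblock(swapped)
        r["same_hash"] = sha256_of(plain) == sha256_of(swapped)
    return r
```

On a real image, compare sha256_of(image) with a sha256sum taken of the source partition, and pass the destination partition's byte size to fits_target.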
    -----Original Message-----
    From: Christopher L. T. Brown [mailto:clbrownat_private] 
    Sent: Monday, June 03, 2002 10:28 AM
    To: forensicsat_private
    Subject: RE: DD -> Netcat NT Imaging
    
    
    Matt,
    You can also achieve the desired results with "Biatchux" (bootable CD)
    available at http://biatchux.dmzs.com/. All you need do is:
    
    1. Boot from the Biatchux CD.
    2. Get a DHCP address or manually add one.
    3. Connect to a network share (Linux/SMB) for image and log storage.
    4. Map all local drives "Read Only". Always mount RO. This helps with your
    discussion below as well as other issues regarding integrity.
    5. For now you'll need to open up another console and execute your dd
    statement:
        "dd if=/dev/hda of=/data/hda_image.eve"
    
    Biatchux is still a work in progress, but it is very useful now and
    offers a lot of promise. 
    
    
    Christopher L. T. Brown
    Technology Pathways LLC
    Makers of ProDiscover DFT
    clbrownat_private
    Phone: 619-435-0906
    http://www.TechPathways.com
    
    
    > -----Original Message-----
    > From: Estes, Matt CPR / FCBS [mailto:Matt.Estesat_private]
    >
    > Dangers of dd (aka. Delete Drive)...
    > It only takes one typo to ruin an entire drive with dd (like
    > dd of=\\.\C:
    > instead of dd if=\\.\C:).  I'm using two unused partitions 
    > for testing.
    > 
    > Imaging a drive...
    > Replacing "if=\\.\C:" with "if=\\.\PhysicalDrive0" on the
    > windows side.
    > Thanks for the info from Mr. Syring... and thanks for porting 
    > this dd.exe.
    > Replacing "of=/dev/hdb1" with "of=/dev/hdb".
    > Again, dd is dangerous and now your entire drive is 
    > vulnerable to a typo,
    > and not just one unused partition.  I have NOT tested this.
    > 
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sun Jun 16 2002 - 18:51:33 PDT