Re: DD -> Netcat NT Imaging

From: Ian Macdonald (secforensicsat_private)
Date: Thu Sep 12 2002 - 09:11:06 PDT


    I know this thread is a little old, but I am starting to do some analysis on
    a live machine. I am using @stake's Autopsy to view the dd images I took of
    the hard drive using netcat and dd.
    
    One issue I have is that I get this error:
    /usr/local/task/bin/fls: read block read error (8192@2148171776):Success
    which makes me think that I am not closing the connection properly. How do
    people end the netcat session once the DD has reported all the data blocks
    that it has read?
    
    Also, I see a lot of files that are in red, which means that they are
    deleted, but all the files have a zero inode. Is it possible to recover
    deleted files from a Solaris partition?
    
    Thanks
    
    Ian
    ----- Original Message -----
    From: "Estes, Matt CPR / FCBS" <Matt.Estesat_private>
    To: <forensicsat_private>
    Sent: Friday, May 31, 2002 12:32 PM
    Subject: DD -> Netcat NT Imaging
    
    
    > Just wanted to know the forensics comments for doing the following.  The
    > practical applications are amazing (and free), but maybe I'm just catching
    > up with the norm.
    >
    > Run "nc -l -p 4000 | dd of=/dev/hdb1 bs=512 conv=swab" to set up a netcat
    > server piping to hdb1 partition on my Linux box.
    >
    > Run "dd.exe if=\\.\C: bs=512 | nc.exe a.b.c.d 4000" on my Win 2000 box.
    >
    > swab option was necessary because somewhere along the way the bytes were
    > swapped (network ordering? compiler differences with nc.exe?).
    >
    > Instant bit copy of the partition across the network... and no annoying
    > overhead.  I believe this would work as live imaging of hard drives for
    > analysis (comments appreciated).  But, it's also a network drive imaging
    > system that fits on a floppy and works between OS's.
    >
    > Matt
    >
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    



    This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 09:15:24 PDT
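
An added example, not part of the original messages: one way to check whether a dd-over-netcat image arrived complete before blaming the analysis tool. It assumes the numbers in the fls error are read length and byte offset (LEN@OFFSET) and that the sending dd prints a GNU-style "N+M records in" summary; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: sanity checks for an image received with "dd | nc".
# Assumption: "(LEN@OFFSET)" in the fls error is read length and byte offset.

# check_read_in_image IMAGE "ERROR LINE"
# Prints "truncated" if the failed read lies past the end of the image file,
# "in-range" otherwise. Returns 2 if no LEN@OFFSET pair is found.
check_read_in_image() {
    image=$1
    errline=$2
    pair=$(printf '%s\n' "$errline" |
        sed -n 's/.*(\([0-9][0-9]*\)@\([0-9][0-9]*\)).*/\1 \2/p')
    [ -n "$pair" ] || return 2
    len=${pair% *}
    off=${pair#* }
    size=$(wc -c < "$image" | tr -d ' ')
    if [ $((off + len)) -gt "$size" ]; then
        echo "truncated"
    else
        echo "in-range"
    fi
}

# expected_bytes "N+M records in" BS
# Bytes the sending dd read, usable only when there were no partial records
# (M = 0); a partial record has an unknown size, so return 2 in that case.
expected_bytes() {
    full=${1%%+*}
    rest=${1#*+}
    partial=${rest%% *}
    [ "$partial" = "0" ] || return 2
    echo $((full * $2))
}

# Demo on a constructed 8192-byte file standing in for the received image.
img=$(mktemp)
dd if=/dev/zero of="$img" bs=512 count=16 2>/dev/null
check_read_in_image "$img" \
    '/usr/local/task/bin/fls: read block read error (8192@2148171776):Success'
echo "sender read: $(expected_bytes '16+0 records in' 512) bytes," \
     "receiver has: $(wc -c < "$img" | tr -d ' ') bytes"
rm -f "$img"
```

If the received file is smaller than the byte count implied by the sender's dd summary, the image is incomplete and should be reacquired; comparing a hash of the source and the image settles the question when the sizes match.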