I know this thread is a little old, but I am starting to do some analysis on a live machine. I am using @stake's Autopsy to view the dd images I took of the hard drive using netcat and dd. One problem I have is I get this error:

/usr/local/task/bin/fls: read block read error (8192@2148171776):Success

which makes me think that I am not closing the connection properly. How do people end the netcat session once the DD has reported all the data blocks that it has read?

Also, I see a lot of files that are in red, which means that they are deleted, but all the files have a zero inode. Is it possible to recover deleted files from a Solaris partition?

Thanks
Ian

----- Original Message -----
From: "Estes, Matt CPR / FCBS" <Matt.Estesat_private>
To: <forensicsat_private>
Sent: Friday, May 31, 2002 12:32 PM
Subject: DD -> Netcat NT Imaging

> Just wanted to know the forensics comments for doing the following. The
> practical applications are amazing (and free), but maybe I'm just catching
> up with the norm.
>
> Run "nc -l -p 4000 | dd of=/dev/hdb1 bs=512 conv=swab" to setup a netcat
> server piping to hdb1 partition on my linux box.
>
> Run "dd.exe if=\\.\C: bs=512 | nc.exe a.b.c.d 4000" on my Win 2000 box.
>
> swab option was necessary because somewhere along the way the bytes were
> swapped (network ordering? compiler differences with nc.exe?).
>
> Instant bit copy of the partition across the network... and no annoying
> overhead. I believe this would work as live imaging of harddrives for
> analysis (comments appreciated). But, it's also a network drive imaging
> system that fits on a floppy and works between OS's.
>
> Matt
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
> -----------------------------------------------------------------
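Added example, not part of the original posts: a POSIX shell helper that checks where a `LEN@OFFSET` pair, such as the `8192@2148171776` in the error quoted above, falls relative to the image file's actual size, which separates a truncated transfer from a failed read inside the image. It assumes the pair means "LEN bytes requested at byte OFFSET"; `image_size` and `classify_read` are hypothetical names.

```shell
#!/bin/sh
# Added example: classify a "LEN@OFFSET" read error against an image file.
# Assumption: the pair in the error text is "LEN bytes at byte OFFSET".

# image_size FILE -> size in bytes (wc -c is portable to Linux and Solaris)
image_size() {
    wc -c < "$1" | tr -d ' '
}

# classify_read IMAGE LEN@OFFSET
# Prints one of:
#   inside   - the whole request lies within the image
#   short    - the request starts inside the image but runs past its end
#   past_end - the request starts at or beyond the end of the image
#   bad_spec / no_image - unusable arguments (return status 2)
classify_read() {
    img=$1
    spec=$2
    # Accept exactly digits, one '@', digits.
    case $spec in
        *[!0-9@]*|*@*@*|@*|*@|'') echo bad_spec; return 2 ;;
        *@*) ;;
        *) echo bad_spec; return 2 ;;
    esac
    [ -r "$img" ] || { echo no_image; return 2; }
    len=${spec%@*}
    off=${spec#*@}
    size=$(image_size "$img")
    if [ "$off" -ge "$size" ]; then
        echo past_end      # image is shorter than the file system expects
    elif [ $((off + len)) -gt "$size" ]; then
        echo short         # image ends in the middle of this block
    else
        echo inside        # size is fine; look for a real I/O problem
    fi
}

# Stand-alone use: ./check.sh IMAGE LEN@OFFSET
if [ $# -eq 2 ]; then
    classify_read "$1" "$2"
fi
```

A `past_end` or `short` result means the image holds fewer bytes than the file system's metadata refers to, so compare its size with the source partition's size before analysing it further.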
This archive was generated by hypermail 2b30 : Thu Sep 12 2002 - 09:15:24 PDT