> 1. From Linux, I am unable to mount the NTFS partitions, so how do I
> know which /dev/hda* is NTFS etc.

A quick way, if you're on a trusted system, is to "fdisk -l /dev/hda".

> 2. If I make a guess and dd /dev/hda4 (which happens to be NTFS), how to
> mount later? As Linux does not recognise NTFS

Many free utilities (such as @stake's TASK, http://www.atstake.com/research/tools/task/, etc.) can mount and examine NTFS partitions. It's included in the F.I.R.E./Biatchux distribution (along with a ton of other useful utilities - http://biatchux.dmzs.com/?section=main).

> 3. Any suggestions how to dd NTFS when the system does not have Linux
> installed, nor do you want to install Linux (or any UNIX for that
> matter)

http://users.erols.com/gmgarner/forensics/ has some excellent utilities for this, including a modified dd for win32 and netcat (both include md5summing) for writing the image to a trusted system. (I.e.: "dd.exe if=\\.\PhysicalDrive0 | 10.10.10.10 6969")

This version of dd allows you to easily image the system's memory contents as well. Just remember not to use the cmd.exe on the compromised system for running these tools.

Hth!

-gary

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
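The dd-to-trusted-host pipeline described in the reply above, as an added shell example that is not part of the original post or of the Garner tools: it reads the evidence once, hashes the stream in flight on the sender side, and checks the receiver's copy against that hash. A constructed file stands in for the device, and `cat > file` stands in for the netcat listener on the trusted system, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Images a source once with dd,
# forwards the bytes to a receiver and hashes the same stream in flight via a
# FIFO (POSIX, avoids bash-only process substitution), then verifies the
# receiver's copy hashes identically before the image is trusted as evidence.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed "evidence device": 1 MiB of a recognisable pattern.
# On a real system this would be /dev/hda4 or \\.\PhysicalDrive0.
EVIDENCE="$WORK/evidence.img"
yes "NTFS-sample-block" | head -c 1048576 > "$EVIDENCE"

# image_and_verify SOURCE DEST
# Prints "OK <md5>" and returns 0 when sender and receiver hashes agree.
image_and_verify() {
    src=$1; dest=$2
    fifo="$WORK/hash.fifo"
    rm -f "$fifo"; mkfifo "$fifo"

    # Sender-side hash of the stream exactly as it leaves dd.
    md5sum < "$fifo" | cut -d' ' -f1 > "$WORK/sender.md5" &
    hasher=$!

    # Receiver stand-in: on the trusted host this would be
    # `nc -l -p 6969 > image.dd`, and the pipe target here `nc HOST 6969`.
    dd if="$src" bs=64k 2>/dev/null | tee "$fifo" | cat > "$dest"
    wait "$hasher"

    sender=$(cat "$WORK/sender.md5")
    receiver=$(md5sum "$dest" | cut -d' ' -f1)
    if [ "$sender" = "$receiver" ]; then
        echo "OK $sender"; return 0
    fi
    echo "MISMATCH sender=$sender receiver=$receiver" >&2
    return 1
}

# verify_received MD5 FILE
# Re-checks a stored image against the hash recorded at acquisition time;
# returns 1 if the file no longer matches (e.g. it was altered afterwards).
verify_received() {
    [ "$(md5sum "$2" | cut -d' ' -f1)" = "$1" ]
}
```

Record the printed md5 with the image; any later `verify_received` failure means the copy can no longer be tied to what left the compromised host.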
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:54:15 PST