RE: Using dd.exe to make forensic images of NTFS drives

From: Sakaba (Sakabaat_private)
Date: Tue Aug 12 2003 - 03:14:59 PDT

  • Next message: Christopher Brown: "RE: Using dd.exe to make forensic images of NTFS drives"

    Thanks Jeff,
    
    I think the best solutions for investigating without downing the system
    that I've heard so far are:
    
    1] Mirror disks if you have them - just pull out and put in another
    machine to examine
    2] Encase - expensive but can do the job
    3] Win32 binaries of Sleuthkit - don't have to down the system but need to
    copy over files which is annoying
    
    It would be nice to be able to reboot into Linux, but the fact is servers
    exist to perform a business function, and unless I can prove from the
    volatile data that the machine is definitely compromised there is no way
    in hell that anyone would let me down them.  It's where business reality
    and forensic best practices unfortunately have to clash.
    
    Thanks everyone for all your comments,
    sakaba
    
    -----Original Message-----
    From: Reava, Jeffrey [IT/0200] [mailto:jeffrey.reavaat_private]
    Sent: Tuesday, August 12, 2003 5:49 AM
    To: 'Sakaba'; forensicsat_private
    Subject: RE: Using dd.exe to make forensic images of NTFS drives
    
    
    
    Sending an image out using dd and netcat may effectively make the system
    unusable from a production standpoint while the image is being transferred,
    and the malware will be running the whole time you're imaging and
    analyzing.
    
    Win32 binaries of Sleuthkit utilities (www.sleuthkit.org) work on system
    partitions (almost) as well as on image files. They'll give you more
    information than the usual volatile sources without having to wait for an
    image to complete. You can check every binary and copy off those that are
    suspicious, and use prebuilt hash sets/config files to make sure that you're
    only sending off the types of files that are relevant to the examination.
    
    It'll still spike your processor & disk utilization, but it should give
    enough information to decide between leaving the system up or taking it
    down for proper imaging.
    
    Jeff
    
    -----Original Message-----
    From: Sakaba [mailto:sakabaat_private]
    Sent: Monday, August 11, 2003 4:53 AM
    To: forensicsat_private
    Subject: Re: Using dd.exe to make forensic images of NTFS drives
    
    
    
    Hi everyone,
    
    Thanks for your responses.
    
    I've tested with bootable Linux (FIRE, Knoppix STD) and using
    the dd command works fine.  It's just using dd.exe while live on
    Windows.
    
    Some of you asked why I would want to do that.  The reason is
    taking down servers to do investigations is not something we
    want to do unless we have a lot of evidence that it is life or
    death to begin with.  You don't know this purely from examining
    the volatile data sources.  I want the capability to take live
    images of Windows machines without having to reboot them and
    without having to use their binaries.  The FIRE CD's forensic
    shell can be started simply by inserting the CD and pressing the
    button off autorun.  It uses its own binaries and other than the
    minor changes from inserting the CD doesn't make changes that I
    would care about.  I just wish it worked.
    
    Does anyone know of a tried and tested method of taking a live
    image off a running Windows machine without taking it offline or
    rebooting to a Linux CD or anything else that would disrupt
    operations?
    
    Thanks,
    Sakaba
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
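Jeff's suggestion of checking every binary against a prebuilt hash set so that only relevant files get copied off, as an added example that is not part of this thread: a small Python script that walks a tree, keeps only PE executables by their MZ header, and reports those whose hash is absent from the known-good set. The use of SHA-1, the hash set as a plain set of hex digests, and the sample files are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile


def sha1_of(path):
    """Hash the file in chunks so large binaries never need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_pe(path):
    """Classify by content, not extension: a renamed .exe still starts with 'MZ'."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def triage(root, known_hashes):
    """Return relative paths of PE files whose hash is not in the known-good set."""
    suspicious = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if is_pe(path) and sha1_of(path) not in known_hashes:
                suspicious.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(suspicious)


def demo():
    """Constructed sample tree: one known PE, one unknown PE, one text file."""
    root = tempfile.mkdtemp()
    samples = {
        "bin/known.exe": b"MZ" + b"\x90" * 64,    # hash goes into the known set
        "bin/dropped.exe": b"MZ" + b"\xcc" * 64,  # same type, not in the set
        "notes.txt": b"plain text, not a PE",     # wrong type, never reported
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    known = {sha1_of(os.path.join(root, "bin", "known.exe"))}
    return triage(root, known)


if __name__ == "__main__":
    print(demo())  # ['bin/dropped.exe']
```

Pointing `triage` at a live system partition still reads every file, so expect the disk and CPU spike Jeff mentions; the payoff is that only unknown executables leave the box.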
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 07:07:53 PDT