Re: Fw: Using dd.exe to make forensic images of NTFS drives

From: crazytrain (subscribeat_private)
Date: Tue Aug 12 2003 - 07:54:10 PDT


    Sakaba
    
    you can save yourself some *serious* coin and look into the Acronis True
    Image;
    
    
    http://www.acronis.com/products/trueimage/
    
    
    (not to mention if this was your system you could just have ssh and the
    cygwin utilities installed and do the same)
    
    
    regards,
    
    farmerdude
    
    
    
    On Tue, 2003-08-12 at 03:40, Jon Bair wrote:
    > Sakaba,
    > 
    > What you have outlined is a good description of the EnCase Enterprise Edition. You can image live Windows machines without taking them offline or disturbing operations.  During imaging, the processor will operate around 40 percent utilization, allowing the enterprise functions to continue and the machine can still serve data to the network.  If the EnCase servlet is not installed already as a service, you can run the trusted binary as a process in memory from removable media. You can also search, hash files, browse the file structure, etc. to triage the machine. You can also image machines across your WAN. 
    > 
    > The Windows version has been available for a year. The Linux version is installed at beta test sites, and the Unix version is in alpha. You can also examine dd images you have taken of previous drives. 
    > 
    > Several Fortune 100 companies are already using this technology, and evidence collected in this manner has been admitted in a US District Court. This is also used by law enforcement agencies executing search warrants that forbid the officers from taking networks down or disrupting business operations. 
    > 
    > You can obtain more info at http://www.guidancesoftware.com. 
    > 
    > Best,
    > Jon
    > 
    > Jonathan Bair
    > Senior Director of Product Development
    > Guidance Software
    > 
    > --------------------------
    > Sent from my BlackBerry Wireless Handheld
    > 
    > 
    > -----Original Message-----
    > From: Sakaba <sakabaat_private>
    > To: forensicsat_private <forensicsat_private>
    > Sent: Mon Aug 11 01:53:14 2003
    > Subject: Re: Using dd.exe to make forensic images of NTFS drives
    > 
    > 
    > Hi everyone,
    > 
    > Thanks for your responses.
    > 
    > I've tested with bootable linux (FIRE, Knoppix STD) and using
    > the dd command works fine.  It's just using dd.exe while live on
    > windows.
    > 
    > Some of you asked why I would want to do that.  The reason is
    > taking down servers to do investigations is not something we
    > want to do unless we have a lot of evidence that it is life or
    > death to begin with.  You don't know this purely from examining
    > the volatile data sources.  I want the capability to take live
    > images of windows machines without having to reboot them and
    > without having to use their binaries.  The FIRE cd's forensic
    > shell can be started simply by inserting the CD and pressing the
    > button off autorun.  It uses its own binaries and other than the
    > minor changes from inserting the CD doesn't make changes that I
    > would care about.  I just wish it worked.
    > 
    > Does anyone know of a tried and tested method of taking a live
    > image off a running windows machine without taking it offline or
    > rebooting to linux cd or anything else that would disrupt
    > operations?
    > 
    > Thanks,
    > Sakaba
    > --------------------------------------------------------------------------------
    > Get your free 15 Mb POP3 email @alexandria.cc
    > Click here -> http://www.alexandria.cc/
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    >  
    > 
    > 
    > 
    > 
    
    
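The dd-style acquisition the thread keeps coming back to, as an added example that is not code from any poster or from the tools named here: it reads a source in fixed blocks, logs and zero-fills an unreadable block (what `conv=noerror,sync` does), and hashes the image as it is written so the acquisition hash can be recorded with it. `FlakyDevice`, `acquire` and `demo` are assumed names; the device is a constructed in-memory stand-in for a raw disk handle.

```python
# Added example (not from the thread): a minimal dd-style forensic copy,
# mimicking `dd if=<device> of=image.dd bs=512 conv=noerror,sync` with the
# image hashed as it is written so the acquisition hash can be recorded.
import hashlib
import io

class FlakyDevice:
    """Constructed stand-in for a raw device whose sector `bad_block` fails."""
    def __init__(self, data, bad_block, block_size):
        self._buf, self._bad, self._bs = io.BytesIO(data), bad_block, block_size
    def read(self, n):
        if self._buf.tell() // self._bs == self._bad:
            raise OSError("Input/output error")
        return self._buf.read(n)
    def seek(self, pos):
        return self._buf.seek(pos)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def acquire(src, dst, block_size=512):
    """Copy src to dst block by block; return (bytes_written, bad_blocks, sha256)."""
    digest, bad_blocks, index = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(index)            # conv=noerror: log, keep going
            src.seek((index + 1) * block_size)
            chunk = b"\x00" * block_size        # conv=sync: zero-fill the hole
        if not chunk:
            break
        chunk = chunk.ljust(block_size, b"\x00")  # sync also pads a short tail
        dst.write(chunk)
        digest.update(chunk)
        index += 1
    return index * block_size, bad_blocks, digest.hexdigest()

def demo():
    """Constructed device: three full sectors plus a 100-byte tail, sector 1 bad."""
    data = b"A" * 512 + b"B" * 512 + b"C" * 512 + b"D" * 100
    image = io.BytesIO()
    result = acquire(FlakyDevice(data, bad_block=1, block_size=512), image)
    return result, image.getvalue()
```

On a live system the source keeps changing while it is read, so the recorded hash vouches for the image file as written, not for a later re-read of the disk.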
    



    This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 06:10:00 PDT