In-Reply-To: <MDEOKNCKAOFOENLIJCMJMELGCCAA.Sakabaat_private>

sakaba,

I don't want to seem problematic, but have you tried to mount the images on your forensic system with the mount command? A line like this should work:

[root@localhost root]# mount -t ntfs /windowsimage.img /mnt/windisk

where windowsimage.img is the file you have dd'ed across to the forensics machine and /mnt/windisk is a legit (unmounted) directory on your forensics system. If you can't, then there might be your answer.

Also make sure that if you are taking the whole disk (i.e. if=\\.\PhysicalDrive0) you "do the math" to make sure you skip the MBR (search the archives of this list to get more info - it is there...).

As for not taking down a box and rebooting it, the tools I use are either a floppy with dd.exe and nc.exe on it (takes about an hour per GB via cross-over cable connection) or you can use the FIRE CD and just use the Windows binaries in the <CD_drive>:\statbin\Win32\ (UNIX tools) or <CD_drive>:\Win32 (info collection) directory.

Hope this helps.

Shrink-wrap

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
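The "do the math" step in the post above (skipping the MBR when the image is of a whole PhysicalDrive rather than of one partition), as an added example that is not part of the original message or the list archive: a POSIX shell script that reads the partition table out of a dd image, computes the byte offset of partition N, and prints the matching mount line. It assumes a classic MBR partition table (not GPT) and 512-byte sectors, uses the `-o ro,loop,offset=` mount options rather than the bare command in the post, and builds a small constructed image so it runs offline; the function names (le_uint, part_start_lba, part_byte_offset, mount_command, make_demo_image) are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a classic MBR (no GPT)
# and 512-byte sectors. All function names are the example's own.

SECTOR=512

# Little-endian unsigned integer from COUNT bytes at byte offset SKIP of IMAGE.
le_uint() {
    image="$1"; skip="$2"; count="$3"
    # od prints each byte as an unsigned decimal; rebuild the integer from them
    set -- $(dd if="$image" bs=1 skip="$skip" count="$count" 2>/dev/null | od -An -tu1)
    value=0; mult=1
    for b in "$@"; do
        value=$(( value + b * mult ))
        mult=$(( mult * 256 ))
    done
    echo "$value"
}

# Exit 0 if the first sector ends with the 0x55 0xAA boot signature
# (read little-endian that is 0xAA55 = 43605).
has_mbr_signature() {
    [ "$(le_uint "$1" 510 2)" -eq 43605 ]
}

# Partition type byte of partition N (1-4); 0x07 is NTFS/HPFS.
# Each 16-byte table entry starts at byte 446 + (N-1)*16; type is at entry offset 4.
part_type() {
    le_uint "$1" $(( 446 + ($2 - 1) * 16 + 4 )) 1
}

# Starting sector (LBA) of partition N: 32-bit little-endian at entry offset 8.
part_start_lba() {
    le_uint "$1" $(( 446 + ($2 - 1) * 16 + 8 )) 4
}

# Byte offset to hand to mount -o offset= for partition N.
part_byte_offset() {
    echo $(( $(part_start_lba "$1" "$2") * SECTOR ))
}

# The mount line for partition N of IMAGE at MOUNTPOINT (printed, not run: needs root).
mount_command() {
    image="$1"; n="${2:-1}"; mnt="${3:-/mnt/windisk}"
    has_mbr_signature "$image" || { echo "no MBR signature in $image" >&2; return 1; }
    printf 'mount -t ntfs -o ro,loop,offset=%s %s %s\n' \
        "$(part_byte_offset "$image" "$n")" "$image" "$mnt"
}

# Constructed demo image: 4 zeroed sectors with one NTFS entry starting at LBA 63,
# so the script runs offline. A real image would come from dd of a PhysicalDrive.
make_demo_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=512 count=4 2>/dev/null
    # entry 1: boot flag 0x80, CHS zeroed, type 0x07, start LBA 63, 2048 sectors
    printf '\200\000\000\000\007\000\000\000\077\000\000\000\000\010\000\000' |
        dd of="$img" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Stand-alone run: build the demo image and print the mount line for partition 1.
demo=$(mktemp)
make_demo_image "$demo"
mount_command "$demo" 1 /mnt/windisk
rm -f "$demo"
```

For the constructed image the script prints `mount -t ntfs -o ro,loop,offset=32256 <image> /mnt/windisk` (63 sectors times 512 bytes). Two caveats beyond the post: `ro` matters on evidence, since a read-write NTFS mount can alter timestamps and journal data, and on a current Linux box `-t ntfs` may need the ntfs-3g or ntfs3 driver installed before the line works at all.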
This archive was generated by hypermail 2b30 : Wed Aug 13 2003 - 06:18:55 PDT