Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Copying HDDs for forensic purposes?

From: Byron Sonne <blsonne () rogers com>
Date: Mon, 17 Nov 2003 16:21:50 -0500
Best practice I've used is to boot off a knoppix CD with a second hard drive
in the machine, mounted as /mnt.  Then from a command prompt `dd
if=/dev/hda1 of=/mnt/drive.img` Do this for each partition you want to image

After you have the copy, you can remove the original drive, and mount the
img file by using loopback, `mount /mnt/drive.img /mnt2 -o loop ro` I
believe is the syntax for a read-only loopback. Substitute paths as needed.
Nice thing is that works across multiple operating systems as well... rather handy just to be able to run 'strings' against windows disks. 


--

        For good, return good. For evil, return justice.


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ----------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: