Security Basics mailing list archives

Re: dd for windows and imaging a 40Gb drive

From: Paul daSilva <pdasilva () polr org>
Date: Thu, 07 Dec 2006 10:22:51 -0500

Murad,

The option is up to you and your needs. Booting the Windows machinefrom a Linux LiveCD will give you the ability to snapshot the entirepartition or hard drive as a point in time reference, with no'intereference' - meaning no changes to the filesystem as you captureits image.

You could try to copy the files you need while booted into Windows,copying the desired .pst file over the network. I'm not sure if thiswill work when the file is in use (opened under Outlook or whatever bythat user), but you can give it a try. Also, there is a dd for Windowswhich may have slightly different capabilities than the original dd,like dumping data from a live file system? I'm not sure, but you cancheck it out -- they do use slightly different conventions with respectto drives and partitions. Here are some links:


http://www.chrysocome.net/dd
http://users.erols.com/gmgarner/forensics/

Lastly, yes, if you book from a Linux Live CD, your disks and partitionswill assume that naming convention:


/dev/hda    primary hard drive
/dev/hdb   secondary drive on the primary IDE
/dev/hdc    first drive on secondary IDE
/dev/hdd   secondary drive on secondary IDE

/dev/hda1   first partition on primary drive
and so on....

Cheers,
Paul


Murad Talukdar wrote:

Thanks Paul,
Now the source machine in question is a winxp box so I take it that running
dd and piping to nc would mean booting to a live cd(on source machine) in
order to prevent any 'interference' with the data?
Now I'm assuming that when running a live cd (knoppix std or FIRE eg) will
mean that the main partition should show up as /dev/had or similar even
though it is a windows box. Is that right?
What I really need is a copy of this user's pst files for legal to check for
'incriminating' (ie non-criminal) emails but I did suggest to them that
taking an image of the drive first, for possible later use may be advisable.
Now I'm not a forensic expert and I did say that normally this should be
done by such but they have said that it really is just a preliminary
investigation. <shrug>
-----Original Message-----

From: Paul daSilva [mailto:pdasilva () polr org]Sent: Thursday, December 07, 2006 8:47 AM

To: Murad Talukdar
Cc: security-basics () securityfocus com
Subject: Re: dd for windows and imaging a 40Gb drive

Murad,

I can't answer how long the process will take, as far too many factorsare involved.However, to use dd over the network, you could consider piping itsoutput to netcat.


On the Target system, where image will be dumped to, run:
nc -l -p 9000 | dd of=/path/image-file.dd (or of=/dev/hda)

On the Source system to be imaged, run:
dd if=/dev/hda | nc 192.168.1.120 9000

Be sure to edit the Target system output file of=, as it can be a fileor you can dd to another disk or partition (clone).

Be sure to edit the Source system input file if= (right drive device andpartition number), and use the right IP address and port number for theTarget system). Googling "dd and netcat" will give you lots moreinformation on this topic.


Cheers,
Paul



Murad Talukdar wrote:

Hi all,
I need to estimate how long it would take to image a 40gb drive with a
single partition on it using dd. (I guess this is more dependant on write
speeds and throughput than anything else)
Also, what would be the syntax of the output file be if I were to image
across the network? Or can dd be used by using a crossover cable and

mapping

drives first?
But, if I were to map a drive to the machine in question, does that
'interfere' with the drive in any way?I'm planning to use dd for windows-which I can get to work fine for
files/folders on my local machine but am struggling over the network

because

I'm not sure of the syntax.No man dd on windows.

---------------------------------------------------------------------------

This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect

---------------------------------------------------------------------------



---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------

Current thread:

dd for windows and imaging a 40Gb drive Murad Talukdar (Dec 06)
- Re: dd for windows and imaging a 40Gb drive Peter Oven (Dec 07)
- Re: dd for windows and imaging a 40Gb drive Paul daSilva (Dec 07)
  - RE: dd for windows and imaging a 40Gb drive Murad Talukdar (Dec 07)
    - Re: dd for windows and imaging a 40Gb drive Paul daSilva (Dec 07)
    - RE: dd for windows and imaging a 40Gb drive Murad Talukdar (Dec 08)
    - Re: dd for windows and imaging a 40Gb drive Paul daSilva (Dec 08)
    - RE: dd for windows and imaging a 40Gb drive Murda Mcloud (Dec 12)
- <Possible follow-ups>
- Re: dd for windows and imaging a 40Gb drive Geert VAN ACKER (Dec 07)