Honeypots mailing list archives

Re: Forensics DD RDA problems


From: Jordan Wiens <jwiens () nersp nerdc ufl edu>
Date: Mon, 30 Jun 2003 10:29:52 -0400 (EDT)

On Fri, 27 Jun 2003, nina nina wrote:

> Trying to setup RDA on a win2k machine:
>
> 1.  Use Fire CD to download and *.dd images
>     a. boot.img is less than 1.44 MB
>     b. root.img is more than 4 MB
>
> 2.  DD both images but root.img.dd is of course still large

Hmm, yeah, that's a bit odd.  Don't know what's going on there offhand.

> 3.  How do I get the image on a bootable floppy?

Try downloading the whole package and looking at README.boot; that'll
explain how to make your own rda boot disks.

> 4.  Is it possible to setup rda on win2k

Hmm, I kinda doubt it offhand, though it's entirely possible that it could
be ported.

> What about nc or cryptcat to connect to a remote machine?

Definitely a good option.  In fact, Joe Lofshult's SANS practical writeup
on Biatchux (Biatchux became FIRE) mentions it:
http://www.giac.org/practical/Joe_Lofshult_GSEC.doc

Basically on the machine to be analyzed:
 dd if=/dev/hda1  |  nc -nv 192.168.1.110 2020

and on the server:
 nc -l -p 2020 > hda1.dd

And then of course to verify on the client:
 md5sum /dev/hda1
and the server:
 md5sum hda1.dd

Not quite as automated as rda, but it's a relatively simple process.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061
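The dd-over-netcat procedure in the reply above, written out as an added example (not code from the original post, nor part of FIRE or rda). It differs from the post in one respect: the device is read once, and the MD5 is taken from the same bytes that go to the network (tee into a FIFO feeding md5sum), so the sender's hash covers exactly what was transmitted. Running a separate md5sum over the device afterwards reads it a second time, and on a live system that second read can differ. Assumptions: traditional netcat syntax (nc -l -p PORT), a 512-byte sector size, and that /dev/hda1, 192.168.1.110 and port 2020 are the placeholders from the post.

```shell
#!/bin/sh
# Added example: image a device over netcat and verify the hash on both ends.
# Assumes POSIX sh with coreutils (dd, tee, md5sum, mkfifo, mktemp) and a
# traditional netcat. /dev/hda1, 192.168.1.110 and 2020 are placeholders.

# Sender side. Reads DEV once, writes the raw image to stdout (pipe this into
# nc), and writes the MD5 of the emitted bytes into HASHFILE.
#   bs=512 matches the sector size, so conv=sync only pads sectors that could
#   not be read (conv=noerror keeps going past them). A larger bs is faster,
#   but then conv=sync also pads the tail of the image up to bs-1 bytes and
#   the image hash no longer matches a hash of the device itself.
image_stream() {
    dev=$1
    hashfile=$2
    tmpd=$(mktemp -d) || return 1
    fifo=$tmpd/hash.fifo
    mkfifo "$fifo" || return 1
    # Hash the second copy of the stream in the background while tee feeds it.
    md5sum < "$fifo" | cut -d' ' -f1 > "$hashfile" &
    dd if="$dev" bs=512 conv=noerror,sync 2>/dev/null | tee "$fifo"
    wait                      # let md5sum finish writing HASHFILE
    rm -rf "$tmpd"
}

# Receiver side. Listens once and stores whatever arrives as the image file.
receive_image() {
    port=$1
    out=$2
    nc -l -p "$port" > "$out"
}

# Compares the MD5 of IMAGE against the hash the sender recorded.
# Returns 0 on match, 1 on mismatch (the image must not be trusted then).
verify_image() {
    image=$1
    expected=$2
    actual=$(md5sum < "$image" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Usage, matching the post's topology:
#   on the server:   receive_image 2020 hda1.dd
#   on the client:   image_stream /dev/hda1 /tmp/hda1.md5 | nc -nv 192.168.1.110 2020
#   on the server:   verify_image hda1.dd "$(cat hda1.md5)"   # copy hda1.md5 over first
```

Keep the sender's hash file off the evidence disk (a floppy, the RDA boot media, or read it off the console) and record it with the image; a mismatch means the transfer, not the evidence, has to be redone.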
