Virus.Org Mailing List Archive

Re: Using dd.exe to make forensic images of NTFS drives

  • To: "Sakaba" <[EMAIL PROTECTED]>
  • Subject: Re: Using dd.exe to make forensic images of NTFS drives
  • From: Jim Zajkowski <[EMAIL PROTECTED]>
  • Date: Sun, 10 Aug 2003 12:31:32 -0400
  • Cc: <[EMAIL PROTECTED]>
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]>

On Saturday, August 9, 2003, at 1:04 PM, Sakaba wrote:

> I have tried time and time again to make images of my NTFS drives via the
> dd command in windows.

Why do that? I use a FreeBSD "fixit" cd, which has a live FreeBSD system on the disc. Once there, I use dd and pipe it into ssh and send it over an ssh pipe to my analysis machine. Works like a charm.

I do this:

  # ifconfig xl0 inet some.ip.add.ress netmask net.mask.goes.here
  # route add -net 0 the.gateway.add.ress
  # cd /dev; /dist/dev/MAKEDEV std
  # dd if=/dev/ad0s1 | dd obs=5m | dd obs=5m | gzip -6 | ssh my.machine "gzcat > image.dd"

The three dd's on that line set up a buffer stream that allows the reading dd to not have to stop for network traffic so often. Otherwise you get a lot of read... pause... read... pause... and that makes it take 2 or 3 times longer. I'm also gzipping since it's not a local wire to my analysis machine.

--Jim

--
Jim Zajkowski                http://www.jimz.net/pgp-pubkey.asc
System Administrator  8A9E 1DDF 944D 83C3 AEAB  8F74 8697 A823 2113 5C53
ITCS Contract Services
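An added example, not part of Jim's post, that models the buffered dd pipeline he describes on an ordinary file instead of a raw disk and adds the one thing a forensic image needs that the one-liner does not produce: a hash of the raw byte stream taken in the same read pass, so the stored image can be checked against what was actually read. The sample "drive" (random bytes), the output file names and the temporary FIFO path are constructed for the demo; the numeric `obs=1048576` stands in for the post's `obs=5m` so that both GNU and BSD dd accept it.

```shell
#!/bin/sh
# Added example (not from the post): buffered dd | gzip pipeline with a
# same-pass SHA-256 of the raw stream and a verification of the stored image.
# Assumed/constructed: source is a plain file, output names are arbitrary,
# a FIFO under $TMPDIR carries a copy of the stream to the hasher.

# Portable SHA-256 of stdin (GNU coreutils sha256sum, else BSD/macOS shasum).
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# image_disk SRC OUTBASE
# Writes OUTBASE.gz (compressed image) and OUTBASE.sha256 (hash of the raw
# stream exactly as the reading dd delivered it). Returns 0 only when the
# decompressed image hashes to that same value.
image_disk() {
    src="$1"
    out="$2"
    fifo="${TMPDIR:-/tmp}/dd-hash-fifo.$$"
    rm -f "$fifo"
    mkfifo "$fifo" || return 1

    # The hasher runs in the background and consumes the FIFO; it sees the
    # raw bytes before compression, so its digest is the acquisition hash.
    sha256_stdin < "$fifo" > "$out.sha256" &
    hasher=$!

    # Reading dd, then two re-blocking dd stages that act as a buffer (the
    # post's obs=5m idea), then gzip. tee branches a copy to the hasher.
    dd if="$src" bs=65536 2>/dev/null \
        | tee "$fifo" \
        | dd obs=1048576 2>/dev/null \
        | dd obs=1048576 2>/dev/null \
        | gzip -6 > "$out.gz"
    wait "$hasher"
    rm -f "$fifo"

    # Verification pass: decompress the stored image and compare digests.
    stored=$(gzip -dc "$out.gz" | sha256_stdin)
    read -r expected < "$out.sha256"
    [ "$stored" = "$expected" ]
}

# --- constructed demo input: 3 MiB of random bytes standing in for /dev/ad0s1 ---
work=$(mktemp -d)
dd if=/dev/urandom of="$work/evidence.img" bs=65536 count=48 2>/dev/null
if image_disk "$work/evidence.img" "$work/case001"; then
    echo "image verified: $(cat "$work/case001.sha256")"
else
    echo "hash mismatch: stored image differs from what was read" >&2
fi
```

In the remote setup from the post, the `tee` branch would sit on the acquiring machine ahead of `gzip | ssh`, with the recorded digest carried separately to the analysis host and compared there against a hash of the received image; a mismatch then points at the transfer rather than at the evidence.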


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com