Re: Using dd.exe to make forensic images of NTFS drives
- To: Jim Zajkowski <[EMAIL PROTECTED]>
- Subject: Re: Using dd.exe to make forensic images of NTFS drives
- From: Bill Schoolcraft <[EMAIL PROTECTED]>
- Date: Mon, 11 Aug 2003 13:00:49 -0700 (PDT)
- Cc: [EMAIL PROTECTED]
- In-reply-to: <[EMAIL PROTECTED]>
- System-id: [en] (I; Linux i86pc)
At Sun, 10 Aug 2003 it looks like Jim Zajkowski composed:
> On Saturday, August 9, 2003, at 1:04 PM, Sakaba wrote:
>
> > I have tried time and time again to make images of my NTFS drives via the
> > dd command in Windows.
>
> Why do that? I use a FreeBSD "fixit" cd, which has a live FreeBSD
> system on the disc. Once there, I use dd and pipe it into ssh and send
> it over an ssh pipe to my analysis machine. Works like a charm.
>
> I do this:
>
> # ifconfig xl0 inet some.ip.add.ress netmask net.mask.goes.here
> # route add -net 0 the.gateway.add.ress
> # cd /dev; /dist/dev/MAKEDEV std
Hi Jim, I didn't get the reason for the "MAKEDEV std" on the
above line.
Thanks.
> # dd if=/dev/ad0s1 | dd obs=5m | dd obs=5m | gzip -6 | ssh my.machine "gzcat > image.dd"
>
> The three dd's on that line set up a buffer stream that allows the
> reading dd to not have to stop for network traffic so often. Otherwise
> you get a lot of read... pause... read... pause... and that makes it
> take 2 or 3 times longer. I'm also gzipping since it's not a local
> wire to my analysis machine.
>
Great email to archive for reference. :)
--
|<----------------------"Word-Wrap-At-72-Please"---------------------->|
Bill Schoolcraft
PO Box 210076 -o)
San Francisco CA 94121 /\
"UNIX, A Way Of Life." _\_v
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
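The buffered dd pipeline Jim describes, plus the source-versus-image hash check an examiner would record with the acquisition, as an added shell example that is not part of the original thread. The source "device" is a constructed temp file, a local gzip file stands in for the ssh leg, and hash_stdin, image_device and make_sample_device are names assumed here.

```shell
#!/bin/sh
# Added example, not from the original message. Swap the final
# "gzip -6 > file" for "gzip -6 | ssh host 'gzcat > image.dd'" to get
# the remote transfer shown in the thread.
set -eu

# Portable SHA-256 of stdin (sha256sum on Linux, shasum on BSD/macOS).
hash_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# image_device SRC DST.gz
# Reads SRC with dd, passes it through two re-blocking dd stages (the
# "buffer stream" from the thread) and gzip -6, writes DST, then checks
# that the decompressed image hashes identically to the source.
# Prints the image hash; returns 0 on match, 1 on mismatch.
image_device() {
    src=$1; dst=$2
    # Hash the source first; on a real case this is the acquisition hash
    # that goes into the chain-of-custody notes.
    src_hash=$(hash_stdin < "$src")
    # 1048576 bytes (1 MiB) is written as a plain number so the same line
    # runs under BSD dd (which takes obs=5m) and GNU dd (obs=5M).
    dd if="$src" bs=65536 2>/dev/null \
        | dd obs=1048576 2>/dev/null \
        | dd obs=1048576 2>/dev/null \
        | gzip -6 > "$dst"
    img_hash=$(gzip -dc "$dst" | hash_stdin)
    printf '%s\n' "$img_hash"
    [ "$src_hash" = "$img_hash" ]
}

# Constructed sample "device": 3 MiB of pseudo-random data in a temp file.
make_sample_device() {
    tmp=$(mktemp)
    dd if=/dev/urandom of="$tmp" bs=1048576 count=3 2>/dev/null
    printf '%s\n' "$tmp"
}
```

A mismatch between the two hashes means the image cannot be relied on, whatever the transfer log says.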