Welcome to the Virus.Org Mailing List Archive



Re: Using dd.exe to make forensic images of NTFS drives

  • To: [EMAIL PROTECTED]
  • Subject: Re: Using dd.exe to make forensic images of NTFS drives
  • From: <[EMAIL PROTECTED]>
  • Date: 12 Aug 2003 19:06:31 -0000
In-Reply-To: <[EMAIL PROTECTED]>

sakaba,

I don't want to seem problematic, but have you tried to mount the images on 
your forensic system with the mount command?  A line like this should work:
[EMAIL PROTECTED] root]# mount -t ntfs -o ro,loop /windowsimage.img /mnt/windisk
Where windowsimage.img is the file you have dd'ed across to the forensics 
machine and /mnt/windisk is a legit (unmounted) directory on your 
forensics system.  If you can't, then there might be your answer.  Also 
make sure that if you are taking the whole disk (i.e. 
if=\\.\PhysicalDrive0) you "do the math" to make sure you skip the MBR 
(search the archives of this list to get more info - it is there...).

As for not taking down a box and rebooting it, the tools I use are either a 
floppy with dd.exe and nc.exe on it (takes about an hour per GB via cross-over 
cable connection) or you can use the FIRE CD and just use the Windows 
binaries in the <CD_drive>:\statbin\Win32\ (UNIX tools) or 
<CD_drive>:\Win32 (info collection) directory.

Hope this helps.

Shrink-wrap

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
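The "do the math to skip the MBR" step from the reply above, worked through as an added shell example that is not part of the original message or of any tool it names. It assumes a whole-disk dd image (if=\\.\PhysicalDrive0), 512-byte sectors, and a Linux forensics host with util-linux mount and sfdisk; the helper names (ntfs_offset, first_partition_start, mount_opts) are the example's own.

```shell
#!/bin/sh
# Added example: mount one NTFS partition out of a whole-disk dd image,
# read-only, by handing the loop device a byte offset that skips the MBR
# and partition gap instead of carving a second image.
# Assumption: 512-byte sectors (4Kn disks need 4096 as the second argument).

set -eu

# Byte offset of a partition = starting LBA sector * bytes per sector.
# Classic MBR layouts start the first partition at sector 63 (32256 bytes);
# Vista-era and later layouts start at sector 2048 (1048576 bytes).
ntfs_offset() {
    start_sector=$1
    sector_size=${2:-512}
    echo $(( start_sector * sector_size ))
}

# Read the starting sector of the first partition straight from the image's
# partition table. sfdisk only parses the MBR here, so no root is needed.
# Assumption: sfdisk -d prints lines of the form "... : start=N, size=M, ...".
first_partition_start() {
    img=$1
    sfdisk -d "$img" | awk -F'[=,]' '/start=/ { gsub(/ /, "", $2); print $2; exit }'
}

# Mount options for evidence: read-only, via a loop device, offset past the
# MBR, and never honour setuid/exec/device nodes from the suspect filesystem.
mount_opts() {
    echo "ro,loop,offset=$(ntfs_offset "$1" "${2:-512}"),noexec,nosuid,nodev"
}

# Usage (as root): ./mount_image.sh /windowsimage.img /mnt/windisk
if [ "$#" -eq 2 ]; then
    img=$1
    mnt=$2
    start=$(first_partition_start "$img")
    echo "first partition starts at sector $start (byte offset $(ntfs_offset "$start"))"
    mount -t ntfs -o "$(mount_opts "$start")" "$img" "$mnt"
fi
```

If mount complains that the NTFS signature is missing at that offset, the math is wrong for this disk; re-check the start sector and sector size before touching the image again.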

Copyright (c) Virus.Org 1997-2006.