Re: Using dd.exe to make forensic images of NTFS drives
- To: <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
- Subject: Re: Using dd.exe to make forensic images of NTFS drives
- From: Jeremiah Cornelius <[EMAIL PROTECTED]>
- Date: Wed, 13 Aug 2003 08:38:09 -0700
- In-reply-to: <[EMAIL PROTECTED]>
- References: <[EMAIL PROTECTED]>
On Tuesday 12 August 2003 12:06 pm, [EMAIL PROTECTED] wrote:
> In-Reply-To: <[EMAIL PROTECTED]>
<SNIP>
> a line like should work:
> [EMAIL PROTECTED] root]#mount -t ntfs /windowsimage.img /mnt/windisk
> Where windowsimage.img is the file you have dd'ed across to the forensics
> machine and /mnt/windisk is a legit (unmounted) directory on your
> forensics system. If you can't then there might be your answer.
Ummmm...
You need to specify a disk image to use the loopback device in Linux, which
means loopback support must be available in the kernel, or as a module - most
distribution kernels have this already. A good simple check for this is to
see if you have the file /dev/loop0 present.
Your mount command for this is:
    mount -t ntfs -o loop /windowsimage.img /mnt/windisk
                  ^^^^^^^
F.I.R.E. is good - check out Knoppix! It is a very rich environment for most
any task, and loads to a RAMdisk from read-only media. Knoppix is a
self-hosting terminal server and offers remote network boot, etc.
http://www.knopper.net/knoppix/index-en.html
There is also a Security/Forensics specialty variant which has been recently
established by another author:
http://www.knoppix-std.org
--
Jeremiah Cornelius, CISSP, CCNA, MCSE
Information Security Technology
email: [EMAIL PROTECTED] - mobile: 415.235.7689
"What would be the use of immortality to a person who cannot use well a half
hour?"
--Ralph Waldo Emerson
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
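
Added example, not part of the original message: a pre-flight check for the loopback mount discussed above, covering the /dev/loop0 test, the image file and the unmounted target directory. The function name, its return codes and the "ro" option in the usage comment are assumptions of this example; "ro" is added so the evidence image is not written to.

```shell
#!/bin/sh
# Added example: checks to run before loop-mounting a dd image of an NTFS
# volume. Nothing is mounted here; the function only validates its inputs.
#
# Usage (hypothetical paths, run as root on the forensics machine):
#   loop_mount_preflight /windowsimage.img /mnt/windisk &&
#       mount -t ntfs -o ro,loop /windowsimage.img /mnt/windisk

# loop_mount_preflight IMAGE MOUNTPOINT [LOOPDEV]
# LOOPDEV defaults to /dev/loop0, the check suggested in the message.
# Returns 0 if all checks pass, otherwise 2..5 (codes chosen for this example).
loop_mount_preflight() {
    image=$1
    mnt=$2
    loopdev=${3:-/dev/loop0}

    # Loopback support: the device node should be present.
    if [ ! -e "$loopdev" ]; then
        echo "no $loopdev: loopback support missing (try: modprobe loop)" >&2
        return 2
    fi
    # The image must be a readable regular file.
    if [ ! -f "$image" ] || [ ! -r "$image" ]; then
        echo "image not found or unreadable: $image" >&2
        return 3
    fi
    # The mount point must be an existing directory...
    if [ ! -d "$mnt" ]; then
        echo "mount point is not a directory: $mnt" >&2
        return 4
    fi
    # ...that nothing is mounted on already (second field of /proc/mounts).
    if [ -r /proc/mounts ] &&
        awk -v m="$mnt" '$2 == m { found = 1 } END { exit !found }' /proc/mounts
    then
        echo "already a mount point: $mnt" >&2
        return 5
    fi
    return 0
}
```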