RE: dd for windows and imaging a 40Gb drive

[Murad Talukdar <talukdar_m () subway com>]

Thanks Paul,
Now the source machine in question is a winxp box so I take it that running
dd and piping to nc would mean booting to a live cd(on source machine) in
order to prevent any 'interference' with the data?
Now I'm assuming that when running a live cd (knoppix std or FIRE eg) will
mean that the main partition should show up as /dev/had or similar even
though it is a windows box. Is that right?
What I really need is a copy of this user's pst files for legal to check for
'incriminating' (ie non-criminal) emails but I did suggest to them that
taking an image of the drive first, for possible later use may be advisable.
Now I'm not a forensic expert and I did say that normally this should be
done by such but they have said that it really is just a preliminary
investigation. <shrug>
-----Original Message-----
From: Paul daSilva [mailto:pdasilva () polr org] 
Sent: Thursday, December 07, 2006 8:47 AM
To: Murad Talukdar
Cc: security-basics () securityfocus com
Subject: Re: dd for windows and imaging a 40Gb drive

Murad,

I can't answer how long the process will take, as far too many factors 
are involved.
However, to use dd over the network, you could consider piping its 
output to netcat.

On the Target system, where image will be dumped to, run:
nc -l -p 9000 | dd of=/path/image-file.dd (or of=/dev/hda)

On the Source system to be imaged, run:
dd if=/dev/hda | nc 192.168.1.120 9000

Be sure to edit the Target system output file of=, as it can be a file 
or you can dd to another disk or partition (clone).

Be sure to edit the Source system input file if= (right drive device and 
partition number), and use the right IP address and port number for the 
Target system). Googling "dd and netcat" will give you lots more 
information on this topic.

Cheers,
Paul



Murad Talukdar wrote:
> Hi all,
> I need to estimate how long it would take to image a 40gb drive with a
> single partition on it using dd. (I guess this is more dependant on write
> speeds and throughput than anything else)
> Also, what would be the syntax of the output file be if I were to image
> across the network? Or can dd be used by using a crossover cable and
mapping
> drives first?
> But, if I were to map a drive to the machine in question, does that
> 'interfere' with the drive in any way? 
> I'm planning to use dd for windows-which I can get to work fine for
> files/folders on my local machine but am struggling over the network
because
> I'm not sure of the syntax. 
> No man dd on windows.
>  
---------------------------------------------------------------------------
> This list is sponsored by: ByteCrusher
>
> Detect Malicious Web Content and Exploits in Real-Time.
> Anti-Virus engines can't detect unknown or new threats.
> LinkScanner can. Web surfing just became a whole lot safer.
>
> http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------
>   





---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher

Detect Malicious Web Content and Exploits in Real-Time.
Anti-Virus engines can't detect unknown or new threats.
LinkScanner can. Web surfing just became a whole lot safer.

http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------