Security Basics mailing list archives
RE: dd for windows and imaging a 40Gb drive
From: Murad Talukdar <talukdar_m () subway com>
Date: Fri, 08 Dec 2006 09:14:14 +1000
Great stuff Paul - thanks for the link to the Garner page. I had found the dd for Windows and was trying to work out whether I could somehow load that into a LiveCD for similar purposes (even just for backing up).

One thing which I'm trying to work out is with regards to a pst file which, let's say for argument's sake, lives here:

C:\documents and settings\username\local settings\application data\microsoft\outlook\outlook.pst

With the whole Windows directory notation being expressed as unix-style notation (thanks for the clarification), would that mean that, if just a file or folder needed to be copied, it would correspond to something similar to:

/dev/hda1/documents and settings/username/local settings/application data/microsoft/outlook/outlook.pst

I'm going to try it on a test machine and see if this is the case or not.

One other question too - does the empty target disk need to be formatted as an NTFS disk before the copy? Or would something that had been an ext2 disk be fine?

-----Original Message-----
From: Paul daSilva [mailto:pdasilva () polr org]
Sent: Friday, December 08, 2006 1:23 AM
To: Murad Talukdar; security-basics () securityfocus com
Subject: Re: dd for windows and imaging a 40Gb drive

Murad,

The option is up to you and your needs. Booting the Windows machine from a Linux LiveCD will give you the ability to snapshot the entire partition or hard drive as a point in time reference, with no 'interference' - meaning no changes to the filesystem as you capture its image.

You could try to copy the files you need while booted into Windows, copying the desired .pst file over the network. I'm not sure if this will work when the file is in use (opened under Outlook or whatever by that user), but you can give it a try.

Also, there is a dd for Windows which may have slightly different capabilities than the original dd, like dumping data from a live file system? I'm not sure, but you can check it out -- they do use slightly different conventions with respect to drives and partitions. Here are some links:

http://www.chrysocome.net/dd
http://users.erols.com/gmgarner/forensics/

Lastly, yes, if you boot from a Linux Live CD, your disks and partitions will assume that naming convention:

/dev/hda   primary hard drive
/dev/hdb   secondary drive on the primary IDE
/dev/hdc   first drive on secondary IDE
/dev/hdd   secondary drive on secondary IDE
/dev/hda1  first partition on primary drive

and so on....

Cheers,
Paul

Murad Talukdar wrote:

Thanks Paul,

Now the source machine in question is a WinXP box so I take it that running dd and piping to nc would mean booting to a live CD (on source machine) in order to prevent any 'interference' with the data?

Now I'm assuming that running a live CD (Knoppix STD or FIRE eg) will mean that the main partition should show up as /dev/hda or similar even though it is a Windows box. Is that right?

What I really need is a copy of this user's pst files for legal to check for 'incriminating' (ie non-criminal) emails but I did suggest to them that taking an image of the drive first, for possible later use, may be advisable.

Now I'm not a forensic expert and I did say that normally this should be done by such but they have said that it really is just a preliminary investigation. <shrug>

-----Original Message-----
From: Paul daSilva [mailto:pdasilva () polr org]
Sent: Thursday, December 07, 2006 8:47 AM
To: Murad Talukdar
Cc: security-basics () securityfocus com
Subject: Re: dd for windows and imaging a 40Gb drive

Murad,

I can't answer how long the process will take, as far too many factors are involved. However, to use dd over the network, you could consider piping its output to netcat.

On the Target system, where the image will be dumped to, run:

nc -l -p 9000 | dd of=/path/image-file.dd   (or of=/dev/hda)

On the Source system to be imaged, run:

dd if=/dev/hda | nc 192.168.1.120 9000

Be sure to edit the Target system output file of=, as it can be a file or you can dd to another disk or partition (clone). Be sure to edit the Source system input file if= (right drive device and partition number), and use the right IP address and port number for the Target system.

Googling "dd and netcat" will give you lots more information on this topic.

Cheers,
Paul

Murad Talukdar wrote:

Hi all,

I need to estimate how long it would take to image a 40gb drive with a single partition on it using dd. (I guess this is more dependent on write speeds and throughput than anything else)

Also, what would the syntax of the output file be if I were to image across the network? Or can dd be used by using a crossover cable and mapping drives first? But, if I were to map a drive to the machine in question, does that 'interfere' with the drive in any way?

I'm planning to use dd for Windows - which I can get to work fine for files/folders on my local machine but am struggling over the network because I'm not sure of the syntax. No man dd on windows.
---------------------------------------------------------------------------
This list is sponsored by: ByteCrusher Detect Malicious Web Content and Exploits in Real-Time. Anti-Virus engines can't detect unknown or new threats. LinkScanner can. Web surfing just became a whole lot safer. http://www.explabs.com/staging/promotions/xern_lspro.asp?loc=sfmaildetect
---------------------------------------------------------------------------
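The dd-and-netcat procedure quoted in this thread stops once the image is written; a practitioner would also want to confirm that what landed on the target is byte-for-byte what was read from the source. The following is an added example, not code from the thread or from either poster: it takes a dd image of a constructed sample "disk" file (standing in for a device such as /dev/hda1) and then verifies size and SHA-256 digest. The same verification applies to an image received over nc: hash the device on the source host after imaging and the received file on the target host, and compare. It assumes GNU coreutils (dd, sha256sum, head -c).

```shell
#!/bin/sh
# Added example: dd image of a source plus integrity verification.
# SRC may be a block device or, as here, a constructed file so the script
# runs offline. Assumes GNU coreutils.

# make_sample_disk PATH: build a constructed "disk" (4 MiB of zeros plus a
# short tail) so the block size does not divide the length evenly.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=1M count=4 2>/dev/null
    printf 'outlook.pst placeholder, constructed for the example\n' >> "$1"
    head -c 40 /dev/urandom >> "$1"
}

# take_image SRC DST: copy SRC to DST in 1 MiB blocks. Without conv=sync the
# final partial block keeps its real size, so DST has exactly SRC's length.
take_image() {
    dd if="$1" of="$2" bs=1M 2>/dev/null
}

# sha256_of PATH: print only the hex digest.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SRC DST: return 0 when byte count and digest both match,
# 1 otherwise. Prints the digest so it can be recorded with the image.
verify_image() {
    src_size=$(wc -c < "$1" | tr -d ' ')
    dst_size=$(wc -c < "$2" | tr -d ' ')
    if [ "$src_size" -ne "$dst_size" ]; then
        echo "size mismatch: source $src_size bytes, image $dst_size bytes" >&2
        return 1
    fi
    src_hash=$(sha256_of "$1")
    dst_hash=$(sha256_of "$2")
    if [ "$src_hash" != "$dst_hash" ]; then
        echo "digest mismatch: source $src_hash, image $dst_hash" >&2
        return 1
    fi
    echo "$dst_hash  $2"
}

# Demonstration on the constructed disk.
work=$(mktemp -d)
make_sample_disk "$work/disk"
take_image "$work/disk" "$work/image.dd"
verify_image "$work/disk" "$work/image.dd" && echo "image verified"
rm -rf "$work"
```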
Current thread:
- dd for windows and imaging a 40Gb drive Murad Talukdar (Dec 06)
- Re: dd for windows and imaging a 40Gb drive Peter Oven (Dec 07)
- Re: dd for windows and imaging a 40Gb drive Paul daSilva (Dec 07)
- RE: dd for windows and imaging a 40Gb drive Murad Talukdar (Dec 07)
- Re: dd for windows and imaging a 40Gb drive Paul daSilva (Dec 07)
- RE: dd for windows and imaging a 40Gb drive Murad Talukdar (Dec 08)
- Re: dd for windows and imaging a 40Gb drive Paul daSilva (Dec 08)
- RE: dd for windows and imaging a 40Gb drive Murda Mcloud (Dec 12)
- RE: dd for windows and imaging a 40Gb drive Murad Talukdar (Dec 07)
- <Possible follow-ups>
- Re: dd for windows and imaging a 40Gb drive Geert VAN ACKER (Dec 07)