Honeypots mailing list archives

Re: Free/Open Source Disk Imaging Tools


From: George Bakos <gbakos () ists dartmouth edu>
Date: Fri, 7 Feb 2003 11:46:22 -0500

On Fri, 7 Feb 2003 00:10:05 -0500
"crazytrain.com" <subscribe () crazytrain com> wrote:


> George
> 
> just some thoughts;
> 
> 1) bandwidth
> 
All forensic imaging should be pulled using a crossover cable or passive
layer 1 device (hub) with no other hosts on the wire. If you aren't
concerned with preserving evidentiary value and admissibility, you needn't
be quite so diligent.

If using a switched, rather than shared, network, bandwidth shouldn't be
an issue. Even if so, by keeping your honeypot partitions to a reasonable
size, you'll keep any bandwidth clobber to a minimum. I pull 2GB over
switched fast ethernet using dd and nc in a little over 4 minutes.

Another technique we use here in the forensic testbed: target systems
(hpots) with 2 hot-swap SCSI drives and a RAID5 storage server with the
same drives & one empty bay. We just pop out the drive to be imaged, stick
it in the storage server & dd across the backplane. W00t! 
 
> 2) cleartext

See #1 and use cryptcat instead of nc if you need to use shared media.

> 3) dropped connection

dd is a block-oriented utility that reports on blocks (records)
successfully read in and out. You can easily resume a partial session with
the 'skip' option, picking up where you left off.


> So you can see where you may suck down bandwidth, send via clear text
> susceptible to sniffing (cryptcat would alleviate that but increase
> overhead), and if your connection drops, ouch!  Do not pass go, do not
> collect $200, start over!
> 
> I mostly do my imaging via 'dd' and write it to an external 1394 drive. 
> Super fast, no CPU cycles, no dropped network connections, no sniffing,
> and I'm happy :)


If you're happy, we're all happy. Cheers!

-- 
George Bakos
Institute for Security Technology Studies
Dartmouth College
gbakos () ists dartmouth edu
voice   603-646-0665
fax     603-646-0666
Key fingerprint = D646 8F91 F795 27EC FF8B  8C95 B102 9EB2 081E CB85
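The dd/skip resume that George describes in point 3, as an added, runnable example that is not part of the thread. A constructed 64 KiB file stands in for the honeypot partition, so nothing here reads a real disk; the block size, paths and the function names (make_source, blocks_done, resume_image, verify_image) are this example's own choices. The same skip/seek arithmetic applies to the "dd | nc" pipeline in the thread, with the sender doing the skip and the receiving dd doing the seek.

```shell
#!/bin/sh
# Added example, not from the thread: resumable block-level imaging with dd.
# A constructed file stands in for the honeypot partition; no real disk is touched.
set -eu

BS=4096                       # block size for every dd call; skip/seek count in these
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/hpot-sda1.img"     # stand-in for /dev/sda1 on the honeypot (constructed)
DST="$WORK/evidence.dd"       # the image file on the forensic workstation

make_source() {
    # 1024 lines of exactly 64 bytes = 65536 bytes = 16 blocks of 4096.
    # Every line is distinct, so a block landing at the wrong offset is detected.
    i=0
    : > "$SRC"
    while [ "$i" -lt 1024 ]; do
        printf '%-63s\n' "hpot block $i" >> "$SRC"
        i=$((i + 1))
    done
}

blocks_done() {
    # Whole blocks already present in the partial image. A trailing partial
    # block (connection dropped mid-record) is rounded down and re-sent.
    [ -f "$1" ] || { echo 0; return; }
    echo $(( $(wc -c < "$1") / BS ))
}

# Sender side of the thread's "dd | nc" pipeline, resumed from block N.
# Over the wire this would be:   dd if=/dev/sda1 bs=$BS skip=$N | nc <workstation> <port>
# and on the workstation:        nc -l -p <port> | dd of=evidence.dd bs=$BS seek=$N
# Here both ends collapse into one dd call writing into the same file.
# stderr is left visible so dd's "records in / records out" report shows.
resume_image() {
    n=$(blocks_done "$DST")
    dd if="$SRC" of="$DST" bs="$BS" skip="$n" seek="$n" conv=notrunc
}

# Verify the image against the source: byte compare plus a checksum to record
# in the case notes (cksum is POSIX; use sha256sum/md5sum where available).
verify_image() {
    cmp -s "$SRC" "$DST" || return 1
    [ "$(cksum < "$SRC" | cut -d' ' -f1)" = "$(cksum < "$DST" | cut -d' ' -f1)" ]
}

make_source
# 1. "Dropped connection": only 6 whole blocks plus a partial 7th got through.
dd if="$SRC" of="$DST" bs="$BS" count=6 2>/dev/null
printf 'partial record' >> "$DST"
# 2. Resume from the last whole block with skip/seek instead of starting over.
resume_image
# 3. Check the result.
verify_image && echo "image complete and verified: $(blocks_done "$DST") blocks"
```

Replacing nc with cryptcat on both ends, as suggested in point 2, leaves the dd side of this unchanged; the skip/seek values still come from the byte count of the partial image on the receiving side.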

