Disk Imaging?

Dennis devel at muhlesteins.com
Tue Sep 6 10:27:10 MDT 2005


Matthew Ross Walker wrote:

>I just discovered a compromised server on my network at work, and I want
>to get the disk imaged so that I have a forensic copy around for further
>investigation, without having to keep the server isolated.
>
>I'm pretty sure 'dd' is the utility I need to use, but I'm having
>trouble finding the exact syntax for making a mirror of an existing
>drive. Any help?
>  
>
After plugging the hd into a new computer (or plugging a new hd into the existing computer):
# dd if=/<device/partition> of=/path/to/some/file
i.e.: # dd if=/dev/hda1 of=/home/me/olddrive.dat
You can mount the .dat file if you have loopback support in your kernel too:
# mount -o loop -t <fstype> olddrive.dat somedir

-Dennis

>Thanks.
>  
>
>
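Added example, not part of the original thread: for a forensic copy, the dd step from the reply is usually followed by a hash comparison, so the image can later be shown to match the source. The helper names (sha256_of, image_and_verify, verify_image) are hypothetical, and the script assumes sha256sum from coreutils is installed and that the source is not being written to while it runs.

```shell
#!/bin/sh
# Added example: image a source with dd, then prove the copy matches it.
# The function names below are hypothetical helpers, not standard tools.

# Print the SHA-256 of a file or block device (first field of sha256sum).
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# image_and_verify SRC IMAGE
#   SRC   device or partition to copy, e.g. /dev/hda1 (not mounted read-write)
#   IMAGE output file, e.g. /home/me/olddrive.dat (never overwritten)
# Writes IMAGE and IMAGE.sha256, prints the hash, and returns 0 only if the
# source and the image hash to the same value.
image_and_verify() {
    src=$1
    img=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    [ ! -e "$img" ] || { echo "$img already exists" >&2; return 2; }

    # Same dd invocation as in the reply, with a larger block size for speed.
    dd if="$src" of="$img" bs=1M || return 3

    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source changed during imaging or copy is bad" >&2
        return 1
    fi

    # Record the hash beside the image and drop write permission on the image.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    chmod 0444 "$img"
    echo "$img_hash"
}

# verify_image IMAGE: re-check the image against its recorded hash later on.
verify_image() {
    ( cd "$(dirname "$1")" &&
      sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Usage (as root, with the paths from the reply):
#   image_and_verify /dev/hda1 /home/me/olddrive.dat
```

Adding ro to the mount options from the reply (mount -o loop,ro) keeps the verified image from being modified while it is examined.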