Disk Imaging?

Nicholas Leippe nick at byu.edu
Tue Sep 6 10:27:43 MDT 2005


On Tuesday 06 September 2005 10:19 am, Matthew Ross Walker wrote:
> I just discovered a compromised server on my network at work, and I want
> to get the disk imaged so that I have a forensic copy around for further
> investigation, without having to keep the server isolated.
>
> I'm pretty sure 'dd' is the utility I need to use, but I'm having
> trouble finding the exact syntax for making a mirror of an existing
> drive. Any help?


dd if=$a of=$b bs=$c count=$d

$a = drive to image, e.g. /dev/hdb (or partition /dev/hdb1)
$b = target drive or file, e.g. /dev/hdc or /path/to/image/file
$c = 512 (block size)
$d = number of blocks, or leave off the count parameter entirely and
     dd will read until EOF

fdisk -l can tell you how many blocks there are


-- 
Respectfully,

Nicholas Leippe
Sales Team Automation, LLC
1335 West 1650 North, Suite C
Springville, UT  84663 +1 801.853.4090
http://www.salesteamautomation.com
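
[Added example, not part of the original message: a shell function that wraps the dd command from the reply above and then checks the copy against the source by SHA-256, so the image can be shown to match the drive. The function name image_and_verify and the .ddlog/.sha256 side files are assumptions made for this example.]

```shell
#!/bin/sh
# Added example (not from the original post): image a source with dd,
# then verify the copy by comparing SHA-256 hashes.
# Usage: sh image.sh SRC IMG    e.g. SRC=/dev/hdb IMG=/path/to/image/file

# image_and_verify SRC IMG
# Returns 0 only if the image hashes to the same value as the source.
image_and_verify() {
    src=$1
    img=$2

    if [ ! -r "$src" ]; then
        echo "cannot read $src" >&2
        return 2
    fi
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing $img" >&2
        return 2
    fi

    # No count= is given, so dd reads until EOF. dd reports its
    # records in/out on stderr; keep that with the image.
    dd if="$src" of="$img" bs=512 2>"$img.ddlog" || return 3

    # Hash both sides and record the values next to the image.
    src_sum=$(sha256sum < "$src" | cut -d' ' -f1)
    img_sum=$(sha256sum < "$img" | cut -d' ' -f1)
    printf 'source %s\nimage  %s\n' "$src_sum" "$img_sum" > "$img.sha256"

    # Drop write permission so the evidence copy is not modified by accident.
    chmod a-w "$img"

    [ "$src_sum" = "$img_sum" ]
}

# Run only when called with two arguments.
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

Run it against a source that is unmounted or attached read-only; a disk that is still being written to can change between the copy and the hash pass, and the comparison will then fail.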


