tensai at zmonkey.org
Tue Sep 6 10:30:29 MDT 2005
On Tue, 2005-09-06 at 10:19 -0600, Matthew Ross Walker wrote:
> I just discovered a compromized server on my network at work, and I want
> to get the disk imaged so that I have a forensic copy around for further
> investigation, without having to keep the server isolated.
> I'm pretty sure 'dd' is the utility I need to use, but I'm having
> trouble finding the exact syntax for making a mirror of an existing
> drive. Any help?
On the machine that will hold the images (host1):
host1$ nc -l -p 10000 |gzip >hda1.gz
And on the compromised machine running Knoppix (host2):
host2# dd if=/dev/hda1 | nc host1 10000
I've seen some times where dd doesn't seem to break the pipe to netcat
and it'll just sit there forever not writing data. I always keep track
in another terminal and ^C it when the file stops growing.
In this example I've used gzip because those drive images can usually be
compressed pretty well. You'll have to gunzip them before you can mount
them. And when you do that, make sure you make the file read-only and
mount it read-only as well.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://plug.org/pipermail/plug/attachments/20050906/9d4ee803/attachment.bin
More information about the PLUG