Disk Imaging?

Dennis devel at muhlesteins.com
Tue Sep 6 13:44:27 MDT 2005


Corey Edwards wrote:

>On Tue, 2005-09-06 at 10:19 -0600, Matthew Ross Walker wrote:
>
>>I just discovered a compromised server on my network at work, and I want
>>to get the disk imaged so that I have a forensic copy around for further
>>investigation, without having to keep the server isolated.
>>
>>I'm pretty sure 'dd' is the utility I need to use, but I'm having
>>trouble finding the exact syntax for making a mirror of an existing
>>drive. Any help?
>>
>
>On the machine that will hold the images (host1):
>
>        host1$ nc -l -p 10000 |gzip >hda1.gz
>
>And on the compromised machine running Knoppix (host2):
>
>        host2# dd if=/dev/hda1 | nc host1 10000
>
>I've seen some times where dd doesn't seem to break the pipe to netcat
>and it'll just sit there forever not writing data. I always keep track
>in another terminal and ^C it when the file stops growing.
>
I do this automatically with the -w param on nc, i.e.: nc -l -p 10000 -w 5 | etc...

>In this example I've used gzip because those drive images can usually be
>compressed pretty well. You'll have to gunzip them before you can mount
>them. And when you do that, make sure you make the file read-only and
>mount it read-only as well.
>
>Corey

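The dd | gzip acquisition from the thread, extended with the integrity check a forensic copy needs before anyone relies on it. This is an added example, not code from the thread or from the PLUG list; it assumes GNU coreutils (dd, sha256sum) and gzip, and replaces the netcat transport with a local pipe so it runs on a single host.

```shell
#!/bin/sh
# Added example (not from the thread): image a source device or file through the same
# dd | gzip pipeline, then prove the image matches the source before it is used as evidence.
# Assumptions: GNU coreutils and gzip are installed. The thread's nc transport is replaced
# by a local pipe here; on two hosts, put `| nc -w 5 host1 10000` after dd instead.
set -u

# Hash exactly what dd reads: the raw bytes of the device or file.
hash_source() {
    sha256sum "$1" | cut -d' ' -f1
}

# Image $1 into the gzip file $2. bs=512 keeps conv=noerror,sync at sector granularity:
# an unreadable sector is zero-filled instead of aborting the copy, and nothing beyond
# the source's real size is appended (a larger bs would zero-pad the last partial block
# and the hashes would no longer match).
acquire_image() {
    src=$1; img=$2
    dd if="$src" bs=512 conv=noerror,sync 2>/dev/null | gzip -c > "$img" || return 1
    chmod 0444 "$img"    # evidence copy: read-only from the moment it exists
}

# Hash the decompressed image without writing the uncompressed copy back to disk.
hash_image() {
    gzip -dc "$1" | sha256sum | cut -d' ' -f1
}

# Succeeds only when the image decompresses to exactly the bytes read from the source.
verify_image() {
    [ "$(hash_source "$1")" = "$(hash_image "$2")" ]
}

# Mount a verified, decompressed image for analysis so nothing on it can run or be changed
# (needs root; not exercised by the self-test below).
mount_image_ro() {
    mkdir -p "$2" && mount -o ro,loop,noexec,nodev,nosuid "$1" "$2"
}

# Constructed sample "disk": 64 sectors of random data standing in for /dev/hda1.
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
}
```

Record both hashes in the case notes at acquisition time; re-running verify_image later shows whether the stored image is still the bytes that were taken from the machine.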