Disk Imaging?

Tue Sep 6 10:27:10 MDT 2005

Matthew Ross Walker wrote:

>I just discovered a compromised server on my network at work, and I want
>to get the disk imaged so that I have a forensic copy around for further
>investigation, without having to keep the server isolated.
>I'm pretty sure 'dd' is the utility I need to use, but I'm having
>trouble finding the exact syntax for making a mirror of an existing
>drive. Any help?

After plugging in hd to new computer (or plug new hd into existing computer):
# dd if=/<device/partition> of=/path/to/some/file
ie: # dd if=/dev/hda1 of=/home/me/olddrive.dat
You can mount the .dat file if you have loopback support in your kernel too:
# mount -o loop -t <fstype> olddrive.dat somedir
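
Added example, not part of the original posts: a shell wrapper around the same dd invocation that also records a SHA-256 of the source and of the image, so the copy can later be shown to match what was on the disk. The function name `image_and_verify`, the 64 KiB block size and the `.sha256` / `.dd.log` side files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the thread).
# image_and_verify SRC IMG
#   SRC: partition or disk to copy, e.g. /dev/hda1 as in the reply above
#        (any readable file also works, which is how it can be tried safely)
#   IMG: image file to create, e.g. /home/me/olddrive.dat
# Returns 0 only if the image hashes to the same value as the source.
image_and_verify() {
    src=$1
    img=$2

    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2
        return 2
    fi
    # Never overwrite an existing image: it may already be evidence.
    if [ -e "$img" ]; then
        echo "refusing to overwrite: $img" >&2
        return 2
    fi

    # Hash the source first; the disk must not be mounted read-write
    # while this runs, or the two hashes will legitimately differ.
    src_hash=$(sha256sum < "$src" | cut -d' ' -f1) || return 2

    # Plain copy. conv=noerror,sync is deliberately not used here: it pads
    # short reads with zeros, which changes the image and breaks the check.
    dd if="$src" of="$img" bs=65536 2> "$img.dd.log" || return 2

    img_hash=$(sha256sum < "$img" | cut -d' ' -f1) || return 2

    # Keep the hash next to the image in 'sha256sum -c' format.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img"

    [ "$src_hash" = "$img_hash" ]
}

# Stand-alone use: sh image.sh /dev/hda1 /home/me/olddrive.dat
# To look inside afterwards without changing the file, add 'ro' to the
# loop mount shown above: mount -o loop,ro -t <fstype> olddrive.dat somedir
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

Running `sha256sum -c olddrive.dat.sha256` in the image's directory at any later point re-checks that the file has not changed since it was taken.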


