
Re: Using dd.exe to make forensic images of NTFS drives

From: <shrink-wrap(at)hushmail.com>
Date: Tue Aug 12 2003 - 15:06:31 EDT
In-Reply-To: <MDEOKNCKAOFOENLIJCMJMELGCCAA.Sakaba@alexandria.cc>

sakaba,

I don't want to seem problematic, but have you tried to mount the images on your forensic system with the mount command? A line like this should work:

[root@localhost root]# mount -t ntfs /windowsimage.img /mnt/windisk

where windowsimage.img is the file you have dd'ed across to the forensics machine and /mnt/windisk is a legit (unmounted) directory on your forensics system. If you can't, then there might be your answer. Also make sure that if you are taking the whole disk (i.e. if=\\.\PhysicalDrive0) you "do the math" to make sure you skip the MBR (search the archives of this list to get more info; it is there...).

As for not taking down a box and rebooting it, the tools I use are either a floppy with dd.exe and nc.exe on it (takes about an hour per GB via crossover cable connection), or you can use the FIRE CD and just use the Windows binaries in the <CD_drive>:\statbin\Win32\ (UNIX tools) or <CD_drive>:\Win32 (info collection) directory.

Hope this helps.

Shrink-wrap
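The "do the math" step the reply refers to, as an added example that is not part of the original post: when the image was taken from the whole physical disk rather than a single partition, the NTFS volume does not start at byte 0, so the first partition's starting sector has to be read out of the MBR partition table (bytes 446 to 509 of sector 0, four 16-byte entries, little-endian 32-bit LBA start at entry offset 8) and turned into a byte offset for mount's loop option. The script below builds a constructed 512-byte MBR with one NTFS (type 0x07) partition starting at LBA 63, parses it with od, and prints the offset; the file names and the helper names are assumptions for the example.

```shell
#!/bin/sh
# Added example: compute the mount offset of a partition inside a whole-disk dd image.
# Assumes a classic MBR partition table and 512-byte sectors; GPT disks need a different parser.

# Print the byte offset of partition N (1..4) from the MBR in image $1.
mbr_partition_offset() {
  img=$1
  n=${2:-1}
  entry=$((446 + (n - 1) * 16))            # start of the 16-byte partition entry
  # LBA start lives at entry+8 as 4 little-endian bytes; assemble by hand so the
  # result does not depend on the host's byte order.
  set -- $(od -An -t u1 -j $((entry + 8)) -N 4 "$img")
  lba=$(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
  echo $((lba * 512))
}

# Print the partition type byte (hex) of partition N; 07 is NTFS/HPFS/exFAT.
mbr_partition_type() {
  img=$1
  n=${2:-1}
  entry=$((446 + (n - 1) * 16))
  od -An -t x1 -j $((entry + 4)) -N 1 "$img" | tr -d ' '
}

# Build a constructed 512-byte MBR (sample data, not a real disk) with one
# bootable NTFS partition: LBA start 63, 2048 sectors, boot signature 55 AA.
make_fake_mbr() {
  out=$1
  dd if=/dev/zero of="$out" bs=512 count=1 2>/dev/null
  # status 80, CHS start 00 00 00, type 07, CHS end 00 00 00,
  # LBA start 3f 00 00 00 (63), sector count 00 08 00 00 (2048)
  printf '\200\000\000\000\007\000\000\000\077\000\000\000\000\010\000\000' \
    | dd of="$out" bs=1 seek=446 conv=notrunc 2>/dev/null
  printf '\125\252' | dd of="$out" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Stand-alone run: fabricate the MBR, report the offset, and show the mount line
# that would use it (mount itself is not executed here).
if [ "${1:-}" = "--demo" ]; then
  img=$(mktemp)
  make_fake_mbr "$img"
  off=$(mbr_partition_offset "$img" 1)
  echo "partition 1 type 0x$(mbr_partition_type "$img" 1) starts at byte $off"
  echo "mount -t ntfs -o ro,loop,offset=$off /windowsimage.img /mnt/windisk"
  rm -f "$img"
fi
```

For a partition starting at sector 63 the offset is 63 * 512 = 32256, which is the value to pass as `-o ro,loop,offset=32256`. Mounting read-only (`ro`) keeps the image's hash stable so it can be re-verified against the hash taken at acquisition time, and hashing the image before and after the examination is the usual way to show it was not altered.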



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Wed Aug 13 09:23:06 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:45 EDT

