Re: Using dd.exe to make forensic images of NTFS drives

From: Jeremiah Cornelius <jeremiah(at)nur.net>
Date: Wed Aug 13 2003 - 11:38:09 EDT

On Tuesday 12 August 2003 12:06 pm, shrink-wrap@hushmail.com wrote:
> In-Reply-To: <MDEOKNCKAOFOENLIJCMJMELGCCAA.Sakaba@alexandria.cc>
<SNIP>
> a line like should work:

Ummmm...
You need to specify a disk image to use the loopback device in Linux, which means loopback support must be available in the kernel, or as a module - most distribution kernels have this already. A good simple check for this is to see if you have the file /dev/loop0 present.

Your mount command for this is:

mount -t ntfs -o loop /windowsimage.img /mnt/windisk
                    ^^^^^^^

F.I.R.E. is good - check out Knoppix! It is a very rich environment for most any task, and loads to a RAMdisk from read-only media. Knoppix is a self-hosting terminal server and offers remote network boot, etc.

http://www.knopper.net/knoppix/index-en.html

There is also a Security/Forensics specialty variant which has been recently established by another author:

http://www.knoppix-std.org

-- 
Jeremiah Cornelius, CISSP, CCNA, MCSE
Information Security Technology
email: jcorneli@hotmail.com - mobile: 415.235.7689

"What would be the use of immortality to a person who cannot use well a half 
hour?"
--Ralph Waldo Emerson


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com

Received on Wed Aug 13 22:07:32 2003