Matthew Ross Walker wrote:
> I just discovered a compromised server on my network at work, and I want
> to get the disk imaged so that I have a forensic copy around for further
> investigation, without having to keep the server isolated.
>
> I'm pretty sure 'dd' is the utility I need to use, but I'm having
> trouble finding the exact syntax for making a mirror of an existing
> drive. Any help?

After plugging the hd into a new computer (or plugging a new hd into the existing computer):

    # dd if=/<device/partition> of=/path/to/some/file

i.e.:

    # dd if=/dev/hda1 of=/home/me/olddrive.dat

You can mount the .dat file if you have loopback support in your kernel too:

    # mount -o loop -t <fstype> olddrive.dat somedir
-Dennis

> Thanks.

.-----------------------------------.
| This has been a P.L.U.G. mailing. |
| Don't Fear the Penguin.           |
| IRC: #utah at irc.freenode.net    |
`-----------------------------------'
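The dd copy and loop mount from Dennis's reply, written out as an added example (this is not code from the thread or from the PLUG list) with the two things a forensic copy needs on top: a SHA-256 of the source and of the image recorded beside the image so the copy can be shown to be faithful, and a mount that cannot alter the evidence or let a planted setuid binary run. All paths are hypothetical, the `hda1.dev` "device" in the demo is a constructed 1 MiB file of random bytes so the script runs without root or a spare drive, and the script assumes dd plus sha256sum (or shasum) are available.

```shell
#!/bin/sh
# Added example, not code from the thread above: image a drive with dd and
# verify the copy, the way the reply's "dd if=/dev/hda1 of=olddrive.dat"
# would be done for evidence. All paths here are hypothetical, and the demo
# at the bottom builds a constructed 1 MiB "device" file so it runs without
# root or a spare disk. Assumes dd and sha256sum (or shasum) are installed.
set -eu

# SHA-256 of a file, printed as a bare hex digest.
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# image_and_verify SRC DST
# Copy SRC (a device such as /dev/hda1, or any file) to DST with dd, then
# hash both and write the digests next to the image. Returns 0 only if the
# image hashes identically to the source. The source must not be mounted
# read-write while this runs, or the two hashes will legitimately differ.
image_and_verify() {
    src="$1"
    dst="$2"
    src_hash=$(hash_of "$src")
    # bs=512 matches the sector size, so conv=noerror,sync can skip an
    # unreadable sector and pad it with zeros without shifting every later
    # offset in the image; without noerror, dd stops at the first read error.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null
    dst_hash=$(hash_of "$dst")
    printf '%s  %s\n' "$src_hash" "$src" >"$dst.sha256"
    printf '%s  %s\n' "$dst_hash" "$dst" >>"$dst.sha256"
    [ "$src_hash" = "$dst_hash" ]
}

# ro_mount_command IMAGE START_SECTOR FSTYPE DIR
# Build the loop mount for examining the image. ro keeps the evidence
# unchanged; noexec,nodev,nosuid stop a setuid binary or device node left
# by the intruder from being usable on the analysis box; offset= lets a
# whole-disk image be mounted at a partition's start sector (0 for a
# partition image like the hda1 example).
ro_mount_command() {
    image="$1"
    start_sector="$2"
    fstype="$3"
    dir="$4"
    printf 'mount -o ro,loop,noexec,nodev,nosuid,offset=%d -t %s %s %s\n' \
        "$((start_sector * 512))" "$fstype" "$image" "$dir"
}

# make_sample_device PATH : constructed stand-in for a real drive, 2048
# sectors of random bytes (1 MiB).
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Demo on the constructed device, cleaned up afterwards.
demo_dir=$(mktemp -d)
make_sample_device "$demo_dir/hda1.dev"
if image_and_verify "$demo_dir/hda1.dev" "$demo_dir/olddrive.dat"; then
    echo "image verified:"
    cat "$demo_dir/olddrive.dat.sha256"
else
    echo "HASH MISMATCH: do not trust this image" >&2
fi
echo "to examine (needs root, and the real fstype):"
ro_mount_command "$demo_dir/olddrive.dat" 0 ext3 /mnt/evidence
rm -rf "$demo_dir"
```

Two caveats when running this against a real drive: take the image from an unmounted source (boot the machine from rescue media, or move the drive as the reply suggests), since dd over a filesystem that is mounted read-write gives an inconsistent copy whose hash will not match a later re-read; and for ext3/ext4 add `noload` to the mount options, because a plain `ro` mount still replays the journal and so writes to the image. For a whole-disk image, the start sector for `offset=` comes from the partition table (`fdisk -l` on the image or the original device).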
