On Tuesday 06 September 2005 10:19 am, Matthew Ross Walker wrote:
> I just discovered a compromised server on my network at work, and I want
> to get the disk imaged so that I have a forensic copy around for further
> investigation, without having to keep the server isolated.
>
> I'm pretty sure 'dd' is the utility I need to use, but I'm having
> trouble finding the exact syntax for making a mirror of an existing
> drive. Any help?
dd if=$a of=$b bs=$c count=$d
$a = drive to image, eg /dev/hdb (or partition /dev/hdb1)
$b = target drive or file, eg /dev/hdc or /path/to/image/file
$c = 512 (block size)
$d = number of blocks, or leave off the count parameter entirely and dd will read until EOF
fdisk -l can tell you how many blocks there are
--
Respectfully,
Nicholas Leippe
Sales Team Automation, LLC
1335 West 1650 North, Suite C
Springville, UT 84663 +1 801.853.4090
http://www.salesteamautomation.com
.-----------------------------------.
| This has been a P.L.U.G. mailing. |
| Don't Fear the Penguin. |
| IRC: #utah at irc.freenode.net |
`-----------------------------------'
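Worked example, added here and not part of the thread: a small POSIX shell script that images a drive with the dd invocation above, then hashes source and image to confirm the copy is bit-for-bit identical. It assumes dd, sha256sum, head and wc from coreutils, and stands in a constructed sample file for a real device such as /dev/hdb.

```shell
#!/bin/sh
# Added example, not from the thread: image a drive with dd and verify the
# copy by hashing. Assumes coreutils (dd, sha256sum, head, wc, yes).
# The "drive" is a constructed sample file so this runs without hardware;
# on a real host the source would be a device such as /dev/hdb.

# image_disk SOURCE DEST [BLOCK_SIZE]
# bs=512 matches the thread; a larger bs (e.g. 4M) is faster on real disks.
# conv=noerror,sync keeps reading past unreadable sectors and zero-pads
# them, so offsets in the image still line up with the original drive.
# dd's stderr is kept so read errors are visible.
image_disk() {
    dd if="$1" of="$2" bs="${3:-512}" conv=noerror,sync
}

# verify_image SOURCE DEST
# Prints "match" when DEST, truncated to SOURCE's length, hashes the same
# as SOURCE (sync padding of the final block would otherwise produce a
# false mismatch), and "mismatch" otherwise.
verify_image() {
    len=$(wc -c < "$1" | tr -d ' ')
    h1=$(sha256sum < "$1" | cut -d' ' -f1)
    h2=$(head -c "$len" "$2" | sha256sum | cut -d' ' -f1)
    if [ "$h1" = "$h2" ]; then
        echo match
    else
        echo mismatch
    fi
}

# make_sample_drive PATH SIZE_BYTES: constructed stand-in for a block device.
make_sample_drive() {
    yes 'constructed sample sector data' | head -c "$2" > "$1"
}

work=$(mktemp -d)
make_sample_drive "$work/hdb" 32768          # 64 blocks of 512 bytes
image_disk "$work/hdb" "$work/hdb.dd"
echo "image: $(verify_image "$work/hdb" "$work/hdb.dd")"
echo "bytes: $(wc -c < "$work/hdb.dd" | tr -d ' ')"
rm -rf "$work"
```

Record the two hashes alongside the image; they are what lets you show later that the copy you analysed is the one taken from the server.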