Corey Edwards wrote:

> On Tue, 2005-09-06 at 10:19 -0600, Matthew Ross Walker wrote:
>
>> I just discovered a compromised server on my network at work, and I want
>> to get the disk imaged so that I have a forensic copy around for further
>> investigation, without having to keep the server isolated.
>>
>> I'm pretty sure 'dd' is the utility I need to use, but I'm having
>> trouble finding the exact syntax for making a mirror of an existing
>> drive. Any help?
>
> On the machine that will hold the images (host1):
>
>     host1$ nc -l -p 10000 | gzip > hda1.gz
>
> And on the compromised machine running Knoppix (host2):
>
>     host2# dd if=/dev/hda1 | nc host1 10000
>
> I've seen some times where dd doesn't seem to break the pipe to netcat
> and it'll just sit there forever not writing data. I always keep track
> in another terminal and ^C it when the file stops growing.

I do this automatically with the -w param on nc, i.e.:

    nc -l -p 10000 -w 5 | etc...
> In this example I've used gzip because those drive images can usually be
> compressed pretty well. You'll have to gunzip them before you can mount
> them. And when you do that, make sure you make the file read-only and
> mount it read-only as well.
>
> Corey
>
> ------------------------------------------------------------------------
>
> .-----------------------------------.
> | This has been a P.L.U.G. mailing. |
> | Don't Fear the Penguin.           |
> | IRC: #utah at irc.freenode.net    |
> `-----------------------------------'
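As an added example that is not part of the original thread, the script below carries Corey's dd | gzip recipe through the steps a forensic copy needs: a hash of the source taken at imaging time, a check that the stored image decompresses to the same bytes, and a write-protected image file. It assumes the network hop (`| nc host1 10000` and the `nc -l -p 10000 -w 5` listener) is replaced by a local pipe so it runs on one machine, and the sample "disk" is a constructed 1 MiB file rather than /dev/hda1.

```shell
#!/bin/sh
# Added example, not code from the original thread. Images a file or block
# device the way Corey describes (dd | gzip), then verifies and locks down
# the result. Assumption: the nc hop is replaced by a local pipe here; on a
# real receiver you would still run:  nc -l -p 10000 -w 5 | gzip > hda1.gz
set -u

# sha256 of a file or block device, hash only
hash_of() { sha256sum < "$1" | cut -d' ' -f1; }

# verify_image SRC IMAGE.gz: returns 0 if the gunzipped image is
# byte-for-byte identical to SRC, 1 otherwise
verify_image() {
    src_hash=$(hash_of "$1")
    img_hash=$(gunzip -c "$2" | sha256sum | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "MISMATCH source=$src_hash image=$img_hash" >&2
        return 1
    fi
    return 0
}

# image_and_verify SRC IMAGE.gz: dd the source through gzip, write-protect
# the file, verify it, and print "OK <sha256>" on success
image_and_verify() {
    src=$1; dest=$2
    # dd reads raw blocks; gzip stands in for the "| nc host1 10000" leg
    dd if="$src" bs=4k 2>/dev/null | gzip > "$dest" || return 1
    # Make the image read-only as Corey advises; when mounting later use
    # a read-only loop mount as well:  mount -o ro,loop IMAGE /mnt/evidence
    chmod 0444 "$dest"
    verify_image "$src" "$dest" || return 1
    echo "OK $(hash_of "$src")"
}

# Constructed sample disk: 1 MiB of random bytes in a temp dir. Against a
# real partition you would pass /dev/hda1 (as root) instead.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/hda1.raw" bs=1024 count=1024 2>/dev/null
    image_and_verify "$tmp/hda1.raw" "$tmp/hda1.gz"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Keep the printed hash with the image; re-running verify_image against it later is how you show the copy has not changed since acquisition.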
