[clug] Simple computer forensics?

freegazer freegazer at gmail.com
Sat Oct 15 07:40:43 GMT 2005


> Know a good dd command to clone a disk?
> (Don't know if it's FAT or NTFS)

Just finished a W2k rebuild using the following command:
ntfsclone /dev/hda1 /dev/hdb1

Source and destination were identical hardware, so no extra options were required.
ntfsclone is a default tool on Knoppix 4.02 (also found it faster than doing
similar with dd).
If an image file is required, clone can do that for you as well.
Obviously it's NTFS specific.

For the cleaning I would also advise you to look at the free tools from
Sysinternals and Winternals, esp. 'procexp' and 'autoruns'.
Fairly mild learning curve if you aren't completely new to mal-hunting;
in fact Sysinternals tools come pretty close to Linux quality ;-)




On 10/14/05, Rodney Peters <rpeters at pcug.org.au> wrote:
>
> I have cloned a working Win98 on FAT using the command suggested by Leigh.
> Purpose was a backup, prior to conversion to FAT32. The target disk was a
> few kB smaller, so I de-fragged the partition first, then dd only the number
> of sectors available on the target by including the count= parameter.
>
> If you just want a backup, then partimage will give you a compressed image of
> most partition types, including NTFS, HPFS, FAT as well as the common Linux
> types. Advantage of this tool is that it produces a .gz file, which might be
> restorable by other means. I've successfully restored an NTFS partition to a
> PC and it worked OK.
>
> Rod
>
> On Thursday 13 October 2005 22:00, linux-request at lists.samba.org wrote:
> > Re: [clug] Simple computer forensics?
> > From:
> > Red Phoenix <intersect at gmail.com>
> > To:
> > Michael James <Michael.James at csiro.au>
> > CC:
> > linux at lists.samba.org
> > Date:
> > Yesterday 15:44:58
> >
> > G'day Michael,
> >
> > On Thu, 2005-10-13 at 15:17 +1000, Michael James wrote:
> >
> > Know a good dd command to clone a disk?
> > (Don't know if it's FAT or NTFS)
> >
> >
> > The good news is that the format won't matter.
> > As long as the source & target disks are IDENTICAL in all respects, or the
> > target disk is larger than the source, the following command should provide
> > you with what you're after.
> >
> > Assuming that the 'source' drive is /dev/hda, and the 'target' drive is
> > '/dev/hdb', you can just:
> >
> > # dd if=/dev/hda of=/dev/hdb
> > .. to clone a disk.
> >
> > (note: make sure you don't use /dev/hda[number] (eg: /dev/hda1) - as this
> > won't grab the master boot record, whereas the command above, will).
> >
> > The method above is pretty slow usually, so we generally need to delve into
> > the dd options a little to speed it up.
> >
> > The optimal block size is a little tough to determine, but for most modern
> > IDE drives, 8k should be about right. Using an 8k block size, should speed
> > up the process a bit for you. So:
> >
> > # dd if=/dev/hda of=/dev/hdb bs=8k
> >
> > .. make sure you verify that hda is definitely the source, and hdb is
> > definitely the target. :)
> >
> > Can a suspect windows PC
> > be comprehensively checked for malware,
> > or is re-building the only sure path?
> >
> >
> > Yes and no. It can only really be comprehensively evaluated, when you have
> > a 'known clean snapshot' image to compare against. Otherwise, you'll have
> > some risk that you'll have a few hangers on. The combination of ad-aware,
> > spybot search & destroy, and an up-to-date virus checker, may reduce the
> > likelihood of problems to an acceptable level for you though.
> >
> > Good luck with the cleanout.
> >
> > Regards,
> >
> > Leigh.
> >
> > TIA,
> > michaelj
> >
> > --
> > Michael James michael.james at csiro.au
> > System Administrator voice: 02 6246 5040
> > CSIRO Bioinformatics Facility fax: 02 6246 5166
> >
> > No matter how much you pay for software,
> > you always get less than you hoped.
> > Unless you pay nothing, then you get more.
> >
> > --
> > Leigh Purdie, Director - InterSect Alliance Pty Ltd
> > http://www.intersectalliance.com/
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux
>
>


--
by ipxodi (156633) on Tuesday August 23, @07:47AM (#13378220) (
http://slashdot.org/)
Duct tape is one of the sacred triumvirate of the Most Important Tools in
the World. Use the Tool Triumvirate thusly:
1) If it moves and it shouldn't -- use Duct Tape.
2) If it doesn't move and it should -- use WD-40.
3) If it should sometimes move -- use Velcro.
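The thread above covers three points that belong together in practice: dd with bs=8k (Leigh), capping the copy with count= when the target is a few kB smaller (Rod), and "make sure you verify" source and target. The script below is an added example, not code from anyone on the list, that ties them together: it computes how many whole blocks fit on the target, copies exactly that many, and then refuses to call the clone good unless the copied region hashes identically on both sides. It operates on constructed temporary image files rather than the /dev/hda and /dev/hdb of the thread; the function names and the use of sha256sum (GNU coreutils) and conv=noerror,sync are my choices, not anything the posters mention.

```shell
#!/bin/sh
# Added example (not from the thread): clone with dd, limited to the block
# count a smaller target can hold, then verify the copy by SHA-256 before
# trusting it. All paths are constructed temp files, not real disks.
set -eu

# blocks_that_fit TARGET_BYTES BLOCK_BYTES
# Prints how many whole dd blocks fit on the target, so dd is never told to
# write past the end of the destination (the count= trick from the thread).
blocks_that_fit() {
    echo $(( $1 / $2 ))
}

# region_hash PATH BLOCK_BYTES COUNT
# SHA-256 of exactly COUNT*BLOCK_BYTES bytes read from PATH, so source and
# target are compared over the same region even when their sizes differ.
region_hash() {
    dd if="$1" bs="$2" count="$3" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# clone_verified SRC DST BLOCK_BYTES COUNT
# Copies COUNT blocks of SRC onto DST; returns 0 only if the copied region
# hashes identically on both sides, 1 if the clone does not match.
clone_verified() {
    src=$1; dst=$2; bs=$3; count=$4
    # conv=noerror,sync keeps going over unreadable blocks (zero-padding them)
    # so one bad sector does not abort the whole image; the hash check below
    # is what tells you whether the result is actually a faithful copy.
    dd if="$src" of="$dst" bs="$bs" count="$count" conv=noerror,sync 2>/dev/null
    sync
    before=$(region_hash "$src" "$bs" "$count")
    after=$(region_hash "$dst" "$bs" "$count")
    if [ "$before" = "$after" ]; then
        echo "OK   $count x $bs bytes, sha256 $before"
        return 0
    fi
    echo "FAIL source $before != target $after" >&2
    return 1
}

# demo: a constructed 96 KiB "source" and a 64 KiB "target" that is too small
# for a whole-image copy, mirroring the smaller-disk case Rod describes.
# Returns 0 when the capped clone verifies, 1 otherwise.
demo() {
    work=$(mktemp -d)
    src="$work/source.img"; dst="$work/target.img"
    dd if=/dev/urandom of="$src" bs=8192 count=12 2>/dev/null
    dd if=/dev/zero    of="$dst" bs=8192 count=8  2>/dev/null
    count=$(blocks_that_fit "$(wc -c < "$dst")" 8192)   # 8 blocks fit
    if clone_verified "$src" "$dst" 8192 "$count"; then rc=0; else rc=1; fi
    rm -rf "$work"
    return $rc
}

demo
```

Recording the source hash before the copy and the target hash after it is also what lets a later "known clean snapshot" comparison (Leigh's point) mean anything: without a hash taken at clone time, you cannot tell whether a difference found later is malware or a bad copy.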

