Partition copy to a remote box / forensics

foodog plug-discuss@lists.plug.phoenix.az.us
Fri, 20 Dec 2002 01:48:02 -0700


I have a question I hope someone can help with.  

Suppose:
A Bad Person hacks an NT4/W2K/XP/.NyET box (I know - pretty fanciful). 
A Good Person shuts it off and drops the box amongst all the other crap
in my office.

I'd like to boot it from CD using Knoppix (for example) and use dd to snag
an image copy of the NTFS or FAT32 partitions, copying them off to a
Linux box.  Then, presumably, I can use goodies like the Coroner's
Toolkit or @Stake's enhanced version of same to poke around in the
remains at my leisure (and send the Tainted Box off to be reimaged and
start the cycle again).

Can someone suggest a command to store the image elsewhere using scp or
even ftp?

Slight digression:  If I dutifully document/timestamp each step of the
process and do an md5sum of the image immediately after creation, is
that likely to be "usable evidence" later on if the need arises?

Thanks much! :-)
Steve
4 shoppin' days left...
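A worked version of the dd pipeline Steve asks about, added here as an example; it is not part of the original post or of any reply. The device `/dev/hda1`, the host `analyst@collector` and the `/evidence/...` paths in the comments are placeholder names, and the demo at the bottom images a constructed 16 KiB file of random bytes instead of a real partition so it runs without hardware. The hash is taken from the byte stream as it leaves dd, before it crosses the network, which is the number to write in the notes "immediately after creation".

```shell
#!/bin/sh
# Added example; not part of the original post.  Device names, the remote
# host and the evidence paths in the comments are placeholders.
set -e

# image_partition SRC MD5FILE SINK
#   Reads SRC with dd, hashes the bytes locally as they leave dd (tee feeds
#   a FIFO that md5sum reads), writes the digest to MD5FILE, and pipes the
#   same bytes into SINK, a shell command that consumes stdin:
#     locally : 'cat > /evidence/hda1.img'
#     remotely: "ssh analyst@collector 'cat > /evidence/hda1.img'"
#   dd's own record counts and any read-error messages land in MD5FILE.log,
#   which belongs in the case notes next to the timestamp.
image_partition() {
    src=$1; md5file=$2; sink=$3
    fdir=$(mktemp -d); fifo=$fdir/fifo
    mkfifo "$fifo"
    # hash reader runs in the background; it blocks until tee opens the FIFO
    md5sum <"$fifo" | awk '{print $1}' >"$md5file" &
    # bs=512 matches the sector size, so conv=noerror,sync replaces exactly
    # one unreadable sector with zeros instead of padding a whole 64k block;
    # bigger blocks are faster but pad more per error
    dd if="$src" bs=512 conv=noerror,sync 2>"$md5file.log" \
        | tee "$fifo" | sh -c "$sink"
    wait                      # make sure md5sum has finished writing MD5FILE
    rm -rf "$fdir"
    cat "$md5file"            # digest of the image as taken
}

# verify_image IMG MD5FILE
#   Recomputes the digest of a stored image and compares it with the one
#   recorded at acquisition time.  Exit status 0 means they match.
verify_image() {
    img=$1; md5file=$2
    [ "$(md5sum "$img" | awk '{print $1}')" = "$(cat "$md5file")" ]
}

# Constructed demo input: a 16 KiB "partition" of random bytes in a temp
# dir stands in for /dev/hda1 so the pipeline can be run end to end here.
DEMO=$(mktemp -d)
dd if=/dev/urandom of="$DEMO/hda1" bs=4096 count=4 2>/dev/null
DEMO_MD5=$(image_partition "$DEMO/hda1" "$DEMO/hda1.md5" "cat > '$DEMO/hda1.img'")
echo "image digest: $DEMO_MD5"
verify_image "$DEMO/hda1.img" "$DEMO/hda1.md5" && echo "stored image verifies"
```

With the ssh sink the same function streams the image to the collector and still records the digest locally; afterwards run `md5sum` on the remote file and check it against the recorded value, and read the device a second time with `md5sum /dev/hda1` so the notes show source, stream and stored copy all agreeing. Run it from the Knoppix boot with the partition left unmounted, since mounting it read-write (even just a journal replay on NTFS) changes the bytes you are about to hash.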