Partition copy to a remote box / forensics

David A. Sinck plug-discuss@lists.plug.phoenix.az.us
Fri, 20 Dec 2002 08:12:33 -0700


\_ SMTP quoth foodog on 12/20/2002 01:48 as having spake thusly:
\_
\_ I have a question I hope someone can help with.  
\_ 
\_ Suppose:
\_ A Bad Person hacks an NT4/W2K/XP/.NyET box (I know - pretty fanciful). 
\_ A Good Person shuts it off and drops the box amongst all the other crap
\_ in my office.
\_ 
\_ I'd like to boot it from CD using Knoppix (for ex.) and use dd to snag
\_ an image copy of the NTFS or FAT32 partitions, copying them off to a
\_ Linux box.  Then, presumably, I can use goodies like the Coroner's
\_ Toolkit or @Stake's enhanced version of same to poke around in the
\_ remains at my leisure (and send the Tainted Box off to be reimaged and
\_ start the cycle again).

IIRC, knoppix comes with a ntfs.o kernel module.

\_ Can someone suggest a command to store the image elsewhere using scp or
\_ even ftp?

scp -C /dev/hda1 mylocalhost:omg_its_huge_hda1

YMMV.

\_ Slight digression:  If I dutifully document/timestamp each step of the
\_ process and do an md5sum of the image immediately after creation, is
\_ that likely to be "usable evidence" later on if the need arises?

The 'drops it in my office' part probably says no.  It's my
understanding that a compromised box has to be 'secured' at all times.
Because the cleaning crew could come in, power it up, alter the
contents of the disk, unplug it, and put it exactly back where you
left it and you'd be none the wiser, yet the disk would be ... ahem
... cleaned.

David
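Pulling together the dd-plus-scp step and the md5sum/timestamp question from the same thread, here is an added shell example that is not from the original post: it reads a partition with dd, streams it to a storing command, hashes the identical bytes in flight, and writes timestamps and the hash to a log. The function names, the log format, and the use of ssh+cat in place of the scp one-liner (so the hash is computed once, during the copy, rather than in a second pass over the device) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Image a partition with dd, hand the
# stream to a storing command, and hash the same bytes in flight so the md5
# in the log is the md5 of what was actually sent. Names are assumed.
set -eu

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# image_partition SRC DEST_CMD LOG
#   SRC       block device or file to read (e.g. /dev/hda1 from a live CD)
#   DEST_CMD  command that stores stdin, e.g. "ssh linuxbox 'cat > hda1.img'"
#   LOG       file that receives start/end timestamps, dd's counts, the md5
# Prints the md5 of the stream on stdout.
image_partition() {
    src=$1; dest_cmd=$2; log=$3
    work=$(mktemp -d); fifo=$work/stream
    mkfifo "$fifo"
    printf '%s START src=%s dest=%s\n' "$(stamp)" "$src" "$dest_cmd" >>"$log"
    # md5sum reads tee's second copy of the stream, so it hashes exactly the
    # bytes dd produced, independent of what the remote side writes to disk.
    md5sum <"$fifo" | cut -d' ' -f1 >"$work/md5" &
    dd if="$src" bs=65536 2>>"$log" | tee "$fifo" | sh -c "$dest_cmd"
    wait
    sum=$(cat "$work/md5")
    rm -rf "$work"
    printf '%s END md5=%s\n' "$(stamp)" "$sum" >>"$log"
    echo "$sum"
}

# verify_image IMAGE EXPECTED_MD5: succeeds only if the stored copy still
# hashes to the value recorded at acquisition time.
verify_image() {
    [ "$(md5sum <"$1" | cut -d' ' -f1)" = "$2" ]
}
```

The md5 printed at the end and the END line in the log are what you compare against the stored image later; if you prefer a stronger digest, sha256sum drops in for md5sum unchanged.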