Partition copy to a remote box / forensics

der.hans plug-discuss@lists.plug.phoenix.az.us
Fri, 20 Dec 2002 12:01:18 -0700 (MST)


Am 20. Dec, 2002 schw=E4tzte foodog so:

> I have a question I hope someone can help with.
>
> Suppose:
> A Bad Person hacks an NT4/W2K/XP/.NyET box (I know - pretty fanciful).
> A Good Person shuts it off and drops the box amongst all the other crap
> in my office.
>
> I'd like to boot it from CD using Knoppix (for ex.) and use dd to snag
> an image copy of the NTFS or FAT32 partitions, copying them off to a
> Linux box.  Then, presumably, I can use goodies like the Coroner's
> Toolkit or @Stake's enhanced version of same to poke around in the
> remains at my leisure (and send the Tainted Box off to be reimaged and
> start the cycle again).
>
> Can someone suggest a command to store the image elsewhere using scp or
> even ftp?

dd if=3D/dev/hda1 | ssh remote_host dd of=3D/var/tmp/hda1_from_cracked_box.=
img

Do a sanity check on that. It should be a bit for bit copy of the drive,
though. No FS changes, etc.

Make sure you have room for the image and the remote location is also
secure.

> Slight digression:  If I dutifully document/timestamp each step of the
> process and do an md5sum of the image immediately after creation, is
> that likely to be "usable evidence" later on if the need arises?

That I don't know. Check w/ legal council at your workplace. I'd think gpg
sig would be better, but I've seen someone give a non-definitive answer tha=
t
gpg/pgp has not yet been accepted by the courts, but md5 has. Do both.
Cross-sign both with each other.

ciao,

der.hans
--=20
#  https://www.LuftHans.com/    http://www.TOLISGroup.com/
#  ... make it clear I support "Free Software" and not "Open Source",
#  and don't imply I agree that there is such a thing as a
#  "Linux operating system". - rms