Raw disk copy?
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
Have you tried using a linux Live CD like knoppix to boot the machine. I think the tool dd (disc to disc) has a sector by sector clone feature. It's quite short on "do you really want to do this" type messages though so double check all your source and destinations before setting it running.
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
Have you tried Acronis True Image?
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
I've used DriveImageXML for a long time... It works like charm... And you can use it from the BartPE CDROM... Good luck! :thumbsup:
[www.tamelectromecanica.com] Robots, CNC and PLC machines for grinding and polishing.
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
Hi, Any "Live-CD" Linux distro will do. No third party programs required! Netcat[^] is called the network swiss army knife. On the locked machine:
dd if=/dev/hda bs=16065b conv=noerror | netcat < [Workstation IP] > [Workstation Port]
On your workstation:
netcat -l -p [Port] | dd of=/path/to/your/file/or/diskimage bs=16065b
Best Wishes, -David Delaune
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
You do not mention cost, but in case this is an issue Open Source Forensic Tools[^].
Henry Minute Do not read medical books! You could die of a misprint. - Mark Twain Girl: (staring) "Why do you need an icy cucumber?" “I want to report a fraud. The government is lying to us all.”
-
Hi, Any "Live-CD" Linux distro will do. No third party programs required! Netcat[^] is called the network swiss army knife. On the locked machine:
dd if=/dev/hda bs=16065b conv=noerror | netcat < [Workstation IP] > [Workstation Port]
On your workstation:
netcat -l -p [Port] | dd of=/path/to/your/file/or/diskimage bs=16065b
Best Wishes, -David Delaune
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
I believe for Forensic purposes you have to physically copy the drive using a device that does not have write pin (at least with IDE, I don't know about SATA); lock the physical copy in a safe and examine the copy. Otherwise you lose data non-repudiation which is an important concept in forensic analysis.
Need custom software developed? I do custom programming based primarily on MS tools with an emphasis on C# development and consulting. I also do Android Programming as I find it a refreshing break from the MS. "And they, since they Were not the one dead, turned to their affairs" -- Robert Frost
-
DD is a great tool, it's a shame it gets over looked so often though:thumbsdown:
▬▬▬▬▬▬▬▬▬▬▬▬
Lloyd Atkinson wrote:
it's a shame it gets over looked so often
Probably because of
dd if=/dev/hda bs=16065b conv=noerror | netcat < [Workstation IP] > [Workstation Port] netcat -l -p [Port] | dd of=/path/to/your/file/or/diskimage bs=16065bAgh! Reality! My Archnemesis![^]
| FoldWithUs! | sighist | WhoIncludes - Analyzing C++ include file hierarchy -
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
clonezilla live cd ;)
"mostly watching the human race is like watching dogs watch tv ... they see the pictures move but the meaning escapes them"
-
clonezilla live cd ;)
"mostly watching the human race is like watching dogs watch tv ... they see the pictures move but the meaning escapes them"
Second this. Works like a charm, and can save to almost anything, smb, ftp, etc. Very powerful, but not easy mode.
// Steve McLenithan
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
I believe TrueImage will allow you to make a clone to a network or USB hard drive. TrueImage can create a bootable CD that you can be use on the locked system.
Steve _________________ I C(++) therefore I am
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
Paragon Hard Disk Manager will boot from CD and allow you to make an exact image of a drive across a network - I've used it myself to do exactly that more than once. Not free though 8)
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
Hello, Did you try HDClone from Miray Software? They provide raw disk copying from a bootable CD. http://www.miray.de/products/sat.hdclone.html[^] I use this to copy my system disk to anoder HD. If my system disk fails, I put the other disk in the PC and I have my system up and running again. Good luck, Freddy.
-
DD is a great tool, it's a shame it gets over looked so often though:thumbsdown:
▬▬▬▬▬▬▬▬▬▬▬▬
I second dd. You'll preserve everything in every sector, including license crap that is written into boot track sectors and sectors that are not part of partitions or filesystems. Make sure you use a block size of 1MB or something or you'll need a haircut before it finishes :) The problem with using dd may be finding a tool that can work with the copied image.
patbob
-
Drill the lock out?
Everything makes sense in someone's mind
A "hardware solution". I love it!
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
Write your own :) It can be written in an hour into assembly :) For windows download cs.exe from this list[^], start command prompt and execute cs.exe with following parameters (but don't copy this, it's only an example): cs.exe -i \\.\PHYSICALDRIVE0 -o "D:\harddiskcopy.bin" -b 0 -e 0 -s [SIZE_OF_HDD_IN_BYTES] -p 32768 For -i and -o values see this: Create File() function[^] and for the number check disk management in windows. -b is the offset in the file/device/volume specified by -i from where the copy reading process will begin (0 = begining) -e is the offset in the file/device/volume specified by -o from where the copy (OVER)WRITING will begin (0 = begining) -s is the size in bytes that would be copied -p is the number of bytes that will be copied (program reads -p [number] bytes into memory and then writes them to the destination and loops until -s [number] bytes reached) Hope that helps, but be careful, that can read and write to harddisk so you can erase the harddisk if you specified it in -o :)
-
I need to take a machine and do a raw disk image of it (unused sectors and all) for a forensic type investigation if necessary. The problem is, this machine has a locked case, and the key has been lost. It is bootable to a CD or the hard disk. I don't want to install something on the machine itself, in order to prevent tainting the disk. I need to find a way to do a raw disk image of this machine across the network to my server. I have googled and tried several things (Active@, Ultimate Boot CD for windows) but none have worked. Any suggestions out there? Thanks!
Try HDCLone