-
October 3rd, 2004, 10:31 PM
#1
Report on DD
The National Institute of Justice conducted a report in 2004 to display the accuracy of the tool dd on FreeBSD (it's really the tool that matters, not the OS) for imaging disks and partitions..
It's a good report, and it essentially illustrates one thing.. STOP wasting money on costly forensics bit stream copy programs!
http://www.ncjrs.org/pdffiles1/nij/203095.pdf
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
October 3rd, 2004, 11:35 PM
#2
Wow, great read hogfly...they definitely tested the crap out of dd!
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
-
October 4th, 2004, 03:52 PM
#3
thx for the find.. good read !!
I use dd for backups of whole partitions and even disks..
Really easy.. and you can also do some very cool tricks with it !!
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
October 11th, 2004, 06:19 PM
#4
So how does one make a copy of a hard drive to examine using dd and netcat in Windows? I don't find the help file helpful in this:
Usage: dd [OPTION]...
Copy a file, converting and formatting according to the options.
bs=BYTES force ibs=BYTES and obs=BYTES
cbs=BYTES convert BYTES bytes at a time
conv=KEYWORDS convert the file as per the comma separated keyword list
count=BLOCKS copy only BLOCKS input blocks
ibs=BYTES read BYTES bytes at a time
if=FILE read from FILE instead of stdin
obs=BYTES write BYTES bytes at a time
of=FILE write to FILE instead of stdout, don't truncate file
seek=BLOCKS skip BLOCKS obs-sized blocks at start of output
skip=BLOCKS skip BLOCKS ibs-sized blocks at start of input
--help display this help and exit
--version output version information and exit
BYTES may be suffixed: by xM for multiplication by M, by c for x1,
by w for x2, by b for x512, by k for x1024. Each KEYWORD may be:
ascii from EBCDIC to ASCII
ebcdic from ASCII to EBCDIC
ibm from ASCII to alternated EBCDIC
block pad newline-terminated records with spaces to cbs-size
unblock replace trailing spaces in cbs-size records with newline
lcase change upper case to lower case
ucase change lower case to upper case
swab swap every pair of input bytes
noerror continue after read errors
sync pad every input block with NULs to ibs-size
I notice in Helix there is a front end for dd listed; is this any more intuitive?
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
October 12th, 2004, 12:13 PM
#5
Last year, we got a course in which we had to construct an automated backup-solution that was more flexible than products like Norton Ghost. We used a combination that was based on dd and UDP Cast. It was easy to set up, and the learning curve was minimal. And just as nice: it was plain fun to play with.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
-
October 12th, 2004, 09:55 PM
#6
Originally posted here by Tedob1
So how does one make a copy of a hard drive to examine using dd and netcat in Windows? I don't find the help file helpful in this:
Usage: dd [OPTION]...
Copy a file, converting and formatting according to the options.
bs=BYTES force ibs=BYTES and obs=BYTES
cbs=BYTES convert BYTES bytes at a time
conv=KEYWORDS convert the file as per the comma separated keyword list
count=BLOCKS copy only BLOCKS input blocks
ibs=BYTES read BYTES bytes at a time
if=FILE read from FILE instead of stdin
obs=BYTES write BYTES bytes at a time
of=FILE write to FILE instead of stdout, don't truncate file
seek=BLOCKS skip BLOCKS obs-sized blocks at start of output
skip=BLOCKS skip BLOCKS ibs-sized blocks at start of input
--help display this help and exit
--version output version information and exit
BYTES may be suffixed: by xM for multiplication by M, by c for x1,
by w for x2, by b for x512, by k for x1024. Each KEYWORD may be:
ascii from EBCDIC to ASCII
ebcdic from ASCII to EBCDIC
ibm from ASCII to alternated EBCDIC
block pad newline-terminated records with spaces to cbs-size
unblock replace trailing spaces in cbs-size records with newline
lcase change upper case to lower case
ucase change lower case to upper case
swab swap every pair of input bytes
noerror continue after read errors
sync pad every input block with NULs to ibs-size
I notice in Helix there is a front end for dd listed; is this any more intuitive?
Tedob.
Grab is MUCH more intuitive because all you need to do is set the source drive. (note I said drive, NOT partition), set the destination /path/to/dd_file.img, make sure you have md5 configured, and let it rip. hmmm I should write a quick how to for that..but ugh I've been swamped lately. It also has dcfldd which is the gov's version of dd that md5's as it copies rather than at the end which is faster.
FYI
While on a Windows box, pop in the Helix CD and if you have autoplay turned on it will bring up a GUI that will dd your disk to a machine that has a netcat listener running. Helix is not just a live CD, it's also a Windows incident response toolkit.
With dd on Windows, you need to make sure you have dd for Windows.
This is another group of tools that I use...
http://users.erols.com/gmgarner/forensics/
He has examples at the bottom of the page.
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
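An added example of the workflow hogfly describes above (not code from the thread, Helix or dcfldd): image a drive with plain dd, hash the bytes while they are being copied instead of in a second pass, and then re-hash the written image to confirm it matches. The image_and_hash function, the hypothetical device paths and the listener address are assumptions for illustration; it assumes a POSIX sh with dd, tee and md5sum available, and it reproduces dcfldd's "hash as it copies" behaviour by splitting the dd output stream with tee rather than using dcfldd itself.

```sh
#!/bin/sh
# Added example, not from the original thread: forensic-style imaging with
# plain dd, hashing the stream during the copy, then verifying the image.

# image_and_hash SOURCE DEST
#   Copies SOURCE (a device such as /dev/sda, or any file) to DEST with dd.
#   conv=noerror,sync is the combination from the dd help text quoted above:
#   a read error does not abort the copy, and the unreadable block is padded
#   with NULs so every later byte keeps its original offset. Note that sync
#   also pads a short final block up to bs, so DEST is a multiple of 512 bytes.
#   The dd byte stream is written to DEST by tee and, at the same time, fed
#   to md5sum, so the hash is produced in the same pass as the copy.
#   dd's own "records in/out" summary and any error messages go to DEST.log.
#   Prints "<md5>  DEST" and returns 0 when the re-read image hashes to the
#   same value as the stream; returns 1 on a mismatch.
image_and_hash() {
    src=$1
    dst=$2

    stream_hash=$(dd if="$src" bs=512 conv=noerror,sync 2>"$dst.log" \
        | tee "$dst" \
        | md5sum | cut -d' ' -f1)

    # Second, independent read of what actually landed on disk.
    file_hash=$(md5sum "$dst" | cut -d' ' -f1)

    if [ "$stream_hash" = "$file_hash" ]; then
        echo "$stream_hash  $dst"
        return 0
    fi
    echo "hash mismatch: stream=$stream_hash file=$file_hash" >&2
    return 1
}

# Network variant mentioned in the thread (dd piped into netcat). These two
# lines are documentation only and are not run here; netcat option names
# differ between implementations, and the host address is a placeholder.
#   collection machine:  nc -l -p 9000 > evidence.img
#   suspect machine:     dd if=/dev/sda bs=512 conv=noerror,sync | nc 192.0.2.10 9000
# After the transfer, md5sum evidence.img on the collection side and compare
# it with a hash taken on the suspect side exactly as image_and_hash does.

# Stand-alone usage: image_and_hash /dev/sdb /cases/case1/sdb.img
```

Using tee for the in-flight hash means the image and its hash come from the same read of the source; the second md5sum over the written file is the check that the storage path (disk, or the netcat transfer in the remote variant) did not alter anything.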