
Re: Manageable image sizes

Subject: Re: Manageable image sizes
Date: Mon, 29 Nov 2004 17:06:34 -0600 (CST)

Nick Puetz wrote:

> I have been working recently with some large image sizes (over 20 GB) and
> was curious if mmls was the best way to make these images more manageable.
> When working on a large image (using TSK), it can take quite a long time
> to do a simple search for a key word. I am thinking that dd could also be
> used to cut one large image into a number of smaller, more manageable images.
> Does anyone have any ideas surrounding this? Thanks!

I found some helpful concepts over @Jammed:

Example 1: by James O. Holley
http://lists.jammed.com/forensics/2001/10/0076.html

# Imaging the 1st 600MB of the device into img.1
# bs=1048576 = 1MB
# count=600 counts 600MB into the image
# create a 600MB file called img.1
dd if=/dev/hdd of=/mnt/evidence1/img.1 bs=1048576 count=600
#
# skip the 1st 600MB and then count the next 600MB into img.2
dd if=/dev/hdd bs=1048576 skip=600 count=600 of=/mnt/evidence1/img.2
#
# skip the first 2 600MB blocks and count the next 600MB into img.3
dd if=/dev/hdd bs=1048576 skip=1200 count=600 of=/mnt/evidence1/img.3
#
# continue to use skip and count to break evidence into 600MB chunks
dd if=/dev/hdd bs=1048576 skip=1800 count=600 of=/mnt/evidence1/img.4
dd if=/dev/hdd bs=1048576 skip=2400 count=600 of=/mnt/evidence1/img.5
dd if=/dev/hdd bs=1048576 skip=3000 count=600 of=/mnt/evidence1/img.6
dd if=/dev/hdd bs=1048576 skip=3600 count=600 of=/mnt/evidence1/img.7
dd if=/dev/hdd bs=1048576 skip=4200 count=600 of=/mnt/evidence1/img.8
dd if=/dev/hdd bs=1048576 skip=4800 count=600 of=/mnt/evidence1/img.9
dd if=/dev/hdd bs=1048576 skip=5400 count=600 of=/mnt/evidence1/img.10
#
# you have now imaged 6000 of the 1MB chunks
# end script for 10GB drive
Example 2: by Stanislav N Vardomskiy
http://lists.jammed.com/forensics/2001/10/0074.html

You can use dd and netcat to duplicate disks across the network.

Something like: On the destination system:
nc -l -p 1234 | dd of=/dev/rdsk/c1t1d0s2

on the system from which you are duping a disk:
dd if=/dev/rdsk/c7t0d0s2 | nc <ip of destination system> 1234
*** NOTE *** you can use any pipe you want... SSH, cryptcat, search
algorithm, raw device, etc...

-- 
Regards
KC Ferguson CIO/CTO
@RescuNET.com
eXtreme Response Mobile HotSpot
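A runnable version of the chunking workflow from Example 1, as an added example rather than code from either post or from TSK: it splits an image into fixed-size pieces with dd skip/count exactly as Holley's script does, writes a SHA-256 record beside each chunk, and then reassembles the pieces to confirm the hash of the whole still matches the source. The file names, the chunk size, and a POSIX sh with GNU coreutils (dd, sha256sum, wc, cat) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original posts). Assumes POSIX sh + GNU coreutils.

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# split_image SRC PREFIX CHUNK_MB
# Writes PREFIX.1, PREFIX.2, ... of CHUNK_MB megabytes each (the last one may be
# shorter), plus a PREFIX.N.sha256 record per chunk. Prints the chunk count.
split_image() {
    src=$1; prefix=$2; mb=$3
    bs=1048576                                    # 1 MB blocks, as in the post
    total=$(wc -c < "$src")                       # image size in bytes
    blocks=$(( (total + bs - 1) / bs ))           # round up to whole 1 MB blocks
    n=0; skip=0
    while [ "$skip" -lt "$blocks" ]; do
        n=$((n + 1))
        # same idiom as Holley's script: skip what is already imaged, take the next chunk
        dd if="$src" of="$prefix.$n" bs=$bs skip=$skip count=$mb 2>/dev/null
        sha256sum "$prefix.$n" > "$prefix.$n.sha256"
        skip=$((skip + mb))
    done
    echo "$n"
}

# verify_split SRC PREFIX COUNT
# Concatenates the chunks in order and succeeds only if the result hashes
# identically to SRC, i.e. nothing was dropped, duplicated or altered.
verify_split() {
    src=$1; prefix=$2; count=$3
    joined="$prefix.joined"; i=1
    : > "$joined"
    while [ "$i" -le "$count" ]; do
        cat "$prefix.$i" >> "$joined"
        i=$((i + 1))
    done
    [ "$(hash_file "$src")" = "$(hash_file "$joined")" ]
}
```

Keep the per-chunk .sha256 files with the evidence: they let each piece be checked on its own before the full reassembly is attempted.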

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
