Linux dd - Forensic Copy

Linux 'dd' basics

 
 

Linux dd can be a powerful and flexible tool to have in your box.

You will find it installed by default on the majority of Linux distributions available today and it can be used for a multitude of digital forensic tasks, not least of which is providing a simple means of obtaining a raw image of a file, folder, volume or physical drive. It has a simple, relatively intuitive syntax and a useful set of options to extend its basic capabilities.

On the negative side it does not give any feedback to the user when it is launched, has no error checking by default and perhaps most importantly can be very destructive if you get things wrong, earning it the nickname of "Data Destroyer" (dd) over the years.

As always, read the man pages before you use it [# man dd] and fully test the processes in a safe environment before letting it loose on a job that really matters.

The basic dd syntax is as follows:

# dd if= of= bs=

("if" being "input file" and "of" meaning "output file").

(bs= is actually one of the options that I mentioned above. If you don't include it dd will use a default byte size of 512. The byte size is usually some power of 2, not less than 512 bytes. For example: 512, 1024, 2048, 4096, 8192, 16384. It can however, be any reasonable number). Personally I always set the byte size manually so that I know exactly what is going on with the process that I am running.

It should be easy to work out from the basic command that "if=" is the data being read whilst "of=" is where the data is being written to. It should also be obvious that if you reverse the source and target entries by mistake, you can potentially overwrite your source with your target. In real terms this can mean filling the contents of your suspect drive with all of the zeros from your sanitized evidence drive. Of course, if you have your suspect drive attached through a write blocker as I previously suggested you should be protected to a certain extent from this kind of error. The main thing is to take care with your data entry and get the syntax right before you hit the return button.

If you are wondering what I mean by sanitized evidence drive, it is simply the process of wiping and formatting a drive prior to writing new evidence to it. You should always make sure that you start any investigation in this way so that the danger of residual data on your target drive corrupting your evidence is removed. You can use "dd" to do this using this command:

# dd if=/dev/zero of=/dev/

This process will basically fill your target drive with zeros, overwriting any data as it goes. One pass should be enough although you can of course run it as many times as you like before re-formatting the drive. The byte size used in the example will be the default 512. You are free to choose any size you wish and may see reductions in processing times as a result of using a larger number. Experiment with different byte size entries on a spare drive and see what difference it makes. If time is not an issue, then just stick with the default.

Now that we have the basic syntax (# dd if= of=) we can see that what dd is doing is copying chunks of data from the source, in this example in the default 512 byte blocks, and writing that data to the target, which can be a file or another block device. So we now have a choice as to where, and how we store our forensic image. Lets say that we have an 80 GB hard drive that we want to image. You could send the output straight to a wiped and formatted drive, like this:

# dd if=/dev/ of=/dev/ bs=512 conv=noerror,sync

which produces a straight copy of the original.

You can write the output to a file:

# dd if=/dev/ of=/home/user/linux_image.dd bs=512 conv=noerror,sync

although in practical terms an 80 GB (uncompressed) file might be a little unwieldy to deal with, unless you then use dd again to write the file back to a clean disc (again a straight copy):

# dd if=/home/user/linux_image.dd of=/dev/ conv=notrunc,noerror

Which simply writes the contents of linux_image.dd to your target device.

You will have no doubt noticed that I have introduced several new switches using the conv= (conversion) option on the back of the command. These are very important additions that I had already alluded to in paragraph 3 above. These switches turn on various forms of error checking within the dd command. By default dd will happily copy out data until it locates a sector or block on the source device that it can't read. Then it will just stop what it is doing and you won't have a full image. Using conv=noerror,sync will adjust this behaviour so that dd will pad the bad sectors with zero characters and then carry on copying the rest of the data that it can read. The second part of the switch, sync provides the zero padding and also ensures that the sectors on the target device are aligned with those from the source device, thus ensuring an accurate replication of the original media. notrunc simply tells dd to keep copying to the end of the target device rather than truncating the image early.

There are a number of other useful switches within dd. Open up # man dd to see an explanation of them all.

There is just one more area that I want to cover briefly before I move on and that is splitting images into manageable size files using dd and a unix tool appropriately called split. To do this on the fly using dd you simply have to pipe the dd if= through the split command like this:

# dd if=/dev/ | split -d -b 2000m - image.split.

I intend to talk about splitting images in a later post so won't elaborate too much here. Suffice to say that the above command takes standard output from the dd command and pipes it as standard input to the split command. The result (in this case) is a series of 2 GB files, in the current directory, that will be named 'image.split.01', 'image.split.02' and so on.

As I say, there will be a more detailed look at this technique in later posts. For now just get used to the difference in syntax from a standard dd operation (i.e. no of= string).

Well, that's a brief overview of Linux dd, it should certainly be enough to get anyone started with the basics of using it as a forensic tool. As always I would advocate further reading (man dd) and of course a Google search will throw up a good amount of reference material.

 
 

 
 

--

 
 

Reprinted with permission from PC-Eye (Digital Forensics)

 
 

Pasted from <http://www.forensicfocus.com/linux-dd-basics>

 
 

RDP Remote Desktop - troubleshoot

Port 389

Troubleshoot

• VPN connected?
  
• Firewall on?
  
• Port number using? Standard or has a : and port #?
  
• Registry area:
  
• http://support.microsoft.com/kb/306759
  

  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber
  

   
   

  Pasted from <http://support.microsoft.com/kb/306759>
  

   
   

   
   

 
 

Alta - Greg Ease - port 12000

Blackberry

Log on to server: bseadmin

D11d6 or admin password

 
 

Troubleshooting server - try restarting the services.

• See what users are connected and the last time they were contacted.
  

 
 

Blackberry redirector needs this open non firewall

 
 

On the desktop: Blackberry Manager

• To configure what sync's when you connect the blackberry
  
  • Intellasync
    
    • Configure PIM (personal Information Manager)
      
    • Delete any things that you don't want to sync (Paul Delano's personal contacts)
      
    • Add anything that you want to sync (public contacts)
      
  • Can also edit signature
    

     
     

  On the Blackberry device
  

• Settings
  
  • Options
    
    • Advanced options
      
      • Enterprise activation
        
        • Check for activation status
          

         
         

  Blackberry Server
  

• Log in as: semadmin and d11d6
  
• Blackberry Manager
  
  • Delete user and add again
    
    • Or - attach device to server using USB
      
    • Assign device
      
    • Resend IT Policy
      
    • Restart device
      
    • Watch for the multi-directional arrows
      

Outlook calendar - Copy

Subject	calendar
From	Steve Marks
Sent	Thursday, September 25, 2008 10:27 AM

 
 

Copy your Outlook Calendar with scheduling information

1. To show the Folder List, on the View menu, click Folder List.
   
2. Right-click Calendar, and click Copy "Calendar".
   
3. In the Copy Folder dialog box, select a folder to copy your calendar to, such as Drafts, and then click OK.
   This copy of your calendar now contains all your scheduling information, in addition to your calendar formatting.
   
4. Rename your copy, and then drag it to Calendar.
   

   Copy your Outlook Calendar with scheduling information
   

5. To show the Folder List, on the View menu, click Folder List.
   
6. Right-click Calendar, and click Copy "Calendar".
   
7. In the Copy Folder dialog box, select a folder to copy your calendar to, such as Drafts, and then click OK.
   This copy of your calendar now contains all your scheduling information, in addition to your calendar formatting.
   
8. Rename your copy, and then drag it to Calendar.
   

    
    

   May have to modify permissions to copy to public folder
   

• Exchange manager and make person an editor
  
• Also, make owner of their calendar
  

How to log onto to Stephen's computer

1. Download Filezilla
   
2. http://filezilla-project.org/download.php
   

    
   

    
    

   FileZilla - Client Download
   

   http://filezilla-project.org/download.php
   

   Screen clipping taken: 9/28/2008, 2:03 PM
   

    
    

    

3. Run Filezilla
   

    
    

   
   

    
    

   Screen clipping taken: 9/28/2008, 2:09 PM
   

    
    

4. The host is: themarksfamily.myphotos.cc
   
5. Username: gary
   
6. Password: themarksfamily
   
7. Press Quickconnect
   

 
 

 
 

 
 

Screen clipping taken: 9/28/2008, 2:11 PM

 
 

 
 

 
 

 
 

 
 

 
 

 
 

The pictures on my computer are here.

 
 

 
 

Screen clipping taken: 9/28/2008, 2:15 PM

 
 

1. You can also put files into my computer by dragging files from your computer to mine. You can right click on my computer and choose to create a new directory to put any new photos into.
   

Your computer.

Select the photos you want and drag them over to your computer.

 
 

The files that you have dragged will cue up and

Begin downloading. This will use a lot of

Bandwidth.

Firewall Setup

Comcast Business

• The modem has its own IP address. Point the firewall to the modem's IP, not the public IP.
  

 
 

ON Buffalo: For VPN, have to open GRE port 47 as well as PPTP port 1723.

 
 

 
 

 
 

 
 

SonicWALL - Administration for 0006B139C3F0

http://10.0.0.254/main.html

Screen clipping taken: 9/29/2008, 9:29 AM

 
 

BUFFALO

 
 

 
 

 
 

server.lakeproperties.local - LogMeIn

https://server-lakeproperties-local-matuenbvyq.app03.logmein.com/main.html

Screen clipping taken: 9/29/2008, 9:34 AM

 
 

 
 

Only if secure mail

 
 

Not usually

 
 

If SBS and hosting Exchange

 
 

 
 

Edit Rule

http://10.0.0.254/editRule_1.html

Screen clipping taken: 9/29/2008, 9:31 AM

 
 

 
 

 
 

Secure Mail

 
 

For VPN, along with PPTP

How to access the internet and your desktop computer

• Restart the computer
  
  • It should connect to the internet automatically and your Internet Explorer will open
    

     
     

  • Minimize Internet Explorer
    

     
     

  • Click this icon to log onto Dicor (VPN)
    

    
    

     
     

     
     

  • Click this icon to log onto your desktop
    

    
    

 
 

Randy,

 
 

I have set up windows and your anti-virus. When you want to access your computer at work, follow the directions below.

 
 

• Click this icon to log onto Auspro (VPN)
  

  
  

   
   

   
   

• Click this icon to log onto your desktop
  

  
  

   
   

 
 

Screen clipping taken: 9/24/2008, 11:12 AM

 
 

 
 

Blackberry

Show Hidden Icons - Hold down Alt Key and press track ball. Choose show all

Setup up icon is a briefcase with 4 arrows

Windows 98 - join domain

Just create the account in AD and then enter username, password and domain

Transfer Profile when joining new domain

• Reset local admin password to no password
  
• Log in as local admin
  
• Join the computer to the new domain
  
  • Restart computer
    
  • Make sure that user's domain account has local admin rights or this fails
    
• Rename user's profile to .old
  
• Log in user's domain account (make sure created in AD first)
  
• Log out of user's domain account
  
• Log back in as local admin
  
• Rename new domain profile to .new, rename .old to whatever the login was before renamed .new
  

   
   

 
 

Trans

New Computer Setup

• WEP key
  
• Password to old computer
  
• Old Computer
  
  • Share profile
    
    • Manage | Shares | New share
      
  • Ipconfig to get IP
    
  • Log off as user | Log on as Admin
    

     
     

• New Computer
  
  • Join to domain
    
  • Log in as user -
    
  • Log out as user
    
  • Log in as Admin
    
  • Rename profile for user .old
    
  • Connect to old using IP
    
    • Run | \\192.168.0.10
      
  • Copy profile from other computer and name it the same as the ".old" profile
    
  • Log out as admin and back on as user
    
  • Open Outlook
    
  • Set up to use Exchange (must be logged in as user)
    
    • Set to exchange
      
    • Name of mail server (look at another email in active directory users and computers)
      
    • Users name (not log in)
      
    • Click the folder icon to see the Public folders
      

       
       

• INSTALL FILES
  
  • Look on the server for serial #'s and install files for Office
    
  • Trend is \\primesrv\ofcscan\AutoPccP.exe
    

     
     

• 
  When rebuilding windows
  
• Image the computer using Drive Image
  
• Copy Drivers using ______
  
• Copy down all Keys using magic Jellybean Keyfinder
  

No Boot

Try chkdsk - does wonders on no boot machines