In my last technical tip, I explained how to create an exact bit-image copy of a live server using the open source tool DD. That approach is particularly useful for incident response purposes where you want to preserve evidence (the state of the computer) before, or in lieu of, any corrective actions. The result of this process is, obviously, an image of one or more disk drives. The remaining question is: now what?
For incident response situations you may want to examine that image with a forensic tool. Almost every forensic tool will read a DD image; it's a defacto-standard alongside Guidance Software's Encase format. Some of these products are The Sleuth Kit /Autopsy (open source), Encase, Forensic Toolkit (FTK), Nuix Forensic Desktop, Paraben P3 Explorer, and a slew of other products ranging from free to very expensive. Access Data offers a standalone imaging product for Windows that will create DD and Encase-formatted disk images, also dumping memory to a file if needed.
Beyond forensic examination there are many other ways to examine and use the DD image you created. You could also convert the DD image into a VMware image and then start it as a virtual system using the open source Live View application. Additionally, you could mount the image from any Linux distribution and explore it as though it were a physical drive. If you don't have Linux installed somewhere you could boot from a live CD, such as Ubuntu, and then mount the image. You can mount a Windows NTFS-formatted drive from Linux, although not every distribution will have that support enabled by default. To load an image file you need to use mount in loop-back mode. You also probably want to use read-only (ro) mode. Keep in mind that your image was probably an image of a physical disk which itself contains one or more partitions. The drive image does not have a file system, the partition within does. You can use a tool such as sfdisk or fdisk to view the partitions and then mount the partition(s) you are interested in. This post on the Ubuntu forums shows someone going through this process.
Lastly, you can also take the image and apply it to a hard drive. This is a simple process identical to the imaging process but reversing the input file (if) and output file (of). To write the contents of my_image.dd to the device /dev/sdc you would run the command:
|dd if=./my_image.dd of=/dev/sdc|
That will, of course, overwrite the contents of the drive /dev/sdc so be sure to use the correct drive. An interesting, but unrelated, use of DD is to overwrite a hard drive with random data. There are many other ways to do that, but dd on a Linux system can do it too. The following command would write the pseudo-random output of /dev/random onto the drive "dev/sdc:"
|dd if=/dev/urandom of=/dev/sdc|
Hopefully this gave you a few useful ideas of what to do with a DD-formatted bit image of your Windows or Linux server. Be cautious downloading software from the Internet -- the links I provided are safe as far as I know, but that can change in an instant.
More incident response resources
How to create a bit-image copy of a live server: Part of your incident response plan should include the creation of a bit image copy of a live server. Free and open source tools are available to simplify this process.
Acceptable use policy for Internet usage helps data protection efforts: Acceptable use policies are an inexpensive, yet effective, control in limiting exposure to data breaches.
Tom Chmielarski is a senior consultant with GlassHouse Technologies, Inc.
Send comments on this technical tip to firstname.lastname@example.org