News: "Flashlight" to help banks analyse online frauds
Security vendor Trusteer's latest product will allow banks to remotely investigate their customers' computers if it is suspected the PC has been hacked. The service, called Flashlight, is designed to enable banks' security experts to quickly identify what types of malicious software programs customers are encountering in order to build better defenses, said Mickey Boodaei, Trusteer's CEO.
kakroo's blog
How-to: Cloning a (Laptop) Hard Drive using DD over the network
As hard drives keep growing, dying or otherwise evading us, the need to clone disks is growing fast. There are many uses for cloning disks, including:
- forensics work - you need an exact copy of the drive in order to reconstruct the data
- backup - you need an exact copy of the drive in order to restore it when (not if) the drive dies, or the data is lost
- outgrowing the disk - the oh-so-big disk you got some years ago is stuffed full and ready to explode
- stealing the content - you may want to copy the contents from someone else without their consent (this is illegal in most countries, mind you!)
- just for fun - learning how to do stuff, having fun.
Many other reasons may exist too, and whatever your reason for copying a drive, I will explain how I clone disks easily and quickly, using a slave computer (a server with plenty of disk space) that is reachable over the network from the machine whose disk I want to copy, and a Linux boot CD (I usually use a CF card in my CF card reader instead, as it is easily disguised as a photo card for my camera).
Prerequisites:
- Master HD (this would be the Hard drive you want to clone/copy) I will use the HD on my X41 in this example, and I will not be removing it
- Laptop with a working network (I use a cabled network, due to speed and ease of configuration)
- A slave computer with plenty of disk, and connected to the network (preferably the same segment to save time, but could be over Internet if both systems have access, and your firewall is set up accordingly)
- Linux on the slave computer (use your preferred distro)
- Linux on a stick, CD or memorycard of some kind (Knoppix is a good one, but use your preferred distro)
- One clean, fresh hard drive in the slave which is empty and ready, and at least as large as the master drive (you will be cloning sector by sector, all content at once, which will overwrite anything on that slave hard drive; a smaller target simply truncates the clone)
WARNING:
This how-to comes with no warranties whatsoever. Whatever you choose to do, and whatever results you get, are YOUR DOING ONLY, and neither Roer.com nor I accept any liability. You risk losing all your data, you risk jail (if the data is not your own), you risk embarrassment. And you probably risk a lot more, but you have your own imagination to dream that up yourself. YOU HAVE BEEN WARNED.
Setting up the slave/server
Unless you already have a Linux server (or workstation) running, go and set it up now. Make sure it is connected to the network, and that dd and netcat are installed and available to you. Not sure how? Google is your friend!
With your server ready, open up a terminal and find your local IP address by your favorite method. I simply issue ifconfig:
ifconfig and hit enter
And there I find my eth0 IP-address to be 192.168.0.99.
I will need to know this when I want to connect from the laptop later.
Next, I will tell my slave to set up netcat to accept connections on port 9901 (just pick a number, but try to avoid the "popular" ports like 80, 8080, 21 etc). This will be the door your slave will be expecting you to connect through from your laptop. Keep in mind that netcat does no authentication and no encryption: anyone who can reach that port can connect and write whatever they like straight onto the target drive, and anyone on the path can read the disk image as it goes by. So only open it on a trusted segment, and close it as soon as the transfer is done. After the netcat command, I pipe in the dd command, telling dd to use my device /dev/sdc (make sure you know which drive to use on YOUR setup. You can check with fdisk, parted, gparted etc. Not sure how? Google is still your friend!)
Command to issue in your terminal:
sudo su and hit enter
(this will give you root rights, which you will need to issue the next commands. You may need to enter your password too).
nc -l -p 9901 | dd of=/dev/sdc and hit enter
The -l is to set up netcat to listen, and -p is to tell it what port to listen on (the OpenBSD flavour of netcat shipped by some distros rejects -l together with -p; there you write nc -l 9901 instead). The of switch of dd tells dd where to save the data. Google and man are great friends here.
NOTE: Please make sure that you use the RIGHT hard drive - in MY setup, I use sdc, but you may be using sdb or sda or any other drive.
Your slave is ready to take your data!
Setting up the master
Now that the slave is ready to take your data and save them to the disk, it is time to prepare your master drive - the hard drive you would like to clone. First, you need a startup device. You may use a live CD, a USB-Stick, floppy or any other means of booting that your computer accepts. In my case, the X41 comes without a CD/DVD reader, so I need to use a USB-device. I opt for my CF-Card and the card reader I have, and install Linux on it.
So boot from the startup device you created, with your favorite flavour of Linux.
When the computer is up and running, check that you have network access to the other (slave computer) by a simple ping. (I always do simple checks like these before I go on doing heavier stuff, to reduce the number of possible errors later).
Again, you want to know the address to your hard drive. You are free to use your tool of choice. fdisk is a friend:
fdisk -l and hit enter
The disk I want is /dev/sda (my X41 is a SATA system, giving my disk a SCSI-style name. On older kernels a PATA drive would be /dev/hdX, where X is a letter; current kernels name PATA drives /dev/sdX as well).
The next thing to do is simply to issue the dd command, with a pipe to netcat. It looks like this:
dd if=/dev/sda | nc 192.168.0.99 9901 and hit enter
The if tells DD where to copy/clone from, and the nc statements are pretty self explanatory, I should think. The IP-address to the slave computer, and the port number we told it to listen on before.
Now all you need to do is sit back and relax while the data (preferably yours) fly across the universe of bits and bytes! When dd is done it prints its records in/out summary on the master; depending on the netcat variant, nc may not exit on its own after that, in which case you can stop it with Ctrl-C.
Keep in mind that this may take some time. A lot of time, actually if you have some data. So go fetch a cup of coffee, grab lunch, or just go home and come back tomorrow.
Why would you need this?
dd over the network is particularly interesting for forensics, IMO. It is easy and quick to set up, and you clone the disk byte by byte, so it copies EVERYTHING, including data someone has tried to erase. Note that by default dd stops at the first read error; to keep going past bad sectors and preserve the offsets of everything after them, add conv=noerror,sync to the dd command on the master. And most importantly, it leaves the original hard drive untouched (booting from the live medium means the drive is never mounted or written), so it can still be used as evidence if ever needed. If that is the goal, record a checksum of the source and the clone once the transfer is done, so you can show later that they match.
Another bonus is that having the clone, you can leave the owner of the hard drive working as normal, while you can examine the content in calmness.
You may also do the clone to a USB drive, which is faster. This comes in handy when on the road, or at a client location and your server has not been prepared. In my lab, on the other hand, I prefer to use the network.
Another use is to clone a system before you go about testing stuff, like checking how viruses function, how hacker tools work etc.
And of course it is a great way to steal data. If you do not realize what is going on under your nose, someone might be copying drives at your place right now.
Restoring a copy
If you at some point need to restore your clone back to the original hard drive, you simply do the same, just swapping the roles of the two computers: the slave becomes the master (dd if=... | nc ...), and the master becomes the slave (nc -l ... | dd of=...).
Comments? Ideas? Please share!