Updated: 17/03/05

Methods of Data Transportation

This paper aims to show various ways to transport large quantities of data from one machine
to another, whether for backups, data recovery or forensics work. It assumes you are in a
Linux environment, that you are familiar with using the command line, and that you have a
basic knowledge of TCP/IP and a basic understanding of hard drive partition tables.

Taking an image.
This is without doubt the first and most important step of forensic and data recovery work.
A binary image of a disk includes all the "free" space, where deleted data remains until
something else overwrites it. It also means that you are not working directly on the disk in
question. If you are paranoid (like me), take two copies of the image and work on the 2nd copy;
that way, if you make a mistake, you can restart from the 1st image without touching the
original disk again.

There are a number of ways an image can be made:

1) Direct disk to disk, if you have direct access to the hard drive connected to an IDE controller.

Here is an example of a forensics workstation:

data recover # df -h
Filesystem Size Used Avail Use% Mounted on
/dev/hda2 4.5G 1.7G 2.6G 40% /
none 110M 0 110M 0% /dev/shm
/dev/hdb2 56G 3.7G 49G 8% /mnt/frns
/dev/sda1 37G 22G 14G 63% /mnt/usb
/dev/hda8 59G 6.3G 50G 12% /mnt/recover

In this case /dev/sda is a hard drive in a USB enclosure that we want to recover data from,
and /dev/hda8 is the drive we want to copy data to.

This is what the partition table looks like for /dev/sda

data recover # fdisk -ul /dev/sda
Disk /dev/sda: 40.0 GB, 40007761920 bytes
64 heads, 32 sectors/track, 38154 cylinders, total 78140160 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot Start End Blocks Id System
/dev/sda1 32 78139391 39069680 83 Linux

If you only want the data in the partition and not the partition table itself, then
this command will do nicely:

dd if=/dev/sda1 of=/mnt/recover/sda1.data.img

alternatively:

cat /dev/sda1 > /mnt/recover/sda1.data.img

You can now examine the data in the image via the loopback device; mount it read-only so
that the image itself is not altered:

data recover # mount sda1.data.img /mnt/loop/ -o loop,ro
data recover # cd /mnt/loop

If the drive you are imaging has serious read errors, use dd_rescue instead of dd. You may
have mixed results with it, but I have had success with this tool.

For forensics work you will want to take the entire disk (partition table and all data on it):

dd if=/dev/sda of=/mnt/recover/sda.data.img

NOTE: If you take a full image (e.g. of /dev/sda) you will need to use dd to copy the data
partition out of the image you made before you can mount it via the loopback device.
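As an added example (not part of the original paper), here is how the data partition can be carved out of a full-disk image using the Start and End sector numbers that fdisk -ul prints, so that the result can be mounted via loopback as shown above. It uses the sector values from the /dev/sda partition table above (start 32, end 78139391) and assumes the full image sits at /mnt/recover/sda.data.img; the function names are mine, and the self-check at the end builds a small constructed image rather than touching any disk.

```shell
#!/bin/sh
# Added example, not from the original paper: carve one partition out of a
# full-disk image using the Start/End sector numbers printed by "fdisk -ul"
# (units of 512-byte sectors), so the result can be mounted via loopback.
set -eu

# Number of sectors a partition occupies, from its fdisk Start and End values.
sectors_for() {
    echo $(( $2 - $1 + 1 ))
}

# carve_partition IMAGE OUT START END
# Copies sectors START..END (inclusive) of IMAGE into OUT and prints the
# number of sectors copied. Only the image is read, never the original disk.
# dd reports its record counts on stderr, so read errors stay visible.
carve_partition() {
    image=$1; out=$2; start=$3; end=$4
    count=$(sectors_for "$start" "$end")
    dd if="$image" of="$out" bs=512 skip="$start" count="$count"
    echo "$count"
}

# Self-check on a constructed image (no real disk involved): 32 zeroed sectors
# standing in for the partition table area, a 64-sector "partition" filled
# with the letter P, then 32 more zero sectors. Prints "ok" when the carved
# file is byte-for-byte identical to the constructed partition.
demo() {
    tmp=$(mktemp -d)
    dd if=/dev/zero of="$tmp/disk.img" bs=512 count=128 2>/dev/null
    dd if=/dev/zero bs=512 count=64 2>/dev/null | tr '\0' 'P' > "$tmp/part.bin"
    dd if="$tmp/part.bin" of="$tmp/disk.img" bs=512 seek=32 conv=notrunc 2>/dev/null
    n=$(carve_partition "$tmp/disk.img" "$tmp/sda1.img" 32 95 2>/dev/null)
    want=$(cksum < "$tmp/part.bin" | cut -d' ' -f1)
    got=$(cksum < "$tmp/sda1.img" | cut -d' ' -f1)
    rm -rf "$tmp"
    [ "$n" = 64 ] && [ "$want" = "$got" ] && echo ok
}

# With the paper's partition table, /dev/sda1 runs from sector 32 to 78139391,
# i.e. 78139360 sectors (= 39069680 blocks * 2):
#   carve_partition /mnt/recover/sda.data.img /mnt/recover/sda1.img 32 78139391
demo
```

The same offset can instead be handed straight to mount, which avoids writing a second copy of the partition: mount -o loop,ro,offset=$((32*512)) sda.data.img /mnt/loop. Either way, keep the ro option so the image is not modified by the mount.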

2) Taking images across the network.

Let's say that, for whatever reason, you do not have physical access to a computer, or
you cannot remove the drive for imaging. netcat (nc) is your friend!

This very useful tool, written by HOBBIT, has many uses in the security field; here we
will focus on the data transportation aspects of netcat.


The machine to be imaged will need to be booted from something like Knoppix (though any
Linux boot disk with netcat installed is fine).

On the destination host:

root@destinationhost# nc -l -p 5000 > nc.data.img

On the source host you want the image from:

root@sourcehost# nc -w 5 destinationhost 5000 < /dev/hda1

Once the image has been made you may want to verify it via the loopback device using the
method shown above.

If you are imaging the entire disk for forensic purposes you will need to dd off the partitions
you want; this is beyond the scope of this paper, but you can find the information at:
http://www.sleuthkit.org/informer/sleuthkit-informer-2.html#split

Another excellent use for netcat: if you are only interested in the current data, you can
pipe tar into netcat and send the entire directory structure to another host. This is done as
follows.

Destination host:

nc -l -p 5000 > directory.tar.gz

Source host:

mount /dev/hda1 /mnt/hda1
cd /mnt/hda1
tar -cpvzf - . | nc -w 5 destinationhost 5000

You will then end up with a tarball called directory.tar.gz on the target host. (Archiving
"." rather than "*" ensures that dot files are included in the tarball.)

Instead of netcat you can also use ssh. To get a tarball, ssh to the host that holds the data,
run tar there and capture its output locally:

ssh user@destinationhost "tar -jcvpf - ~/" > tarfile.tbz2

You will then end up with a tarball of the home directory of the user account you used for
ssh. You can take an image in a similar fashion (the account needs read access to /dev/hda,
which normally means root):

ssh user@destinationhost "cat /dev/hda" > ssh.imagefile.img

SUMMARY:
Whichever of the above methods you use for data transportation, if you are doing
forensics make sure you also take an SHA1 or MD5 sum of both the drive you just
imaged and the image you made, to prove that they are identical:

md5sum /dev/hda
md5sum data.img
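As an added example (not part of the original paper), the checksum can be taken while the image is being written, so the drive is read only once, and the result then compared against independent hashes of the source and the image as recommended above. The same tee pipeline works on the netcat receiving side from section 2 (nc -l -p 5000 | tee nc.data.img | sha1sum). The function names and the constructed sample file are mine; sha1sum is used because the summary names SHA1.

```shell
#!/bin/sh
# Added example, not from the original paper: hash the data as it is written
# so the source is read once, then cross-check source and image independently.
set -eu

# image_with_hash SRC DST
# Copies SRC to DST and prints the SHA-1 of the bytes that passed through the
# pipe, i.e. of exactly what was written to DST. SRC may be a device such as
# /dev/sda. dd reports its record counts on stderr, so read errors stay visible.
image_with_hash() {
    src=$1; dst=$2
    dd if="$src" bs=64k | tee "$dst" | sha1sum | cut -d' ' -f1
}

# verify_image SRC DST
# Re-hashes source and image independently and prints "match" or "MISMATCH".
verify_image() {
    a=$(sha1sum < "$1" | cut -d' ' -f1)
    b=$(sha1sum < "$2" | cut -d' ' -f1)
    [ "$a" = "$b" ] && echo match || echo MISMATCH
}

# Self-check on a constructed file standing in for the device (no real disk
# involved). Prints "match" when the in-pipe hash equals the hash of the
# source and the independent comparison agrees.
demo() {
    tmp=$(mktemp -d)
    i=0
    while [ $i -lt 1000 ]; do echo "sector $i"; i=$((i + 1)); done > "$tmp/src.bin"
    h=$(image_with_hash "$tmp/src.bin" "$tmp/image.img" 2>/dev/null)
    s=$(sha1sum < "$tmp/src.bin" | cut -d' ' -f1)
    r=$(verify_image "$tmp/src.bin" "$tmp/image.img")
    rm -rf "$tmp"
    [ "$h" = "$s" ] && echo "$r"
}

# Real use would look like:
#   image_with_hash /dev/sda /mnt/recover/sda.data.img > sda.sha1
#   verify_image /dev/sda /mnt/recover/sda.data.img
demo
```

Record the printed hash alongside the image; a later verify_image run against the image alone only proves the image has not changed since, while the comparison with the device proves the copy was faithful.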

NEVER mount the evidential drive in r/w mode. Make two copies of the image, so you don't need
to revert to the original disk. I also recommend using sleuthkit for forensic analysis.

I hope you have found this paper useful; feedback, comments and suggestions are welcome.

Written by Steve Foris

sf@lucidit.co.nz


See also:

sleuthkit  http://www.sleuthkit.org/sleuthkit/

Foremost  http://foremost.sourceforge.net/

magicrescue  http://jbj.rapanden.dk/magicrescue/

dd_rescue  http://www.garloff.de/kurt/linux/ddrescue/

netcat  http://www.securityfocus.com/tools/137