HARD DRIVE AND MEMORY ACQUISITION

WINDOWS

Create memory dump remotely:

# -c copies mdd to the target before running it; the dump is written on the target's C: drive
psexec.exe \\<HOST NAME OR IP ADDRESS> -u <DOMAIN>\<PRIVILEGED ACCOUNT> -p <PASSWORD> -c mdd_1.3.exe -o C:\memory.dmp

Extract EXE/DLL from memory dump:

# Volatility 2 names these plugins dlldump, procdump (process executable) and memdump (process memory)
# and needs --profile=<PROFILE> matching the imaged OS
volatility dlldump -f memory.dmp -D dumps/
volatility procmemdump -f memory.dmp -D dumps/

Create hard drive image of C: using dc3dd:

dc3dd.exe if=\\.\c: of=d:\<ATTACHED OR TARGET DRIVE>\<IMAGE NAME>.dd hash=md5 log=d:\<MOUNTED LOCATION>\<LOG NAME>.log

LINUX

Create memory dump:

# /dev/fmem only exists once the fmem kernel module is loaded
dd if=/dev/fmem of=/tmp/<MEMORY FILE NAME>.dd

Create memory dump using LiME:

wget https://github.com/504ensicsLabs/LiME/archive/master.zip
unzip master.zip
cd LiME-master/src
make
cp lime-*.ko /media/ExternalUSBDriveName/
# the module file name carries the kernel version it was built for (uname -r)
insmod lime-3.13.0-79-generic.ko "path=/media/ExternalUSBDriveName/<MEMORY DUMP>.lime format=raw"

Make copy of suspicious process using process ID:

cp /proc/<SUSPICIOUS PROCESS ID>/exe /<NEW SAVED LOCATION>

Grab memory core dump of suspicious process:

gcore <PID>

Strings on gcore file:

# gcore writes core.<PID> in the current directory by default
strings core.<PID>

Create a hard drive/partition copy with log and hash options:

dd if=<INPUT DEVICE> of=<IMAGE FILE NAME>
dc3dd if=/dev/<TARGET DRIVE, E.G. sda OR sda1> of=/<MOUNTED LOCATION>/<FILE NAME>.img hash=md5 log=/<MOUNTED LOCATION>/<LOG NAME>.log
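Added example, not part of the original sheet: a POSIX shell helper that reproduces what the dc3dd hash= and log= options give you using plain dd (an image plus a log holding the source and image hashes), and a second helper to re-verify a stored image against that log later. acquire_image and verify_image are hypothetical names; the test input is a constructed file standing in for a device.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet).
# acquire_image <INPUT DEVICE OR FILE> <IMAGE FILE> <LOG FILE>
# Returns 0 when the source and image hashes match, 1 otherwise.
acquire_image() {
    src="$1"; img="$2"; log="$3"

    # Prefer sha256sum; fall back to md5sum (the hash=md5 option above).
    if command -v sha256sum >/dev/null 2>&1; then hasher=sha256sum; else hasher=md5sum; fi

    {
        echo "acquisition started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src"
        echo "image:  $img"
    } > "$log"

    # bs=512 keeps any padding sector-sized; noerror,sync reads past bad
    # sectors and zero-fills them so the image keeps the source's length.
    # dd's record counts and error messages are appended to the log.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log" || return 1

    # Hash the source and the image independently (two reads), like dc3dd hash=.
    src_hash=$("$hasher" < "$src" | cut -d' ' -f1)
    img_hash=$("$hasher" < "$img" | cut -d' ' -f1)
    printf '%s source: %s\n' "$hasher" "$src_hash" >> "$log"
    printf '%s image:  %s\n' "$hasher" "$img_hash" >> "$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "result: hashes match" >> "$log"
        return 0
    fi
    echo "result: HASH MISMATCH" >> "$log"
    return 1
}

# verify_image <IMAGE FILE> <LOG FILE>: recompute the image hash with the
# algorithm recorded in the log and compare it to the logged value.
verify_image() {
    img="$1"; log="$2"
    hasher=$(awk '/ image:/ {print $1; exit}' "$log")
    logged=$(awk '/ image:/ {print $3; exit}' "$log")
    actual=$("$hasher" < "$img" | cut -d' ' -f1)
    [ -n "$logged" ] && [ "$logged" = "$actual" ]
}
```

Whole devices are a multiple of 512 bytes, so the image length equals the device length; for a failing disk prefer dc3dd or ddrescue, which record which sectors were unreadable.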

Create a remote hard drive/partition over SSH:

dd if=/dev/<INPUT DEVICE> | ssh <USER NAME>@<DESTINATION IP ADDRESS> "dd of=<DESTINATION PATH>"

Send hard drive image zipped over netcat:

# Sending host:
bzip2 -c /dev/<INPUT DEVICE> | nc <DESTINATION IP ADDRESS> <PICK A PORT>
# Receiving host:
nc -p <PICK SAME PORT> -l | bzip2 -d | dd of=/dev/<DESTINATION DEVICE>

Send hard drive image over netcat:

# Sending host:
dd if=/dev/<INPUT DEVICE> bs=16M | nc <DESTINATION IP ADDRESS> <PORT>
# Receiving host with Pipe Viewer meter:
nc -p <SAME PORT> -l -vv | pv -r | dd of=/dev/<DESTINATION DEVICE> bs=16M