NBD Server

Bug #1259800 reported by Erik Kristensen
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---------|--------|------------|-------------|-----------|
| SIFT | Fix Released | Undecided | Unassigned | |

Bug Description

> Hello,
>
> Sorry for the long post but this may help someone.
>
> NBD runs fine on SIFT 2.14 and also allows you to connect RO to remote RAM (with the GRR Mem driver) as well as remote partitions. Here's how I did it:
>
> 1. Install the nbd-client software in SIFT 2.14 using the synaptic package manager
>
> 2. Open a terminal, sudo su, and then modprobe nbd
>
> 3. SIFT is now ready to connect to a remote nbd device.
>
> 4. Download nbdserver.exe from https://github.com/jeffbryner/NBDServer
>
> 5. Download winpmem-1.4.1.zip from http://code.google.com/p/volatility/downloads/list
>
> 6. Put those on the remote system, unpack, and launch the nbdserver with admin privilege and ensure it's not blocked.
>
> 7. To share partition 1 (-n1) only with SIFT located at 192.168.171.130, open an administrator command prompt window and type: NBDServer.exe -c 192.168.171.130 -f \\.\PHYSICALDRIVE0 -n1
>
> 8. Alternatively, you can type: NBDServer.exe -c 192.168.171.130 -f\\.\C:
>
> 9. Note: by default this connection takes place via PORT 60000; to specify a different port use -p <XXXXX>
>
> 10. If you want to simultaneously connect to RAM then you must use a different port (50000 for example).
>
> 11. First launch the driver; type: winpmem_1.4 -l
>
> 12. Then type: NBDServer.exe -p 50000 -c 192.168.171.130 -f\\.\pmem
>
> 13. Back on your SIFT: connect to the remote partition by typing in # nbd-client xxx.xxx.xxx.xxx 60000 /dev/nbd0
>
> 14. Connect to the remote RAM by typing # nbd-client xxx.xxx.xxx.xxx 50000 /dev/nbd1
>
> 15. Mount the remote partition RO: # mount -o ro,show_sys_files,streams_interface=windows /dev/nbd0 /mnt/windows_mount
>
> 16. On my Windows host forensic system, I now map my Drive Z: to the SIFT's shared "/mnt" folder so I can run any tool against /mnt/windows_mount data
>
> 17. To disconnect type # umount /mnt/windows_mount, followed by # nbd-client -d /dev/nbd0
>
> 18. To connect to the remote RAM and then image it type: # nbd-client xxx.xxx.xxx.xxx 50000 /dev/nbd1, followed by # dcfldd if=/dev/nbd1 bs=1024 of=/<path>/mem.dd
>
> 19. To disconnect from RAM, do as described above.
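
An added example, not part of the original report or of SIFT: a shell wrapper for the imaging in step 18 that hashes the stream as it is read (live RAM cannot be re-read for comparison) and refuses a block device the kernel does not report as read-only. The function names and the `.sha256` and `.err` sidecar files are assumptions of this example, and it uses `dd` in place of `dcfldd`.

```shell
#!/bin/sh
# Added example: image SRC (e.g. /dev/nbd1) to DST, hashing the stream as read.

# Succeeds if DEV is flagged read-only in sysfs. Non-block sources (such as
# the regular file used for testing) are skipped.
is_readonly() {
    [ -b "$1" ] || return 0
    [ "$(cat "/sys/class/block/$(basename "$1")/ro" 2>/dev/null)" = "1" ]
}

# acquire SRC DST: prints the SHA-256 of the acquired bytes on success.
acquire() {
    src=$1; dst=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 2; }
    is_readonly "$src" || {
        echo "$src is writable; run 'blockdev --setro $src' first" >&2
        return 3
    }
    # RAM keeps changing, so the source cannot be re-read and compared later:
    # hash the same bytes that are being written. A dd failure is flagged
    # through a marker file because plain sh has no pipefail.
    stream_hash=$( { dd if="$src" bs=1024 2>/dev/null || : > "$dst.err"; } |
        tee "$dst" | sha256sum | cut -d' ' -f1)
    [ ! -e "$dst.err" ] || { echo "read error on $src" >&2; return 4; }
    # Re-hash the file on disk to catch a short or failed write.
    file_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$stream_hash" = "$file_hash" ] || { echo "image differs from stream" >&2; return 5; }
    printf '%s  %s\n' "$file_hash" "$dst" > "$dst.sha256"
    echo "$file_hash"
}

# Usage: sh acquire.sh /dev/nbd1 /<path>/mem.dd
if [ "$#" -eq 2 ]; then acquire "$1" "$2"; fi
```

The recorded hash describes the bytes received over NBD at acquisition time; a later read of `/dev/nbd1` will not reproduce it.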

Changed in sift:
status: New → Fix Released