From: Estes, Matt CPR / FCBS [Matt.Estes@eis.army.mil]
Sent: Monday, June 03, 2002 9:45 AM
To: forensics@securityfocus.com
Subject: RE: DD -> Netcat NT Imaging

Thanks for all the responses...

Imaging Security:

Yes, netcat pumps all those bits in the clear, to prevent interception...

1.) Disconnect host machine from LAN and use a private hub, might be a good idea if you suspect compromise regardless. Thanks Jesse.

2.) As Shawn said, use cryptcat.

> Perhaps an alternative to nc is cryptcat to add
> encryption of the data passed over the network.

Dangers of dd (aka. Delete Drive)...

It only takes one typo to ruin an entire drive with dd (like dd of=\\.\C: instead of dd if=\\.\C:). I'm using two unused partitions for testing.

Imaging a drive...

Replacing "if=\\.\C:" with "if=\\.\PhysicalDrive0" on the Windows side. Thanks for the info from Mr. Syring... and thanks for porting this dd.exe.

Replacing "of=/dev/hdb1" with "of=/dev/hdb". Again, dd is dangerous and now your entire drive is vulnerable to a typo, and not just one unused partition. I have NOT tested this.

Other Stuff:

I'm using netcat 1.10 on the Windows side (latest from @stake's website) and 1.10 on the Linux side. I never could get to trinux... maybe someone upstream from me has issue with Trinux :-).
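
Added example, not part of the original message or of any tool it mentions: a POSIX shell guard that checks dd operands before an imaging run, so the if=/of= typo described above is refused instead of executed. The function name check_dd_args, the send/recv roles and the MOUNTS_FILE override are assumptions made for this sketch; it only compares operand strings, so it can check the Windows-side device name too if run from a POSIX shell.

```shell
#!/bin/sh
# Added example: validate dd operands before they are handed to dd.
# check_dd_args ROLE DEVICE OPERAND...
#   send: evidence host; dd reads DEVICE and writes only to stdout (pipe to nc)
#   recv: collection host; dd reads stdin (from nc) and writes only to DEVICE
# Returns 0 if the operands are safe to run, 1 otherwise (reason on stderr).
refuse() { printf 'refusing: %s\n' "$1" >&2; }

check_dd_args() {
    role=$1
    dev=$2
    shift 2
    src=''
    dst=''
    for arg in "$@"; do
        case $arg in
            if=*) src=${arg#if=} ;;
            of=*) dst=${arg#of=} ;;
        esac
    done
    case $role in
        send)
            # Any of= on the evidence host is the typo: it writes to a disk.
            [ -z "$dst" ] || { refuse "of=$dst on the evidence host"; return 1; }
            [ "$src" = "$dev" ] || { refuse "if=$src is not $dev"; return 1; }
            ;;
        recv)
            [ -z "$src" ] || { refuse "if=$src, input must come from nc"; return 1; }
            # Exact match also catches /dev/hdb typed where /dev/hdb1 was meant.
            [ "$dst" = "$dev" ] || { refuse "of=$dst is not $dev"; return 1; }
            # Refuse a target that is mounted or has mounted partitions.
            mounts=${MOUNTS_FILE:-/proc/mounts}
            if [ -r "$mounts" ]; then
                while read -r mdev rest; do
                    case $mdev in
                        "$dev"|"$dev"[0-9]*) refuse "$mdev is mounted"; return 1 ;;
                    esac
                done < "$mounts"
            fi
            ;;
        *) refuse "unknown role $role"; return 1 ;;
    esac
    return 0
}
```

Call it with the same operands that will be passed to dd, and run dd only when it returns 0.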