
Re: raw disk access



What you're asking for is trivially available on all Linux systems.

Through the "/dev" filesystem, the kernel makes many hardware devices
available to ordinary programs.  For example, if you had mounted your
target disk as the secondary master hard drive, you could create an
image of the disk by doing:

cp /dev/hdc ~/disk-image

Or search a floppy disk for intelligible-looking strings:

strings /dev/fd0 | less

Note: speaking from experience, it's *very* important to pipe the
results to less - you wouldn't believe how many false positives you get
in 1.44MB of data :)

You could also make an image of a single partition and mount the image:

fdisk -l /dev/hdb
	(to examine the partition table)
cat /dev/hdb1 > ~/disk-image
mount -o ro,loop ~/disk-image /mnt/misc

It is traditional to use "dd" for direct hardware access because it
supports even very complex operations - e.g. to look for text between the
27th and 33rd megabyte from the fourth partition of a SCSI disk, logging
your output to "logfile", do:

dd if=/dev/sda4 bs=1M skip=27 count=6 | strings | tee logfile | less

It's a common trick to back up a system by pointing tar straight at a
device:

tar jcvvf /dev/tape /home/*

The program "file" (yes, it is a confusing name) can be used to diagnose
many common file formats, though you have to trick it into looking
beyond the fact that it's looking at a device instead of a normal file:

cat /dev/cdrom | file

If you intend to examine ext2 filesystems which have had files recently
deleted, you should look at 'debugfs', and the various
undeletion-related HOWTOs available from the LDP.

Of course, the other side of the forensic coin is also well represented
under Linux.  To destroy a file with little or no trace, do:

shred <filename>

The "/dev" filesystem is an example of the general Unix philosophy that
"everything is either a file or a process".  This simple, universal rule
makes it possible to use the full range of standard Unix tools
everywhere - for example, I can use "cat" to record sound from my
microphone and (using inetd) I can create a message-of-the-day server
with "echo" :-)

This simplicity even extends to the source-code level.  If you do choose
to write your own tools, you need only open a device like any other
file.  The only thing you need to know is that some devices are
"character special files", which means that they can't be randomly
accessed (e.g. it makes no sense to seek to the 5th byte in /dev/mouse).

Good luck!

	- Andrew Sayers
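An added example (not part of the post above) tying together the "image a partition and loop-mount it" and "dd with skip/count" recipes for the case where you imaged the whole disk rather than one partition: it reads the MBR partition table from a raw image, exactly as `fdisk -l` would, and works out the `offset=`/`sizelimit=` values needed to mount one partition read-only from the full image. The image bytes are constructed inline; the image path and the /mnt/misc mount point are assumed.

```python
import struct

SECTOR = 512          # classic MBR disks use 512-byte logical sectors
MBR_SIGNATURE = b"\x55\xaa"


def parse_mbr(image: bytes):
    """Return the non-empty entries of the MBR partition table in `image`.

    Only the four primary entries are parsed; an extended partition
    (type 0x05/0x0f) is reported but its EBR chain is not walked.
    """
    if len(image) < 512 or image[510:512] != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        entry = image[446 + 16 * i : 446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:      # unused slot
            continue
        parts.append({
            "index": i + 1,                 # hdb1, hdb2, ... numbering
            "bootable": status == 0x80,
            "type": ptype,                  # 0x83 = Linux, 0x82 = swap, ...
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR,
            "byte_size": sectors * SECTOR,
        })
    return parts


def mount_hint(part, image_path, mountpoint="/mnt/misc"):
    """mount(8) line that loop-mounts one partition straight from a whole-disk image."""
    return (f"mount -o ro,loop,offset={part['byte_offset']},"
            f"sizelimit={part['byte_size']} {image_path} {mountpoint}")


def dd_hint(part, image_path, out="partition-image"):
    """Equivalent dd line that carves the partition out of the image."""
    return (f"dd if={image_path} of={out} bs={SECTOR} "
            f"skip={part['lba_start']} count={part['sectors']}")


def build_sample_image():
    """Constructed sample: one bootable Linux partition, LBA 2048, 20480 sectors (10 MiB)."""
    mbr = bytearray(512)
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x83, 0, 0, 0, 2048, 20480)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for p in parse_mbr(build_sample_image()):
        print(p)
        print(mount_hint(p, "~/disk-image"))
        print(dd_hint(p, "~/disk-image"))
```

On a real image, replace `build_sample_image()` with the first 512 bytes of the file; GPT disks carry a protective MBR (type 0xee) and need a GPT parser instead.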
