
NOTE: This technique is generally used by the cyber forensics guys, who bother to take an image at the crime scene.
Sorry, I am not providing any guiding pics for this, because it is difficult to take snapshots of a locked or dead system..!! :P
And please try this only when you are really in a problem.. don't make anyone uncomfortable with your knowledge...!! Remember one thing: "knowledge brings responsibility..!!"
So here we go.....
1. First, it is really necessary for this attack that you get physical access to the victim's machine.
2. You must have a bootable Linux pendrive with you...!! especially: BackTrack or Matriux.
3. Get to your own system and open the command prompt with administrator rights.
Open a port number in listening mode, so that it is easy for you to connect to your own PC from the victim's.
commands:
nc -lvvp 1234 > image.raw
After this command your Windows PC will start listening on port number 1234.
4. Boot the victim's machine with your bootable Linux pendrive.
- insert the pendrive in the USB slot, restart the machine, get into the boot menu and select the USB drive / USB device to boot from the pendrive.
5. Now, when you are at the desktop of the bootable Linux machine, open the terminal (the command prompt in Linux is called the terminal).
6. Type the following:
- fdisk -l
This will list the available hard disks on the machine.
The output can be as follows:
root@bt~:# fdisk -l
sda1* or SDA A*
sdb2 or SDB A ....and like wise.
Bother to select SDA*, because in most cases it is the default Windows installation drive of the machine.
7. Now follow these steps on the Linux machine:
- go to the menu
- select Arsenal (for Matriux)
- select Digital Forensics
- Acquisition
- finally select Automated Image and Restore (AIR)
8. You will find the SDA tab in the window; click on it.
- you will get a new window
- select the partition tab there, because we want to take the image of the C:\ drive, since the Windows password is stored in there.
9. Now you will get the list of the partitions there; select /dev/sdaX
X - the number of the partition, e.g. 1, 2, 3, 4, 5, 6.
- don't provide the wrong number, because it can corrupt your computer; make sure that you have selected the right drive.
- now copy the name of that file and paste it in the source list.
10. Similarly, you will find a destination device details tab there; provide the
- IP address and
- the port number, i.e. 1234 in our case.
11. Select as destination a drive which has enough space, at least double the space of the drive being copied, that is "C:\" in our case; we are making its image in "E:\", which has double the blank space of "C:\".
- note: you can also use a USB hard disk in place of "E:\"
12. Now click on the START button.
You will find the image being copied bit by bit into "E:\".
13. After it completes, restart the system and run away from the victim's machine.
14. Get to your own system, boot it with the Linux pendrive and select Scalpel to extract files from the image of the victim's PC.
- Scalpel is the software used to recover files from image files taken from dead machines.!!
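As an added example (my own script, not from the post and not part of AIR or Scalpel): a raw stream over nc carries no integrity check, so before running Scalpel on image.raw, hash it and read its partition table to confirm that you received a complete image of the right disk. The file name image.raw is assumed from step 3; the MBR built by make_sample_mbr is a constructed sample, and only MBR-style disks are handled (a GPT disk shows a single 0xEE protective entry).

```python
"""Sanity-check a raw disk image (image.raw from step 3) before carving it with Scalpel."""
import hashlib
import struct

SECTOR = 512
# Standard MBR partition type codes; a Windows C: partition normally shows as 0x07
PART_TYPES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}


def has_boot_signature(mbr: bytes) -> bool:
    """True when the sector ends in the 0x55AA marker every MBR disk carries."""
    return len(mbr) >= SECTOR and mbr[510:512] == b"\x55\xAA"


def parse_mbr(mbr: bytes) -> list:
    """List the used entries of the MBR partition table (roughly what fdisk -l prints)."""
    if not has_boot_signature(mbr):
        # a missing marker means the nc stream was truncated, came from the wrong device, or is not MBR at all
        raise ValueError("no 0x55AA boot signature: not a complete MBR image")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:  # empty slot
            continue
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        parts.append({"index": i + 1, "bootable": entry[0] == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "start_lba": start_lba, "sectors": sectors,
                      "offset_bytes": start_lba * SECTOR})  # use with mount -o ro,loop,offset=...
    return parts


def inspect_image(path: str) -> dict:
    """Hash the whole image (record this before touching it) and parse its first sector."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        first = f.read(SECTOR)
        h.update(first)
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "partitions": parse_mbr(first)}


def make_sample_mbr() -> bytes:
    """Constructed sample MBR: one bootable NTFS partition at LBA 2048, 204800 sectors (100 MiB)."""
    mbr = bytearray(SECTOR)
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)
```

On a real acquisition call inspect_image("image.raw") and keep the returned sha256 with the image; parse_mbr(make_sample_mbr()) shows the expected shape of the partition list offline.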
The End
Have Fun.....!!! :)