using DD to image a disk over SSH

What I like to do is log into the remote server and run "watch -n 1 iptables --list -v -n" to watch the byte count to give you an idea of how much data has been passed already. Of course you’ll have to start iptables first if it isn’t running.

via using DD to image a disk over SSH | daverdave.com.

This is pretty useful too. I couldn’t do this using sshfs so googled and found that regular ssh works. I do not like to image disks with disks running other than the one being imaged. I find it too dangerous that a single mistype could wipe out a functioning disk. Doing this over a network seems much safer. Here’s the command I used from the linked-to article:

ssh desthost.domain.com "dd if=/dev/sda" | dd of=/dev/sda bs=1024k conv=notrunc,noerror

The destination host feeds the image. The host that runs this command is a Knoppix live boot with the only HD running being the one being written to. I suppose if I were to do this a lot then a dedicated image machine might prove useful with an HD to store the images and some OS and a burn HD in a hot swap slot. The HD with OS and images would be expendable in that an accidental overwrite would be a mere inconvenience instead of actual loss of data.
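
A wrapper around the same pipe that refuses a mounted target (the mistype case) and checks that what landed on the disk matches what was sent. This is an added example, not code from the post or the linked article; `image_stream`, `target_is_mounted` and `MOUNTS_FILE` are hypothetical names, and GNU coreutils (`sha256sum`, `head -c`) are assumed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the original post.
MOUNTS_FILE=${MOUNTS_FILE:-/proc/mounts}   # overridable so the guard can be tested

# Succeeds if TARGET, or a partition of it (sda1, nvme0n1p1), is mounted.
target_is_mounted() {
    awk -v t="$1" '
        $1 == t { hit = 1 }
        index($1, t) == 1 && substr($1, length(t) + 1) ~ /^p?[0-9]+$/ { hit = 1 }
        END { exit !hit }' "$MOUNTS_FILE"
}

# image_stream DEST SOURCE_CMD [ARGS...]
# Writes SOURCE_CMD's stdout to DEST, hashing and counting the stream in
# flight, then re-reads that many bytes from DEST and compares the hashes.
# Returns 0 if verified, 1 on mismatch or empty stream, 2 if refused.
image_stream() {
    dest=$1; shift
    if target_is_mounted "$dest"; then
        echo "refusing to write: $dest is mounted" >&2
        return 2
    fi
    work=$(mktemp -d) || return 1
    mkfifo "$work/hash" "$work/count"
    # Background readers: one hashes the stream, one counts its bytes.
    sha256sum < "$work/hash" | cut -d' ' -f1 > "$work/sent" &
    wc -c < "$work/count" | tr -d ' ' > "$work/bytes" &
    # tee copies the stream to both FIFOs and passes it on to dd.
    "$@" | tee "$work/hash" "$work/count" |
        dd of="$dest" bs=1024k conv=notrunc 2>/dev/null
    wait
    bytes=$(cat "$work/bytes"); sent=$(cat "$work/sent")
    # DEST may be larger than the image, so hash only the bytes written.
    written=$(head -c "$bytes" "$dest" | sha256sum | cut -d' ' -f1)
    rm -rf "$work"
    # An empty stream usually means the source command (e.g. ssh) failed.
    [ "$bytes" -gt 0 ] || { echo "no data received" >&2; return 1; }
    [ "$sent" = "$written" ] || { echo "hash mismatch on $dest" >&2; return 1; }
    echo "$bytes bytes verified, sha256 $sent"
}

# From the live-boot machine, with the host and devices used in the post:
#   image_stream /dev/sda ssh desthost.domain.com "dd if=/dev/sda"
```

The printed SHA-256 can also be compared against a hash taken on the source host, which covers the SSH leg as well as the local write.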

Mount dd images in Windows

Tools for OSForensics – OSFMount – Mount dd images in Windows.

OSFMount allows you to mount local disk image files (bit-for-bit copies of a disk partition) in Windows with a drive letter. You can then analyze the disk image file with PassMark OSForensics™ by using the mounted volume’s drive letter. By default, the image files are mounted as read only so that the original image files are not altered.