Imaging PCs for Offline Analysis

This is going to be a technical post with requirements for access rights that most people do not have, so it can be ignored. The intention is to file this information in a place that can be widely seen for the benefit of others needing this information.

In some circumstances, it can be helpful to “clone” a hard disk to a file image that can be used independently of the machine itself. This list of actions indicates how it can be done in the UoP environment :-

  1. Make some firmware changes :-
    1. Turn off ‘Secure Boot’
    2. Enable ‘Network Booting’ (not sure why it’s ever disabled)
    3. Enable “Legacy booting” (as many ipxe recipes require it)
  2. Turn off BitKeeper encryption (an encrypted blob is tricky to analyse) :-
    1. Start → Control Panel → System and Security → BitLocker Drive Encryption
    2. Select drive, and “Turn Off BitLocker” (presumably needs admin)
    3. One turned off, the laptop becomes toxic and must remain on site in a physically secure environment.
  3. Perform the imaging :-
    1. Boot off the network (PXE)
    2. Continue to the iPXE menu and (currently) the testing menu.
    3. Select “Ghost for Linux” (either 1 or 2)
    4. Go through the wordage and select backup to a local filesystem – turn
      off compression (the default of “lzo” is rather useless and the usual destination performs compression transparently).
    5. Start an sshfs (sshfs username@148.197.8.78:)
    6. Create an image name – YYYYMMDD-description.img
    7. Start the backup
    8. Restore firmware settings.
  4. Turn BitLocker encryption back on.

This entry was posted in Technical and tagged . Bookmark the permalink.

Leave a Reply