Tuesday, January 22, 2008

Guillotine Steps and Conditions

Conditions:

The machine is on but nobody is logged in, or

The machine is on, a user is logged on, and it is not running full-disk encryption (BitLocker, BestCrypt…). If it is running encryption, make a logical image of the mounted volume immediately, while the keys are still in use.

You have physical access to the machine.

You know what a hard drive Molex power cable looks like…

(Easiest setup: the computer has a CD/DVD drive and an empty USB port…)

Steps:

  1. Open the computer's cover to get at the hard drive(s).
  2. Place a Knoppix boot CD in the drive and leave the tray open (I used Damn Small Linux).
  3. Locate the Molex power cable running to the hard drive that holds the OS.
  4. Pull the Molex cable from the hard drive (if there are more than two hard drives, consider cutting the cables with insulated tools). With the disk unpowered the BIOS cannot boot from it and falls through to the CD, and nothing can be written to the evidence disk during the reboot.
  5. Reset the computer AS FAST AS POSSIBLE, using the reset button or the off/on button. The goal is to get the machine rebooted into Knoppix as quickly as possible. A reset keeps DRAM powered; a full power cycle cuts power to the RAM, so prefer the reset button where there is one.
  6. Before the reboot, insert the USB drive that will receive the memory dump (USB drive formatted FAT32). Push in the CD tray if needed.
  7. Boot into Knoppix.
  8. Boot Knoppix to the command line (the option in Damn Small Linux is "dsl 2").
  9. Mount the USB drive (mount /dev/sda1).
  10. dd the memory, for example dd if=/dev/mem of=/mnt/sda1/NAMEofDump.dd (if= input file, of= output file). Note that FAT32 cannot hold a file of 4 GB or larger, so a machine with that much RAM needs a differently formatted stick.
  11. Unmount the USB drive or shut down (shutdown -h now).
  12. Analyze the dump with some good tools (like my RAM EnScript).
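The acquisition from the mount step onward as one script, added here as an example; it is not part of the original post. It reads only the "System RAM" ranges listed in /proc/iomem instead of running dd over /dev/mem end to end, because a straight read stops or errors at the first memory-mapped I/O hole; each range is written into the image at its physical offset so the file keeps the machine's memory layout, and the /proc/iomem listing and an MD5 are saved next to it. The device /dev/sda1, the mount point /mnt/sda1 and the dump name follow the post; the helper names (ram_ranges, block_size, dd_cmd_for_range, acquire), the --run flag and the sample /proc/iomem excerpt are constructed for this example. It assumes a kernel that allows unrestricted /dev/mem reads, as the live CDs of that era did; a kernel built with CONFIG_STRICT_DEVMEM refuses reads above the first megabyte, and a kernel-module acquisition tool such as LiME or fmem is needed instead.

```shell
#!/bin/sh
# Added example (not from the original post): dump physical memory from a
# live-CD shell range by range, driven by the "System RAM" entries in
# /proc/iomem, so dd never hits a memory-mapped I/O hole.
# Assumptions: FAT32 stick on /dev/sda1 (as in the post), busybox/GNU dd,
# and a kernel without CONFIG_STRICT_DEVMEM (full /dev/mem reads allowed).

set -u

# Print "start end" in decimal (inclusive end) for each unindented
# "System RAM" line of a /proc/iomem listing read from stdin.
ram_ranges() {
    sed -n 's/^\([0-9a-f][0-9a-f]*\)-\([0-9a-f][0-9a-f]*\) : System RAM$/\1 \2/p' |
    while read -r start end; do
        echo "$((0x$start)) $((0x$end))"
    done
}

# Largest power-of-two block size (<= 4096, >= 512) dividing both the range
# start and its length. The 640K range on PCs ends at 0x9fc00 and is only
# 1K-aligned, so a fixed bs=4096 would truncate it.
block_size() {
    start=$1; len=$2; bs=4096
    while [ "$bs" -gt 512 ] && { [ $((start % bs)) -ne 0 ] || [ $((len % bs)) -ne 0 ]; }; do
        bs=$((bs / 2))
    done
    echo "$bs"
}

# Build the dd command for one range. seek= places it at its physical offset
# in the image; conv=noerror,sync zero-fills any block the kernel refuses
# instead of aborting, and notrunc keeps earlier ranges in the file.
dd_cmd_for_range() {
    start=$1; end=$2; out=$3
    len=$((end - start + 1))
    bs=$(block_size "$start" "$len")
    echo "dd if=/dev/mem of=$out bs=$bs skip=$((start / bs)) seek=$((start / bs)) count=$((len / bs)) conv=notrunc,noerror,sync"
}

# Mount the stick, copy every RAM range, keep the memory map, hash the image.
acquire() {
    dev=$1; mnt=$2; out=$3
    mount -t vfat "$dev" "$mnt" || return 1
    cp /proc/iomem "$out.iomem"          # needed later to interpret offsets
    ram_ranges < /proc/iomem | while read -r s e; do
        cmd=$(dd_cmd_for_range "$s" "$e" "$out")
        echo "$cmd"
        $cmd 2>>"$out.log"               # dd errors (e.g. EPERM) go to the log
    done
    md5sum "$out" > "$out.md5"
    sync; umount "$mnt"
}

# Constructed /proc/iomem excerpt with a typical PC layout, used to exercise
# the parsing without touching /dev/mem. Indented lines are sub-resources.
SAMPLE_IOMEM='00000000-0009fbff : System RAM
0009fc00-0009ffff : reserved
000a0000-000bffff : PCI Bus 0000:00
000f0000-000fffff : System ROM
00100000-7ffeffff : System RAM
  01000000-0178b5d2 : Kernel code
  0178b5d3-01c3c3ff : Kernel data
7fff0000-7fffffff : ACPI Tables
e0000000-e0ffffff : 0000:00:02.0
fec00000-fec00fff : IOAPIC 0
fee00000-fee00fff : Local APIC
fffc0000-ffffffff : reserved'

# Only do the real acquisition when asked: sh memdump.sh --run
if [ "${1:-}" = "--run" ]; then
    acquire /dev/sda1 /mnt/sda1 /mnt/sda1/memdump.dd
fi
```

Run it from the live-CD shell as `sh memdump.sh --run`; without the flag it only defines the functions. On the sample listing ram_ranges yields the 640K range and the 2 GB range above 1 MB, the first copied with bs=1024 and the second with bs=4096 at skip=seek=256. After the dump, check memdump.dd.log: a run of EPERM errors there means the kernel restricts /dev/mem and the image is mostly zero-fill.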
