So, let's talk about capturing disk images for recovery purposes. I mean, we all do backups, right? *cough* *cough*
We'll be looking at bare metal imaging using dd, a Linux live system and Windows machines, including imaging to network shares.
For this you'll need a Windows machine with a share set up for anonymous / Everyone access, and a static IP address. You could use DHCP and the machine name instead, but it's easier to get working with static, raw IP addresses.
You'll also need a Kali USB stick for booting the machine you want to clone, and some files. And yes, this can be done using virtual machines; we'll get back to that later on.
First, download Kali and make a bootable drive with it, so you have something to boot from. Make sure your destination server (the Windows share) has more free space than the drive of the machine you're cloning, or else it won't work. How much? It depends, but remember that a raw dd image is as large as the whole drive, not just the used part of it. Round up to the nearest 100 GB for good measure.
When you have the machine you want to clone booted from the Kali USB drive, pause and listen for a moment: you do NOT mount the Windows drive from the live Kali instance! dd reads the raw device, and mounting it risks changing what you are about to capture.
If you're cloning to a Samba share, install cifs-utils and sshfs on the Kali live host.
apt install cifs-utils sshfs
Next we make a folder to mount the Samba file system on, then we mount the remote share and start copying.
# make a mount point for the share
mkdir /media/sambashare
# mount the remote share from the server
mount -t cifs //10.0.0.32/share /media/sambashare -o user=Administrator,password=password
Here 10.0.0.32 is the IP of my server; yours will be different. I really suggest you don't use machine names but IP addresses, for simplicity's sake and less troubleshooting.
When you've got it all working, let's make a snapshot of the drive.
There are a lot of ways to do that; here I'm using the dd command, since it's a built-in tool and "good enough". It will be a bit slow, but it will get there, just give it time.
And do remember that Windows has at least two partitions, a boot partition and a system partition, so we need to get them both in one snapshot.
First we identify the hard drive; for that, use the lsblk command.
lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
sda 8:0 0 931,5G 0 disk
└─sda1 8:1 0 931,5G 0 part /media/nx/usbdisk
sdb 8:16 0 298,1G 0 disk
└─sdb1 8:17 0 298,1G 0 part /media
Here's a sample output to study. Notice it lists sda and sdb, and under those sda1 and sdb1. There can be more, depending on how many partitions the drive you want to copy has.
The important thing is that we need both the boot part and the system partition. Those are likely going to be sda1 and sda2, so we image the whole device, sda, found at /dev/sda.
Remember our Samba share is mounted at /media/sambashare. That's it, time to rock :)
dd if=/dev/sda of=/media/sambashare/capture.img bs=1M status=progress
The if= parameter to dd is the hard drive device, with no partition number, to make sure it captures the whole drive. of= is where we want to place the capture file and what to call it. bs= is the block size, here one MB, and status=progress shows progress data. Note that it only shows what has been copied, not how long it needs to finish.
That's it. It will take some time, but let it finish; when you're done you should have an image file of the entire hard drive.
Now comes the fun part. We try to restore it and see if it works.
So, make a new virtual machine, giving it a drive at least as large as the original, and boot it from the Kali live stick or the Kali ISO if you have one. Next install cifs-utils and sshfs on the virtual Kali machine and mount the Samba share like you did the last time.
Lastly we write the image back by simply switching the parameters to dd, using the Samba share for input and the new empty drive for output.
dd if=/media/sambashare/capture.img of=/dev/sda bs=1M status=progress
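Before you boot it, it is worth checking that what landed on the new drive matches what was captured. The following is an added example, not code from the original post: it wraps the capture and restore commands above so that the capture writes a SHA-256 sidecar next to the image and the restore can be checked against it, and it mounts the share from a credentials file instead of putting the password on the command line (where it ends up in shell history and the process list). It assumes a Linux host with GNU coreutils, that you run it as root, and the paths are only the post's example names.

```sh
#!/bin/sh
# Added example (not from the original post): image a drive with dd,
# record a SHA-256 of the captured bytes, and verify a restore.
# Assumes GNU coreutils (dd, sha256sum, head) and root privileges.
set -e

# Mount the share from a credentials file instead of passing the
# password on the command line. The file holds two lines:
#   username=Administrator
#   password=...
# Usage: mount_share //10.0.0.32/share /media/sambashare /root/.smbcreds
mount_share() {
  mount -t cifs "$1" "$2" -o "credentials=$3"
}

# capture_image SRC IMG: stream SRC through dd into IMG and hash the
# very same bytes, so IMG.sha256 describes the source as it was read.
# Point SRC at the raw device (/dev/sda), never at a mounted partition.
# DD_OPTS can be set to "" to silence the progress output.
capture_image() {
  src="$1"; img="$2"
  dd if="$src" bs=1M ${DD_OPTS-status=progress} \
    | tee "$img" | sha256sum | awk '{print $1}' >"$img.sha256"
}

# restore_image IMG DEV: the post's restore step, parameters switched.
restore_image() {
  dd if="$1" of="$2" bs=1M ${DD_OPTS-status=progress}
}

# verify_restore IMG DEV: the target disk is usually bigger than the
# image, so hash only the first <image size> bytes of DEV and compare
# with the sidecar written at capture time. Exit status 0 on match.
verify_restore() {
  img="$1"; dev="$2"
  size=$(wc -c <"$img" | tr -d ' ')
  expected=$(cat "$img.sha256")
  actual=$(head -c "$size" "$dev" | sha256sum | awk '{print $1}')
  [ "$expected" = "$actual" ]
}
```

Run verify_restore against the new drive before rebooting; a mismatch means the copy, the share or the target drive dropped or changed bytes somewhere along the way.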
Try booting the new Windows machine you just made; it should be a complete clone of the old machine if everything worked out. But is there another way?
Let's say we captured the image file to our workstation and want to use it in VirtualBox. Can we do that? Sure, and here's how. You have to convert the img file to VirtualBox's VDI format using the VBoxManage command, like so.
VBoxManage convertfromraw --format VDI filename.img harddrivename.vdi
From there it's a matter of making a new virtual machine, attaching the hard drive file you just converted, and booting it. It should be a complete clone, and it should boot.
You could use something like Clonezilla to do it, and I would highly recommend it if you're cloning multiple machines, since it can run in server mode, capturing several machines at a time and rolling out to multiple clients at a time. But Clonezilla actually uses the same mechanism to do the work; it just comes as a custom ISO with a pretty GUI, and the tools are more or less the same :)
Have fun :)