Hi All,
I frequently find myself in the following situation.
Ediscovery request requires a full disk image. Target works from home or is otherwise in a bandwidth constrained area. Workaround is to ship an encrypted USB drive with FTK Imager Lite. I control the collection via screen sharing. For non-Windows boxes, I fall back on DD. When using DD, the target may temporarily change the root password so I can do something like this:
ssh hostname@xxx.xxx.xxx.xx
sudo dd if=/dev/sda1 conv=noerror,sync bs=65536 | split -b 4400m - /media/MEDIALABEL/FILENAME.IMG
When I try this on an Intel Mac OSX, I keep receiving a "resource busy" error, which appears to refer to the source drive. I believe I tried to grab the volume rather than the physical device when this occurred.
Has anyone experienced this or have a better idea? This needs to be as painless as possible for the target, and it needs to be a live image I can control remotely. For example, letting the target put in a boot disk and drive the collection is not an option. Keep in mind this is for ediscovery where we have the cooperation of the target. We aren't in stealth mode.
Thanks!
First of all… dd on OSX is horribly broken and slow. I recommend using dcfldd (or similar).
Second… disks are named differently on OSX. From the terminal try "diskutil list". Also, when imaging I prefer to use the rdiskxx instead of diskxx. rdiskxx is the raw device and diskxx refers to the same device as a block device.
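The following is an added example, not code posted in this thread. It turns the reply's two points into a small script: `raw_device` maps whatever identifier "diskutil list" shows (disk2, disk2s1, /dev/disk2s1) to the whole-disk raw device /dev/rdiskN, and `image_disk` images that device with dcfldd, keeping the original poster's 4400 MB chunk size and adding a SHA-256 hash log for chain of custody. It assumes dcfldd is installed on the Mac and uses its `split=`, `splitformat=`, `hash=` and `hashlog=` options; the destination path and label are placeholders.

```sh
#!/bin/sh
# Added example for the thread above (not the original poster's or replier's code).
# Requires: macOS with dcfldd installed; run the imaging step with sudo.

# raw_device ID: print the raw whole-disk device for a diskutil identifier.
#   disk2 / disk2s1 / /dev/disk2s1 / /dev/rdisk2  ->  /dev/rdisk2
# Returns 1 if the identifier does not look like a diskutil disk name.
raw_device() {
    id=${1#/dev/}           # drop a leading /dev/
    id=${id#r}              # drop an r prefix if the caller already gave rdiskN
    whole=${id%%s[0-9]*}    # drop a trailing partition suffix such as s1
    case $whole in
        disk[0-9]*) printf '/dev/r%s\n' "$whole" ;;
        *)          return 1 ;;
    esac
}

# image_disk ID DEST_DIR LABEL: image the raw device behind ID into
# DEST_DIR/LABEL.img.aa, .ab, ... in 4400 MB pieces, with a SHA-256 hash log.
# conv=noerror,sync keeps going past unreadable sectors, as in the poster's dd line.
image_disk() {
    src=$(raw_device "$1") || { echo "not a diskutil identifier: $1" >&2; return 1; }
    dest=$2
    label=$3
    command -v dcfldd >/dev/null 2>&1 || { echo "dcfldd not installed" >&2; return 2; }
    [ -c "$src" ] || { echo "no such raw device: $src" >&2; return 2; }
    mkdir -p "$dest" || return 2
    dcfldd if="$src" of="$dest/$label.img" \
        bs=65536 conv=noerror,sync \
        split=4400M splitformat=aa \
        hash=sha256 hashlog="$dest/$label.sha256" \
        status=on
}

# Usage: sudo ./image_mac.sh disk0 /Volumes/MEDIALABEL CASE001
# (placeholder identifier, destination and label)
if [ "$#" -ge 3 ]; then
    image_disk "$1" "$2" "$3"
fi
```

If dd or dcfldd still reports "resource busy" on the raw device, the volume is mounted; for a data disk, `diskutil unmountDisk /dev/diskN` before imaging clears it, which is not an option for the live boot volume the original poster wants to capture.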