forked from jeffbryner/NBDServer
-
Notifications
You must be signed in to change notification settings - Fork 0
Network Block Device Server for windows with a DFIR/forensic focus.
License
GPL-2.0, Unknown licenses found
Licenses found
GPL-2.0
LICENSE
Unknown
COPYING
hznoob/NBDServer
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
Windows Network Block Device Server 2012 Jeff Bryner A DFIR/forensic take on nbdsrvr by Folkert van Heusden (http://www.vanheusden.com/windows/nbdsrvr/) Modified to 1) allow you to specify a whitelist IP address that can connect to the NBD Server 2) defaults to read only access to the partition 3) provide access to disk or memory 3) provide optional debug messages 4) compiles via mingw on windows .exe provided here is 32 bit, and runs on winxp, win7, win2008. Video Demo: http://www.youtube.com/watch?v=vKtCYtzteqw Usage: NBDServer.exe v3.0 -c Client IP address to accept connections from -p Port to listen on (60000 by default) -f File to serve ( \\.\PHYSICALDRIVE0 or \\.\pmem for example) -n Partition on disk to serve (0 if not specified) -w Enable writing (disabled by default) -d Enable debug messages -q Be Quiet..no messages -h This help text -f option supports names like the following: \\.\PHYSICALDRIVE0 raw drive partition access along with -n option \\.\C: volume access (no need for -n option) \\.\HarddiskVolume1 volume access (no need for -n option) afile.dd serve up the contents of 'afile.dd' via nbd. \\.\pmem access the pmem memory driver from volatility Example: Server at 10.200.1.12: #Start server at an administrative cmd.exe session: NBDServer.exe -c 10.200.1.1 -f \\.\PHYSICALDRIVE0 -n1 Client/Forensic workstation at 10.200.1.1: (http://nbd.sourceforge.net/) #initialize /dev device modprobe nbd nbd-client 10.1.1.2 60000 /dev/nbd0 #use dev device with any block-oriented tool: xxd /dev/nbd0 | head -n1 0000000: eb52 904e 5446 5320 2020 2000 0208 0000 .R.NTFS ..... 0000010: 0000 0000 00f8 0000 3f00 ff00 0008 0000 ........?....... #timeline generation with fls: fls -f ntfs -m / -r /dev/nbd0 | less #mount it if needed mount -t ntfs -o ro /dev/nbd1 /mnt/windows #unmount it umount /mnt/windows #disconnect nbd-client -d /dev/nbd0 #for Memory example see MEMReadme.txt
About
Network Block Device Server for windows with a DFIR/forensic focus.
Resources
License
GPL-2.0, Unknown licenses found
Licenses found
GPL-2.0
LICENSE
Unknown
COPYING
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published
Languages
- C++ 100.0%