NBDServer

NBDServer copied to clipboard

Windows Network Block Device Server 2012 Jeff Bryner A DFIR/forensic take on nbdsrvr by Folkert van Heusden (http://www.vanheusden.com/windows/nbdsrvr/)

Modified to

1. allow you to specify a whitelist IP address that can connect to the NBD Server
2. defaults to read only access to the partition
3. provide access to disk or memory
4. provide optional debug messages
5. compiles via mingw on windows

.exe provided here is 32 bit, and runs on winxp, win7, win2008.

Video Demo: http://www.youtube.com/watch?v=vKtCYtzteqw

Usage: NBDServer.exe v3.0 -c Client IP address to accept connections from -p Port to listen on (60000 by default) -f File to serve ( \.\PHYSICALDRIVE0 or \.\pmem for example) -n Partition on disk to serve (0 if not specified) -w Enable writing (disabled by default) -d Enable debug messages -q Be Quiet..no messages -h This help text

-f option supports names like the following: \.\PHYSICALDRIVE0 raw drive partition access along with -n option \.\C: volume access (no need for -n option) \.\HarddiskVolume1 volume access (no need for -n option) afile.dd serve up the contents of 'afile.dd' via nbd. \.\pmem access the pmem memory driver from volatility

Example:

Server at 10.200.1.12: #Start server at an administrative cmd.exe session: NBDServer.exe -c 10.200.1.1 -f \.\PHYSICALDRIVE0 -n1

Client/Forensic workstation at 10.200.1.1: (http://nbd.sourceforge.net/) #initialize /dev device modprobe nbd nbd-client 10.1.1.2 60000 /dev/nbd0

#use dev device with any block-oriented tool: xxd /dev/nbd0 | head -n1 0000000: eb52 904e 5446 5320 2020 2000 0208 0000 .R.NTFS ..... 0000010: 0000 0000 00f8 0000 3f00 ff00 0008 0000 ........?....... #timeline generation with fls: fls -f ntfs -m / -r /dev/nbd0 | less #mount it if needed mount -t ntfs -o ro /dev/nbd1 /mnt/windows #unmount it umount /mnt/windows
#disconnect nbd-client -d /dev/nbd0

#for Memory example see MEMReadme.txt