Insert the thumbdrive into the powered-down system. Boot from the
F-Secure Rescue CD and let it initialize until the screen presents the choice
to continue or restart the computer.
Press Alt-F2 to switch to the console.
List all available drives with the fdisk -l command. Use the sizes of the
disks to pick out the thumbdrive.
Mount the thumbdrive with the mount %devicename% command, where
%devicename% = the name of the thumbdrive.
Name of thumbdrive:
Use the following command to dump the MBR, which is usually (but
not always) the first sector of the disk:
dd if=%device_name% of=%filename% bs=512 count=1
where %device_name% = name of the device and
%filename% = name of the output dump. The count=1 argument limits the copy
to that single 512-byte sector.
Copy the dumped information to the thumbdrive with the following command:
cp %name of output dump% %file on thumbdrive%
You can determine the path to the thumbdrive by typing the df command and
noting the relevant entry in the "Mounted on" column.
Example: cp /tmp/mbr_disk /media/shc1/mbr_disk
Use an uncompromised machine to submit all the dumped files to
F-Secure via the Sample Analysis System, along with any relevant details.
The dumped files may also be sent in as an attachment to a
reply for an existing SAS case.
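
The dump step above can be wrapped with a sanity check before the file is copied and submitted. This is an added example, not part of the original F-Secure procedure: it confirms the dump is exactly 512 bytes, reports whether the 55 aa boot signature is present, and records a SHA-256 hash. The function name dump_mbr, the availability of sha256sum on the console, and the sample disk image are assumptions made for illustration.

```shell
# Added example (not F-Secure's own script).
# dump_mbr DEVICE OUTFILE
#   Prints "<size> <signature> <sha256>".
#   Returns 1 if dd fails, 2 on a short read, 3 if the boot signature is absent.
dump_mbr() {
    dev=$1
    out=$2
    # Read-only copy of exactly one 512-byte sector from the device.
    dd if="$dev" of="$out" bs=512 count=1 2>/dev/null || return 1
    size=$(wc -c < "$out" | tr -d ' ')
    [ "$size" -eq 512 ] || { echo "short read: $size bytes" >&2; return 2; }
    # Bytes 510-511 of a valid MBR hold the boot signature 55 aa.
    sig=$(dd if="$out" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    # Record the hash so the submitted file can be matched to this dump later.
    hash=$(sha256sum "$out" | cut -d' ' -f1)
    echo "$size $sig $hash"
    # A missing signature is worth noting in the submission; the dump is kept.
    [ "$sig" = "55aa" ] || { echo "warning: no 55aa boot signature" >&2; return 3; }
}

# Constructed sample input: a 2-sector image whose first sector ends in 55 aa.
img=$(mktemp)
dump=$(mktemp)
dd if=/dev/zero of="$img" bs=512 count=2 2>/dev/null
printf '\125\252' | dd of="$img" bs=1 seek=510 conv=notrunc 2>/dev/null
dump_mbr "$img" "$dump"
rm -f "$img" "$dump"
```

On the rescue console the first argument would be the device name found with fdisk -l, and the second the dump path that is later copied to the thumbdrive.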