As part of incident response, a technician is taking an image of a compromised system and copying the image to a remote image server (192.168.45.82). The system drive is very large but does not contain the sensitive data. The technician has limited time to complete this task. Which of the following is the BEST command for the technician to run?
A. tar cvf – / | ssh 192.168.45.82 “cat – > /images/image.tar”
B. dd if=/dev/mem | scp – 192.168.45.82:/images/image.dd
C. memdump /dev/sda1 | nc 192.168.45.82 3000
D. dd if=/dev/sda | nc 192.168.45.82 3000
Correct Answer: D