Commands to image Netscaler device: dd if=/dev/md0 | gzip -1 - | ssh user@[IP address] dd of=/[fullpath]/md0.gz dd if=/dev/ad0s1a | gzip -1 - | ssh user@[IP address] dd of=/[fullpath]/ad0s1a.gz dd if=/dev/ad0s1b | gzip -1 - | ssh user@[IP address] dd of=/[fullpath]/ad0s1b.gz

Note: You may need to run “mount” or “df -h” commands because the partition names (e.g - ad0s1b) may vary slightly across versions and need to be updated per command.

Mounting a FreeBSD forensic image isn’t trivial. @hal_pomeranz has a great @sansforensics write-up that should help walk you through the steps in your forensic tool of choice digital-forensics.sans.org/b…