Network Block Device Server for windows with a DFIR/forensic focus.
jeffbryner Merge pull request #10 from Beercow/master
Fix for blue screen issues.
Latest commit 952d7ef Mar 31, 2017
COPYING initial commit Oct 21, 2012
LICENSE add license Aug 30, 2015
MEMReadme.txt Updated memory readme for new winpmem release Mar 13, 2013
Makefile.linux Merge branch 'master' of into writ… May 14, 2013 corrected handling of \\.\C:, HarddiskVolume1, etc filenames Nov 8, 2012
NBDServer.exe Updated executable Mar 31, 2017
NBDServer.layout corrected handling of \\.\C:, HarddiskVolume1, etc filenames Nov 8, 2012
main.cpp Fix padding/blue screen issue Mar 31, 2017


Windows Network Block Device Server
2012 Jeff Bryner
A DFIR/forensic take on nbdsrvr by Folkert van Heusden.

Modified to:
1) allow you to specify a whitelist IP address that can connect to the NBD Server
2) default to read-only access to the partition
3) provide access to disk or memory
4) provide optional debug messages
5) compile via mingw on Windows

The .exe provided here is 32-bit and runs on WinXP, Win7, and Win2008.

Video Demo:

NBDServer.exe v3.0
 -c     Client IP address to accept connections from
 -p     Port to listen on (60000 by default)
 -f     File to serve ( \\.\PHYSICALDRIVE0 or \\.\pmem for example)
 -n     Partition on disk to serve (0 if not specified)
 -w     Enable writing (disabled by default)
 -d     Enable debug messages
 -q     Be messages
 -h     This help text

 -f option supports names like the following: 
  \\.\PHYSICALDRIVE0    raw drive partition access along with -n option
  \\.\C:                volume access (no need for -n option)
  \\.\HarddiskVolume1   volume access (no need for -n option)
  afile.dd              serve up the contents of 'afile.dd' via nbd.
  \\.\pmem              access the pmem memory driver from volatility  


Server at
#Start the server from an administrative cmd.exe session
#(<client-ip> is a placeholder for the forensic workstation's address):
	NBDServer.exe -c <client-ip> -f \\.\PHYSICALDRIVE0 -n1

Client/Forensic workstation at
#initialize /dev device (<server-ip> is a placeholder for the NBDServer host)
	modprobe nbd
	nbd-client <server-ip> 60000 /dev/nbd0

#use dev device with any block-oriented tool:
	xxd /dev/nbd0 | head -n2
	0000000: eb52 904e 5446 5320 2020 2000 0208 0000  .R.NTFS    .....
	0000010: 0000 0000 00f8 0000 3f00 ff00 0008 0000  ........?.......
#timeline generation with fls:
	fls -f ntfs -m / -r /dev/nbd0 | less
#mount it read-only if needed
	mount -t ntfs -o ro /dev/nbd0 /mnt/windows
#unmount it, then disconnect the nbd device
	umount /mnt/windows
	nbd-client -d /dev/nbd0

#for Memory example see MEMReadme.txt
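
An added example (not part of NBDServer or the original README): a check, run on the forensic workstation, that the first sector served really is an NTFS boot sector before running fls -f ntfs, i.e. that -n selected the intended partition. SAMPLE is the 32 bytes from the xxd output above; the function names are this example's own.

```python
import struct
import sys

# First 32 bytes of the served partition, copied from the xxd output above.
SAMPLE = bytes.fromhex(
    "eb52904e544653202020200002080000"
    "0000000000f800003f00ff0000080000"
)

def parse_bpb(buf):
    """Decode the BIOS parameter block at the start of a volume boot sector."""
    if len(buf) < 32:
        raise ValueError("need at least the first 32 bytes of the device")
    # Little-endian, unpadded layout covering offsets 0x00-0x1f.
    (_jump, oem, bps, spc, _reserved, _unused, media, _fat_sectors,
     spt, heads, hidden) = struct.unpack_from("<3s8sHBH5sBHHHI", buf, 0)
    return {
        "oem_id": oem.decode("ascii", "replace").rstrip(),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "media_descriptor": media,
        "sectors_per_track": spt,
        "heads": heads,
        "hidden_sectors": hidden,  # sectors on the disk before this volume
    }

def ntfs_problems(buf):
    """Return the reasons the buffer does not look like an NTFS boot sector."""
    bpb = parse_bpb(buf)
    problems = []
    if bpb["oem_id"] != "NTFS":
        problems.append("OEM ID is %r, not 'NTFS'" % bpb["oem_id"])
    if bpb["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        problems.append("implausible bytes per sector: %d" % bpb["bytes_per_sector"])
    if bpb["sectors_per_cluster"] == 0:
        problems.append("sectors per cluster is zero")
    return problems

if __name__ == "__main__":
    # With no argument, check the sample; otherwise read e.g. /dev/nbd0.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as dev:
            data = dev.read(512)
    else:
        data = SAMPLE
    print(parse_bpb(data))
    for problem in ntfs_problems(data):
        print("WARNING:", problem)
```

For the sample, hidden_sectors is 2048: the volume starts 2048 sectors into the physical disk, which is consistent with serving a partition of \\.\PHYSICALDRIVE0 rather than the whole drive.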