Focus on Linux
Re: problems cloning a hard drive with dcfldd Aug 07 2008 05:38PM
Dave Hull (dphull trustedsignal com) (2 replies)
On Wed, Aug 6, 2008 at 3:14 PM, <DON.RAIKES (at) oracle (dot) com> wrote:
> I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.
>
> Setup:
> laptop with 40 GB hard drive with 2 partitions. The laptop had/has Windows XP on it, but it won't boot any longer.
> desktop system running Fedora 9 as my forensics lab machine.
> Fedora LiveCD containing dcfldd and some other tools.
>
> Situation:
> I boot the laptop using the LiveCD and log in no problem.
> I can see the hard drive as /dev/sda.

You might try pulling the drive out of the laptop and connecting it to
your PC directly using a USB external drive adapter. Mount the drive
on your forensics lab machine read-only and try acquiring the image
with dcfldd. You could also acquire the entire drive, rather than
individual partitions and then carve out the partitions from that
image, again using dcfldd. The Sleuthkit command mmls will display the
partition table information it finds in the image and you can feed
that information into dcfldd to carve out the partitions.

> dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3

Looks good to me. Have you tried specifying a blocksize via bs=?

> All seems to be going just fine; the netcat connection is made and dcfldd is displaying its progress.
> However, at block 98513, I get an error from dcfldd saying:
>
> error:/dev/sda1 input output error
>
> and the whole process stops.

I have seen similar problems when trying to acquire using Helix and
USB mounted drives on laptops. I generally have better luck attaching
and mounting the drives in my forensic workstation.

Good luck.

--
Dave Hull
