Focus on Linux
Re: problems cloning a hard drive with dcfldd Aug 08 2008 06:21AM
Andreas Ferrari (aferrari stasoft ch)
Dave Hull wrote:
> On Wed, Aug 6, 2008 at 3:14 PM, <DON.RAIKES (at) oracle (dot) com [email concealed]> wrote:
>
>> I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.
>>
>> Setup:
>> laptop with 40gb harddrive with 2 partitions. The laptop had/has windows xp on it, but it won't boot any longer.
>> desktop system running fedora 9 as my forensics lab machine.
>> fedora livecd containing dcfldd and some other tools.
>>
>> Situation:
>> I boot the laptop using the livecd and login no problem.
>> I can see the hard drive as /dev/sda.
>>
>
> You might try pulling the drive out of the laptop and connecting it to
> your PC directly using a USB external drive adapter. Mount the drive
> on your forensics lab machine read-only and try acquiring the image
> with dcfldd. You could also acquire the entire drive, rather than
> individual partitions and then carve out the partitions from that
> image, again using dcfldd. The Sleuthkit command mmls will display the
> partition table information it finds in the image and you can feed
> that information into dcfldd to carve out the partitions.
>
>
>> dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3
>>
>
> Looks good to me. Have you tried specifying a blocksize via bs=?
>
>
>> All seems to be going just fine the netcat connection is made and dcfldd is displaying its progress.
>> However, at block 98513, I get an error from dcfldd saying:
>>
>> error:/dev/sda1 input output error
>>
>> and the whole process stops.
>>
If there is an error on the disk, dd will fail. If you really don't need
the forensic features of dcfldd, you can also use ddrescue.
ddrescue is different from dd: dd fails when there is a read error on
the disk, while ddrescue will continue (have a look at the man page).
Good luck
> I have seen similar problems when trying to acquire using Helix and
> USB mounted drives on laptops. I generally have better luck attaching
> and mounting the drives in my forensic workstation.
>
> Good luck.
>
>
