Focus on Linux
Re: root shell auditing Aug 06 2008 06:16PM
Hari Sekhon (hpsekhon googlemail com) (1 replies)
RE: root shell auditing Aug 06 2008 07:17PM
Christian Lete (clete shellcode com ar) (2 replies)
Re: root shell auditing Aug 06 2008 08:30PM
Gautam R. Singh (gautam singh gmail com)
problems cloning a hard drive with dcfldd Aug 06 2008 08:14PM
DON RAIKES oracle com (3 replies)
Re: problems cloning a hard drive with dcfldd Aug 13 2008 08:25AM
Kosala Atapattu (kosala atapattu gmail com)
Re: problems cloning a hard drive with dcfldd Aug 09 2008 01:40AM
farmerdude (subscribe crazytrain com) (1 replies)
RE: problems cloning a hard drive with dcfldd Aug 11 2008 07:11PM
DON RAIKES ORACLE COM (1 replies)
RE: problems cloning a hard drive with dcfldd Aug 11 2008 09:47PM
farmerdude (subscribe crazytrain com)
Don,

I think you've found the issue - you were acquiring the first partition,
and _not_ the physical device. Remove the partition from your command
and you should be golden, no need to pull the drive.

Cheers!

farmerdude

http://www.forensicbootcd.com

http://www.onlineforensictraining.com

On Mon, 2008-08-11 at 12:11 -0700, DON.RAIKES (at) ORACLE (dot) COM [email concealed] wrote:
> Farmerdude,
>
> Here are the results of the commands you suggested:
>
> blkid:
> /dev/sda1: UUID="D08405CF8405B94C" TYPE="ntfs"
> /dev/sda2: UUID="423B-2BDF" TYPE="vfat"
>
> fdisk:
>
>
> Disk /dev/sda: 40.0 GB, 40007761920 bytes
> 255 heads, 63 sectors/track, 4864 cylinders
> Units = cylinders of 16065 * 512 = 8225280 bytes
> Disk identifier: 0x4b36bdea
>
> Device Boot Start End Blocks Id System
> /dev/sda1 * 463 4863 35351032+ 7 HPFS/NTFS
> /dev/sda2 1 462 3710983+ b W95 FAT32
>
> Partition table entries are not in disk order
>
> While I don't have a usb or firewire drive I can use to clone to directly, I do have an external harddrive enclosure for a laptop drive, so I will be pulling the drive from the laptop and connecting it to my forensics workstation using the enclosure.
>
> I will try cloning the entire drive instead of just the ntfs partition also.
>
> Thanks for the tips.
>
> -----Original Message-----
> From: farmerdude [mailto:subscribe (at) crazytrain (dot) com [email concealed]]
> Sent: Friday, August 08, 2008 6:40 PM
> To: DON.RAIKES (at) ORACLE (dot) COM [email concealed]
> Cc: focus-linux
> Subject: Re: problems cloning a hard drive with dcfldd
>
>
> Don,
>
> Can you provide the output of these commands issued from the laptop
> system;
>
> fdisk -l
>
>
> blkid /dev/sda*
>
>
>
> Instead of blowing across the network, are you able to attach a firewire
> or USB hard drive to the laptop and blow your acquisition file via one
> of those ports locally?
>
>
> Also, based on your dcfldd command, you know that you are acquiring only
> the first partition on the physical device, /dev/sda, yes?
>
> If you want the physical device, remove the number from your command.
> If you want only the partition continue on with your command then!
>
> Cheers!
>
> farmerdude
>
> http://www.forensicbootcd.com
>
> http://www.onlineforensictraining.com
>
>
>

[ reply ]
Re: problems cloning a hard drive with dcfldd Aug 07 2008 05:38PM
Dave Hull (dphull trustedsignal com) (2 replies)
Re: problems cloning a hard drive with dcfldd Aug 08 2008 06:21AM
Andreas Ferrari (aferrari stasoft ch)
RE: problems cloning a hard drive with dcfldd Aug 07 2008 06:48PM
DON RAIKES oracle com


 

Privacy Statement
Copyright 2010, SecurityFocus