Virus.Org Mailing List Archive

Using dd.exe to make forensic images of NTFS drives

  • To: <[EMAIL PROTECTED]>
  • Subject: Using dd.exe to make forensic images of NTFS drives
  • From: "Sakaba" <[EMAIL PROTECTED]>
  • Date: Sun, 10 Aug 2003 02:04:34 +0900
  • In-reply-to: <[EMAIL PROTECTED]>
Hi everyone,

I have tried time and time again to make images of my NTFS drives via the
dd command in Windows.
I use the FIRE CD forensic shell on the Windows box and:

dd.exe if=\\.\f: |nc.exe <forensic machine IP> <port>

On my Linux box I run:

nc -l -p <port> |dd of=/home/user/ntfs.dd

That all works fine and it makes and transfers the file but then I try to
add the file in Autopsy and it tells me it's not an NTFS image and
consequently doesn't add it.

I tried conv=noerrors and I tried just dumping the file on the Linux box
without dd on the of= side.  I tried different NTFS partitions of different
sizes as well.  My Linux box has the NTFS support kernel mod and everything
else about Autopsy works fine.  Just these NTFS images.  I have no probs
using dd with Linux partitions at all.  I'd like to find a solution to this
because commercial ware like EnCase is outrageously expensive and dd is
free making it perfect for my situation.

Thanks,
Sakaba



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
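
A way to check what actually arrived on the Linux side, added here as an example and not part of the original post: it reads the first sector of the received image, tests the NTFS boot sector fields (OEM ID "NTFS" plus four spaces at offset 0x03, end marker 55 AA at offset 0x1FE), and compares the file size with the volume size recorded in the boot sector. The function names and the sample sector are constructed for illustration.

```python
import os
import struct
import sys

SECTOR = 512  # every field checked here sits in the first 512 bytes


def check_ntfs_boot_sector(first_sector: bytes, image_size: int) -> dict:
    """Inspect the first sector of a raw image for NTFS boot sector fields."""
    result = {"oem_id_ok": False, "signature_ok": False,
              "volume_bytes": None, "truncated": None}
    if len(first_sector) < SECTOR:
        return result  # too short to hold a boot sector at all
    # Offset 0x03: 8-byte OEM ID, "NTFS" padded with four spaces.
    result["oem_id_ok"] = first_sector[3:11] == b"NTFS    "
    # Offset 0x1FE: end-of-sector marker 55 AA.
    result["signature_ok"] = first_sector[510:512] == b"\x55\xaa"
    if result["oem_id_ok"]:
        # Offset 0x0B: bytes per sector (u16 LE); 0x28: total sectors (u64 LE).
        (bps,) = struct.unpack_from("<H", first_sector, 0x0B)
        (total,) = struct.unpack_from("<Q", first_sector, 0x28)
        result["volume_bytes"] = bps * total
        # An image shorter than the recorded volume size lost data in transit.
        result["truncated"] = image_size < result["volume_bytes"]
    return result


def check_image(path: str) -> dict:
    """Run the check against an image file such as /home/user/ntfs.dd."""
    with open(path, "rb") as f:
        head = f.read(SECTOR)
    return check_ntfs_boot_sector(head, os.path.getsize(path))


def make_sample_boot_sector(bps: int = 512, total_sectors: int = 2048) -> bytes:
    """Constructed sample: a boot sector holding only the fields checked above."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"            # jump instruction
    s[3:11] = b"NTFS    "               # OEM ID
    struct.pack_into("<H", s, 0x0B, bps)
    struct.pack_into("<Q", s, 0x28, total_sectors)
    s[510:512] = b"\x55\xaa"            # end-of-sector marker
    return bytes(s)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_image(sys.argv[1]))
    else:
        good = make_sample_boot_sector()
        print(check_ntfs_boot_sector(good, 2048 * 512))   # complete image
        print(check_ntfs_boot_sector(good, 1000 * 512))   # short transfer
```

If the OEM ID check fails, comparing a hash of the image with a hash of the source volume computed on the Windows side shows whether the bytes changed during the netcat transfer.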


 