Virus.Org IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

 
. Welcome to the Virus.Org Mailing List Archive  
.
.


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


RE: Using dd.exe to make forensic images of NTFS drives
.

  • To: Sakaba <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
  • Subject: RE: Using dd.exe to make forensic images of NTFS drives
  • From: "Reava, Jeffrey [IT/0200]" <[EMAIL PROTECTED]>
  • Date: Sun, 10 Aug 2003 23:11:04 -0400
.
 
The problem may be due to windows locking certain files (Master File Table,
etc.) and dd isn't able to copy them.

At startup MS writes a signature to the subject drive, so you won't have the
proof the original drive hasn't changed since you first received it. Why not
use the linux side of F.I.R.E. for imaging, or pull the drive from the
subject machine and plug it into your forensic box -- the difference in
speed can be worth the hassle. A 20 gig drive that took about 6 hrs via "nc
| .. " took just over 90 minutes using IDE. Better yet, the subject drive is
never mounted by the OS so an md5sum of the original disk will match an
md5sum of the image.

Jeff


-----Original Message-----
From: Sakaba [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 09, 2003 1:05 PM
To: [EMAIL PROTECTED]
Subject: Using dd.exe to make forensic images of NTFS drives


Hi everyone,

I have tried time and time again to make images of my NTFS drives via the
dd command in windows.
I use the FIRE cd forensic shell on the windows box and:

dd.exe if=\\.\f: |nc.exe <forensic machine IP> <port>

On my linux box I run:

nc -l -p <port> |dd of=/home/user/ntfs.dd

That all works fine and it makes and transfers the file but then I try to
add the file in autopsy and it tells me its not an NTFS image and
consequently doesn't add it.

I tried conv=noerrors and I tried just dumping the file on the linux box
without dd on the of= side.  I tried different NTFS partitions of different
sizes as well.  My linux box has the NTFS support kernel mod and everything
else about autopsy works fine.  Just these NTFS images.  I have no probs
using dd with linux partitions at all.  I'd like to find a solution to this
because commerical ware like Encase is outrageously expensive and dd is
free making it perfect for my situation.

Thanks,
Sakaba



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

This communication is intended solely for the use of the addressee and may
contain information that is legally privileged, confidential or exempt from
disclosure.  If you are not the intended recipient, please note that any 
dissemination, distribution, or copying of this communication is strictly 
prohibited.  Anyone who receives this message in error should notify the 
sender immediately and delete it from his or her computer.


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
 
.
.
 
Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.