Re: Using dd.exe to make forensic images of NTFS drives

  • To: "Sakaba" <[EMAIL PROTECTED]>
  • Subject: Re: Using dd.exe to make forensic images of NTFS drives
  • From: "Volker Tanger" <[EMAIL PROTECTED]>
  • Date: Mon, 11 Aug 2003 10:29:18 +0200
  • Cc: [EMAIL PROTECTED]
  • In-reply-to: <[EMAIL PROTECTED]>
  • Organization: discon GmbH (DeTeWe AG)
  • References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
 
Greetings!

On Sun, 10 Aug 2003 02:04:34 +0900 "Sakaba" <[EMAIL PROTECTED]>
wrote:

> dd.exe if=\\.\f: |nc.exe <forensic machine IP> <port>


I am not sure, but I don't think that the IF= parameter does give a
proper representation of the binary partition. I'd suggest booting from
a Linux CD or disk like Knoppix or TRBT and starting from there. Solves
the problem of locked files/parts when booting Windows, too.


>  I have no probs using dd with linux partitions at all.  

Windows partitions or complete multiboot disks work like a charm for me
(e.g. as documented in http://wyae.de/docs/img_dd.php) - as long as
there are no defective blocks on either source or destination media.

So I guess the IF=<DosDriveLetter> parameter is the guilty one here.

Bye

Volker Tanger
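
Added example, not part of the original post or of the linked document: a sketch of dd imaging from a Linux live environment that tolerates the defective blocks mentioned above and then verifies the copy by hash. It assumes GNU coreutils; the function names, the block size and the constructed sample file standing in for a partition are illustrative.

```shell
#!/usr/bin/env bash
# Added example: dd imaging that survives read errors, then hash verification.
# Assumes GNU coreutils (dd, sha256sum, head, wc). All names are illustrative.

BS=4096   # block size: one unreadable block costs at most BS bytes of zeros

# image SRC DST: copy SRC to DST, continuing past unreadable blocks.
image() {
    # noerror: do not stop at a read error.
    # sync:    pad each short or failed read with NULs to a full block, so
    #          every byte after a bad block stays at its original offset.
    # dd still exits non-zero if it hit read errors; its report goes to DST.log.
    dd if="$1" of="$2" bs="$BS" conv=noerror,sync 2>"$2.log"
}

# sha256_of FILE: hash of the whole file.
sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

# sha256_prefix FILE N: hash of the first N bytes of FILE.
sha256_prefix() { head -c "$2" "$1" | sha256sum | cut -d' ' -f1; }

# verify SRC DST: succeeds if DST, cut back to SRC's length, equals SRC.
# conv=sync also pads the final partial block, so DST can be longer than SRC
# and a hash over the whole image would not match the source hash.
verify() {
    size=$(wc -c < "$1")
    [ "$(sha256_of "$1")" = "$(sha256_prefix "$2" "$size")" ]
}

# Demo on constructed data: a 10000-byte file stands in for the partition.
demo() {
    work=$(mktemp -d)
    yes "constructed sample data" | head -c 10000 > "$work/source.bin"
    image "$work/source.bin" "$work/image.dd"
    echo "source bytes: $(wc -c < "$work/source.bin")"
    echo "image bytes:  $(wc -c < "$work/image.dd")"   # padded to 3 * 4096
    if verify "$work/source.bin" "$work/image.dd"; then
        echo "verified"
    else
        echo "MISMATCH"
    fi
    rm -rf "$work"
}
demo
```

On a real device whose size is a multiple of the block size no trailing padding occurs; where blocks were unreadable, the source can no longer be hashed reliably and the hash of the image becomes the reference value.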


     

