Re: Using dd.exe to make forensic images of NTFS drives |  |
- To: [EMAIL PROTECTED]
- Subject: Re: Using dd.exe to make forensic images of NTFS drives
- From: crazytrain <[EMAIL PROTECTED]>
- Date: 10 Aug 2003 15:37:55 -0400
- In-reply-to: <[EMAIL PROTECTED]>
- Organization:
- References: <[EMAIL PROTECTED]>
- Reply-to: [EMAIL PROTECTED]
Sakaba
which version of Autopsy are you using? Older versions had limited/no
support for NTFS, so that *may* be the problem.
Quick question, isn't FIRE a Linux based bootable cd? Therefore the
syntax would be:
dd if=/dev/target_partition | nc XXX.XXX.XXX.XXX port_number
Of course if it is a Win32 Bootable cd then strike my thought above!
When you run 'file ntfs.dd' in Linux on that created image file, what do
you see/get returned?
If you're using a later version of Sleuthkit it supports NTFS, so there
is something else wrong. I'd try again with the Linux nc syntax on a
tried and tested NTFS partition and try again. Let us know which
version of Autopsy you're using.
farmerdude
On Sat, 2003-08-09 at 13:04, Sakaba wrote:
> Hi everyone,
>
> I have tried time and time again to make images of my NTFS drives via the
> dd command in windows.
> I use the FIRE cd forensic shell on the windows box and:
>
> dd.exe if=\\.\f: |nc.exe <forensic machine IP> <port>
>
> On my linux box I run:
>
> nc -l -p <port> |dd of=/home/user/ntfs.dd
>
> That all works fine and it makes and transfers the file but then I try to
> add the file in autopsy and it tells me its not an NTFS image and
> consequently doesn't add it.
>
> I tried conv=noerrors and I tried just dumping the file on the linux box
> without dd on the of= side. I tried different NTFS partitions of different
> sizes as well. My linux box has the NTFS support kernel mod and everything
> else about autopsy works fine. Just these NTFS images. I have no probs
> using dd with linux partitions at all. I'd like to find a solution to this
> because commercial ware like Encase is outrageously expensive and dd is
> free making it perfect for my situation.
>
> Thanks,
> Sakaba
>
>
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
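The `file ntfs.dd` check suggested in the reply, done in code, added here as an example that comes from neither poster: it reads the first sector of a dd image and reports whether it carries an NTFS boot sector (a volume image, which is what imaging `\\.\f:` should produce) or an MBR partition table (a whole-disk image, where the NTFS volume begins at the partition's LBA offset). The sample sectors are constructed, not captured from a real drive.

```python
import struct

NTFS_OEM_ID = b"NTFS    "      # 8-byte OEM ID at offset 3 of an NTFS boot sector
BOOT_SIGNATURE = b"\x55\xaa"   # at offset 510 of both an MBR and an NTFS boot sector


def parse_ntfs_boot_sector(sector):
    """Return key BPB fields if the 512 bytes are an NTFS boot sector, else None."""
    if len(sector) < 512 or sector[3:11] != NTFS_OEM_ID or sector[510:512] != BOOT_SIGNATURE:
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 11)
    total_sectors, mft_cluster = struct.unpack_from("<QQ", sector, 40)
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors, "mft_cluster": mft_cluster}


def parse_mbr_partitions(sector):
    """Return the used entries of a classic MBR partition table (empty if no signature)."""
    if len(sector) < 512 or sector[510:512] != BOOT_SIGNATURE:
        return []
    parts = []
    for i in range(4):
        # entry layout: status, CHS start, type, CHS end, LBA start, LBA count
        ptype, lba_start, lba_count = struct.unpack_from("<B3xII", sector, 446 + 16 * i + 4)
        if ptype and lba_count:
            parts.append({"index": i, "type": ptype, "lba_start": lba_start, "lba_count": lba_count})
    return parts


def classify_image_header(sector):
    """Classify the first sector of an image: NTFS volume, MBR disk, or unknown."""
    if parse_ntfs_boot_sector(sector):      # checked first: a boot sector also ends in 55AA
        return "ntfs-volume"
    if parse_mbr_partitions(sector):
        return "mbr-disk"
    return "unknown"


def inspect_image(path):
    """Read the first sector of an image file on disk and classify it."""
    with open(path, "rb") as fh:
        return classify_image_header(fh.read(512))


# Constructed samples (not captured from a real drive).
SAMPLE_NTFS = bytearray(512)
SAMPLE_NTFS[0:11] = b"\xeb\x52\x90" + NTFS_OEM_ID
struct.pack_into("<HB", SAMPLE_NTFS, 11, 512, 8)            # 512 B/sector, 8 sectors/cluster
struct.pack_into("<QQ", SAMPLE_NTFS, 40, 20971519, 786432)  # total sectors, $MFT cluster
SAMPLE_NTFS[510:512] = BOOT_SIGNATURE

SAMPLE_MBR = bytearray(512)                                  # one NTFS (0x07) partition at LBA 63
struct.pack_into("<B3xB3xII", SAMPLE_MBR, 446, 0x80, 0x07, 63, 20971520)
SAMPLE_MBR[510:512] = BOOT_SIGNATURE

if __name__ == "__main__":
    print(classify_image_header(SAMPLE_NTFS), parse_ntfs_boot_sector(SAMPLE_NTFS))
    print(classify_image_header(SAMPLE_MBR), parse_mbr_partitions(SAMPLE_MBR))
```

For an "mbr-disk" result, the volume Autopsy expects starts at `lba_start * 512` bytes into the image, not at byte 0.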