Using dd.exe to make forensic images of NTFS drives

From: Sakaba <Sakaba(at)alexandria.cc>
Date: Sat Aug 09 2003 - 13:04:34 EDT


Hi everyone,

I have tried time and time again to make images of my NTFS drives via the dd command in Windows.
I use the FIRE CD forensic shell on the Windows box and:

dd.exe if=\\.\f: |nc.exe <forensic machine IP> <port>

On my linux box I run:

nc -l -p <port> |dd of=/home/user/ntfs.dd

That all works fine and it makes and transfers the file, but then I try to add the file in Autopsy and it tells me it's not an NTFS image and consequently doesn't add it.

I tried conv=noerrors and I tried just dumping the file on the Linux box without dd on the of= side. I tried different NTFS partitions of different sizes as well. My Linux box has the NTFS support kernel mod and everything else about Autopsy works fine. Just these NTFS images. I have no probs using dd with Linux partitions at all. I'd like to find a solution to this because commercial ware like EnCase is outrageously expensive and dd is free, making it perfect for my situation.

Thanks,
Sakaba
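A first diagnostic an analyst can run on the file that arrives on the Linux side, added here as an example (this is not code from the original post, nor from FIRE, dd, netcat or Autopsy): read the first 512 bytes and check whether the image begins with an NTFS volume boot record or with an MBR partition table, then hash the whole file so the value can be compared with a hash computed on the sending side. It assumes 512-byte sectors and uses only the `struct` and `hashlib` standard-library modules; the sample sectors at the bottom are constructed in memory so the script runs offline.

```python
"""Inspect the first sector of a dd image to tell an NTFS volume image from
a whole-disk (MBR) image, and hash the image for an integrity check.

Added example; not part of the original post or of FIRE/Autopsy/dd.
Sample sectors below are constructed in memory so the script runs offline.
"""
import hashlib
import struct

SECTOR = 512
NTFS_PARTITION_TYPE = 0x07  # MBR type byte used for NTFS (also HPFS/exFAT)


def is_ntfs_boot_sector(sector: bytes) -> bool:
    """An NTFS volume boot record carries the OEM ID 'NTFS    ' at offset 3
    and the 0x55AA signature at offset 510."""
    return (len(sector) >= SECTOR
            and sector[3:11] == b"NTFS    "
            and sector[510:512] == b"\x55\xaa")


def parse_mbr_partitions(sector: bytes):
    """Return (type, lba_start, sector_count) for each used MBR table entry.
    The table starts at offset 446 with four 16-byte entries."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return []
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count != 0:
            parts.append((ptype, lba_start, count))
    return parts


def classify_image(data: bytes) -> dict:
    """Decide what the image starts with so the analyst knows whether to
    hand Autopsy a volume image or a disk image plus a partition offset."""
    first = data[:SECTOR]
    if is_ntfs_boot_sector(first):
        bytes_per_sector, = struct.unpack_from("<H", first, 11)
        total_sectors, = struct.unpack_from("<Q", first, 40)
        return {"kind": "ntfs-volume",
                "bytes_per_sector": bytes_per_sector,
                "total_sectors": total_sectors}
    parts = parse_mbr_partitions(first)
    if parts:
        return {"kind": "mbr-disk",
                "partitions": parts,
                # byte offsets of NTFS-typed partitions inside the image
                "ntfs_offsets": [lba * SECTOR for t, lba, _ in parts
                                 if t == NTFS_PARTITION_TYPE]}
    return {"kind": "unknown"}


def sha256_hex(data: bytes) -> str:
    """Hash to compare against the value computed on the sending side."""
    return hashlib.sha256(data).hexdigest()


# --- constructed sample sectors (not real disk data) ---------------------
def make_ntfs_boot_sector(total_sectors: int) -> bytes:
    s = bytearray(SECTOR)
    s[0:3] = b"\xeb\x52\x90"            # jump instruction seen on real volumes
    s[3:11] = b"NTFS    "
    struct.pack_into("<H", s, 11, 512)  # bytes per sector
    s[13] = 8                           # sectors per cluster
    struct.pack_into("<Q", s, 40, total_sectors)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


def make_mbr(ptype: int, lba_start: int, count: int) -> bytes:
    s = bytearray(SECTOR)
    entry = 446                         # first partition table entry
    s[entry + 4] = ptype
    struct.pack_into("<II", s, entry + 8, lba_start, count)
    s[510:512] = b"\x55\xaa"
    return bytes(s)


if __name__ == "__main__":
    samples = [("volume image", make_ntfs_boot_sector(2048)),
               ("disk image", make_mbr(NTFS_PARTITION_TYPE, 63, 2048)),
               ("truncated/garbage", b"\x00" * 100)]
    for name, img in samples:
        print(name, classify_image(img), sha256_hex(img)[:16])
```

Against a real transfer, `classify_image(open(path, "rb").read(512))` is enough for the classification; the hash should be taken over the whole file and compared with one computed on the Windows side before sending, since a netcat pipe gives no integrity guarantee of its own. An image that reports `mbr-disk` was taken from a whole disk rather than a single volume, and the `ntfs_offsets` value is the byte offset at which the NTFS volume actually begins.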



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sun Aug 10 09:44:10 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT
