
RE: Using dd.exe to make forensic images of NTFS drives

From: Reava, Jeffrey [IT/0200] <jeffrey.reava(at)pharmacia.com>
Date: Sun Aug 10 2003 - 23:11:04 EDT

The problem may be due to windows locking certain files (Master File Table, etc.) and dd isn't able to copy them.

At startup MS writes a signature to the subject drive, so you won't have the proof the original drive hasn't changed since you first received it. Why not use the linux side of F.I.R.E. for imaging, or pull the drive from the subject machine and plug it into your forensic box -- the difference in speed can be worth the hassle. A 20 gig drive that took about 6 hrs via "nc | .. " took just over 90 minutes using IDE. Better yet, the subject drive is never mounted by the OS so an md5sum of the original disk will match an md5sum of the image.

Jeff

-----Original Message-----
From: Sakaba [mailto:Sakaba@alexandria.cc]
Sent: Saturday, August 09, 2003 1:05 PM
To: forensics@securityfocus.com
Subject: Using dd.exe to make forensic images of NTFS drives

Hi everyone,

I have tried time and time again to make images of my NTFS drives via the dd command in windows.
I use the FIRE cd forensic shell on the windows box and:

dd.exe if=\\.\f: |nc.exe <forensic machine IP> <port>


On my linux box I run:

nc -l -p <port> |dd of=/home/user/ntfs.dd

That all works fine and it makes and transfers the file but then I try to add the file in autopsy and it tells me it's not an NTFS image and consequently doesn't add it.

I tried conv=noerrors and I tried just dumping the file on the linux box without dd on the of= side. I tried different NTFS partitions of different sizes as well. My linux box has the NTFS support kernel mod and everything else about autopsy works fine. Just these NTFS images. I have no probs using dd with linux partitions at all. I'd like to find a solution to this because commercial ware like Encase is outrageously expensive and dd is free making it perfect for my situation.

Thanks,
Sakaba
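Jeff's point that an md5sum of the unmounted source should match an md5sum of the image is the check that tells you whether an acquisition like the dd | nc pipeline above produced a faithful copy. The following is an added example, not code from either poster: it images a source with dd, hashes source and image, records both hashes beside the image, and fails if they differ. The source, function names and the 8 KiB sample file standing in for a drive are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the list thread: image a source with dd and
# confirm the image hashes identically to the unmounted source.

# verify_image SRC IMG: 0 if md5 of SRC and IMG match, 1 otherwise; writes IMG.md5
verify_image() {
    src_hash=$(md5sum "$1" | cut -d' ' -f1)
    img_hash=$(md5sum "$2" | cut -d' ' -f1)
    # hash log kept beside the image, in md5sum's "hash  file" format
    printf '%s  %s\n%s  %s\n' "$src_hash" "$1" "$img_hash" "$2" > "$2.md5"
    [ "$src_hash" = "$img_hash" ]
}

# acquire SRC IMG: raw copy with dd. conv=noerror keeps reading past bad
# sectors; sync pads each short read with zeros so offsets stay aligned, which
# means bs must divide the source size (512 does for any whole-sector device;
# a larger bs on a file that is not a multiple of it would pad the image and
# break the hash comparison).
acquire() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
}

# acquire_and_verify SRC IMG: acquire, then verify; non-zero on any failure
acquire_and_verify() {
    acquire "$1" "$2" || return 2
    verify_image "$1" "$2"
}

# make_sample PATH: constructed 8 KiB stand-in for a drive (a multiple of 512)
make_sample() {
    yes 'constructed sample block' | head -c 8192 > "$1"
}

# stand-alone demo on the constructed sample
demo_dir=$(mktemp -d)
make_sample "$demo_dir/source.img"
if acquire_and_verify "$demo_dir/source.img" "$demo_dir/image.dd"; then
    echo "image verified: $(head -n 1 "$demo_dir/image.dd.md5")"
else
    echo "hash mismatch: image is not a faithful copy" >&2
fi
```

On a real acquisition the source is the unmounted device node, hashed before the copy is started; hashing a partition Windows has mounted and written to, as in the original question, cannot give a matching pair.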



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com




Received on Mon Aug 11 15:24:11 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

