Re: Using dd.exe to make forensic images of NTFS drives

From: Volker Tanger <volker.tanger(at)discon.de>
Date: Mon Aug 11 2003 - 04:29:18 EDT

Greetings!

On Sun, 10 Aug 2003 02:04:34 +0900 "Sakaba" <Sakaba@alexandria.cc> wrote:

> dd.exe if=\\.\f: |nc.exe <forensic machine IP> <port>

I am not sure, but I don't think that the IF= parameter gives a proper representation of the binary partition. I'd suggest booting from a Linux CD or disk like Knoppix or TRBT and starting from there. That solves the problem of locked files/parts when booting Windows, too.

> I have no probs using dd with linux partitions at all.

Windows partitions or complete multiboot disks work like a charm for me (e.g. as documented in http://wyae.de/docs/img_dd.php), as long as there are no defective blocks on either the source or the destination media.

So I guess the IF=<DosDriveLetter> parameter is the guilty one here.

Bye

Volker Tanger      



Received on Mon Aug 11 15:29:58 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT