Pantek Library

Re: Using dd.exe to make forensic images of NTFS drives

From: crazytrain <subscribe(at)crazytrain.com>
Date: Sun Aug 10 2003 - 15:37:55 EDT

Sakaba

Which version of Autopsy are you using? Older versions had limited/no support for NTFS, so that *may* be the problem.

Quick question: isn't FIRE a Linux-based bootable CD? Therefore the syntax would be:

dd if=/dev/target_partition | nc XXX.XXX.XXX.XXX port_number

Of course, if it is a Win32 bootable CD, then strike my thought above!

When you run 'file ntfs.dd' in Linux on that created image file, what do you see/get returned?

If you're using a later version of Sleuthkit it supports NTFS, so there is something else wrong. I'd try again with the Linux nc syntax on a tried and tested NTFS partition and try again. Let us know which version of Autopsy you're using.


farmerdude

On Sat, 2003-08-09 at 13:04, Sakaba wrote:
> Hi everyone,
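
The reply above asks what 'file ntfs.dd' reports for the received image. As an added example that is not part of the original thread, the following sketch performs a similar check by hand on sector 0 of a raw image and also compares the file size with the sector count the NTFS boot sector declares, which exposes a transfer that stopped early. The function names and the sample images are constructed for illustration.

```python
import os
import struct
import tempfile

def check_ntfs_image(path):
    """Inspect sector 0 of a raw image; report NTFS geometry and truncation."""
    with open(path, "rb") as fh:
        boot = fh.read(512)
        image_size = fh.seek(0, os.SEEK_END)
    info = {"image_size": image_size, "is_ntfs": False, "problem": None}
    if len(boot) < 512:
        info["problem"] = "image is shorter than one sector"
    elif boot[3:11] != b"NTFS    ":
        # e.g. a whole-disk image starts with the MBR, not an NTFS boot sector
        info["problem"] = "sector 0 has no NTFS OEM ID"
    elif boot[510:512] != b"\x55\xaa":
        info["problem"] = "sector 0 lacks the 0x55AA end marker"
    else:
        # Bytes per sector at 0x0B, sectors per cluster at 0x0D,
        # total sectors in the volume at 0x28 (all little-endian).
        bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
        (total_sectors,) = struct.unpack_from("<Q", boot, 0x28)
        expected = total_sectors * bytes_per_sector  # lower bound for the image
        info.update(is_ntfs=True, bytes_per_sector=bytes_per_sector,
                    sectors_per_cluster=sectors_per_cluster,
                    expected_size=expected)
        if image_size < expected:
            info["problem"] = "image truncated: %d bytes missing" % (expected - image_size)
    return info

def write_sample_image(declared_sectors, written_sectors, oem=b"NTFS    "):
    """Constructed test input: a zero-filled image with a minimal boot sector."""
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x52\x90"
    boot[3:11] = oem
    struct.pack_into("<HB", boot, 0x0B, 512, 8)
    struct.pack_into("<Q", boot, 0x28, declared_sectors)
    boot[510:512] = b"\x55\xaa"
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as fh:
        fh.write(boot)
        fh.write(b"\x00" * 512 * (written_sectors - 1))
    return path

if __name__ == "__main__":
    for declared, written in ((64, 64), (64, 40)):
        sample = write_sample_image(declared, written)
        print(check_ntfs_image(sample))
        os.remove(sample)
```
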



Received on Mon Aug 11 15:37:54 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

