Re: Where are greater risks?

From: Michael H. Warfield (mhwat_private)
Date: Wed Jun 27 2001 - 06:08:21 PDT

    On Wed, Jun 27, 2001 at 10:17:27AM +0100, David Pick wrote:
    
    > > 	If I wanted, for some reason, to dd to another raw disk, I
    > > would have to make sure the geometry was the same (or the partition tables
    > > would not work) and that the drive was as large or larger than the source
    > > drive.  To match the md5 sums with a large target drive, you would then
    > > have to use dd to extract the correct number of blocks (determined by
    > > the block count when the original dd was finished) and pipe it to stdout
    > > and from there to stdin on md5sum.
    
    > LBA mode (if in use!) helps here because with LBA mode the physical drive
    > geometry is not used and a simulated geometry with the number of heads and
    > number of sectors/track set to the maximum allowed by the EIDE interface
    > specifications. This means the only variable item is the number of
    > cylinders.
    
    	Which is exactly what I was saying.  The geometry must match, and
    LBA is a geometry (even if it happens to be an artificial geometry).
    
    > Of course, for forensic examinations you have to be able to cope with
    > any old drive...
    
    	And any idiot who sets up his drive in something other than LBA
    mode.  We don't always get to choose how these things are installed.  Which,
    BTW, is also why I prefer to go to an image file.  From an image file of
    the entire disk, you can also use dd to select out the partitions to other
    files and even mount them in Linux through the loopback device.
    
    > -- 
    > 	David Pick
    
    	Mike
    -- 
     Michael H. Warfield    |  (770) 985-6132   |  mhwat_private
      (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
      NIC whois:  MHW9      |  An optimist believes we live in the best of all
     PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
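
The two dd techniques discussed in this thread, as an added example that is not part of the original messages: hashing only the imaged block count of a larger target, and carving a partition out of a whole-disk image by reading its MBR entry. The function names, file names and tiny sample "disks" are constructed for illustration, and the script assumes an MBR partition table with 512-byte sectors.

```shell
#!/bin/sh
# Added example; helper names are hypothetical and the "disks" are small constructed files.
set -eu
BS=512

# MD5 of the first $2 sectors of $1 ($2 = block count the original dd reported).
md5_first_blocks() {
    dd if="$1" bs="$BS" count="$2" 2>/dev/null | md5sum | cut -d' ' -f1
}

# Little-endian 32-bit value at byte offset $2 of file $1.
le32_at() {
    set -- $(od -An -v -tu1 -j "$2" -N4 "$1")
    echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) ))
}

# Carve MBR primary partition $2 (1-4) of whole-disk image $1 into file $3.
carve_partition() {
    entry=$(( 446 + 16 * ($2 - 1) ))
    start=$(le32_at "$1" $(( entry + 8 )))    # starting LBA
    count=$(le32_at "$1" $(( entry + 12 )))   # length in sectors
    [ "$count" -gt 0 ] || { echo "partition $2 is empty" >&2; return 1; }
    dd if="$1" of="$3" bs="$BS" skip="$start" count="$count" 2>/dev/null
}

# Constructed 64-sector source: one partition at LBA 8, 16 sectors of 'E'.
make_sample_image() {
    dd if=/dev/zero of="$1" bs="$BS" count=64 2>/dev/null
    dd if=/dev/zero bs="$BS" count=16 2>/dev/null | tr '\000' 'E' |
        dd of="$1" bs="$BS" seek=8 conv=notrunc 2>/dev/null
    # type 0x83, unused CHS bytes, start LBA 8, 16 sectors; then the 55 AA signature
    printf '\203\000\000\000\010\000\000\000\020\000\000\000' |
        dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null
}

# Constructed 128-sector target holding stale data, with the source copied over it.
make_larger_copy() {
    dd if=/dev/zero bs="$BS" count=128 2>/dev/null | tr '\000' 'S' > "$2"
    dd if="$1" of="$2" bs="$BS" conv=notrunc 2>/dev/null
}

work=$(mktemp -d)
make_sample_image "$work/src.img"
make_larger_copy "$work/src.img" "$work/target.img"
echo "source md5:          $(md5sum < "$work/src.img" | cut -d' ' -f1)"
echo "target, whole drive: $(md5sum < "$work/target.img" | cut -d' ' -f1)"
echo "target, 64 sectors:  $(md5_first_blocks "$work/target.img" 64)"
carve_partition "$work/src.img" 1 "$work/part1.img"
echo "partition 1 carved:  $(wc -c < "$work/part1.img") bytes"
```

The whole-drive hash of the larger target differs from the source because of the stale trailing sectors, while the hash limited to the source's block count matches. On Linux a carved partition file holding a real filesystem can then be mounted read-only through the loopback device, for example with `mount -o ro,loop`.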
    
    


