Guys.. uhmm.. the point of taking a forensic image is to preserve the integrity of the original evidence while being able to muck about and analyze the data on an image. Why double your work? Ultimately the images should be written to CD and stored for the duration of the trial at the least.. write it to a file on your secondary drive, use the split utility to make separate CD size images, burn them, reimage onto your analysis drive and bang away. And for god's sake, do sanitize your drives before reimaging and analyzing the data, especially if they are of a larger capacity than the original..

On Wed, 27 Jun 2001 09:08:21 -0400, "Michael H. Warfield" <mhwat_private> wrote :

> On Wed, Jun 27, 2001 at 10:17:27AM +0100, David Pick wrote:
>
> > > If I wanted, for some reason, to dd to another raw disk, I
> > > would have to make sure the geometry was the same (or the partition tables
> > > would not work) and that the drive was as large or larger than the source
> > > drive. To match the md5 sums with a large target drive, you would then
> > > have to use dd to extract the correct number of blocks (determined by
> > > the block count when the original dd was finished) and pipe it to stdout
> > > and from there to stdin on md5sum.
> >
> > LBA mode (if in use!) helps here because with LBA mode the physical drive
> > geometry is not used and a simulated geometry with the number of heads and
> > number of sectors/track set to the maximum allowed by the EIDE interface
> > specifications. This means the only variable item is the number of
> > cylinders.
>
> Which is exactly what I was saying. The geometry must match, and
> LBA is a geometry (even if it happens to be an artificial geometry).
>
> > Of course, for forensic examinations you have to be able to cope with
> > any old drive...
>
> And any idiot who sets up his drive in something other than LBA
> mode. We don't always get to choose how these things are installed. Which,
> BTW, is also why I prefer to go to an image file. From an image file of
> the entire disk, you can also use dd to select out the partitions to other
> files and even mount them in Linux through the loopback device.
>
> > --
> > David Pick
>
> Mike
> --
> Michael H. Warfield | (770) 985-6132 | mhwat_private
> (The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
> NIC whois: MHW9 | An optimist believes we live in the best of all
> PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
>
> -----------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com

--
Sent with Antiplur webmail: http://www.antiplur.com
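
The workflow discussed in this message (image to a file, split into media-sized pieces, re-image onto a sanitized larger drive, then hash only the original block count), as an added example that is not part of the original post. The files, the 1 MiB piece size and the variable names are constructed stand-ins for real drives and CD-sized pieces.

```sh
#!/bin/sh
# Added example. Constructed files stand in for the evidence and analysis drives.
set -eu

md5_stdin() { md5sum | cut -d' ' -f1; }

# Count non-zero bytes past the imaged area (stale data from earlier use).
residue() { dd if="$1" bs=1024 skip="$2" 2>/dev/null | tr -d '\000' | wc -c | tr -d ' '; }

run_demo() {
    work=$(mktemp -d)
    blocks=3072                       # 1 KiB blocks copied from the "source drive"
    dd if=/dev/urandom of="$work/source.img" bs=1024 count="$blocks" 2>/dev/null
    SRC_MD5=$(md5_stdin < "$work/source.img")

    # Split into media-sized pieces (1 MiB here; CD-sized in practice) and
    # confirm the pieces reassemble to the same hash before relying on them.
    split -b 1048576 "$work/source.img" "$work/piece."
    PIECES=$(ls "$work"/piece.* | wc -l | tr -d ' ')
    JOINED_MD5=$(cat "$work"/piece.* | md5_stdin)

    # A larger "analysis drive" (5 MiB) that still holds data from earlier use.
    dd if=/dev/urandom of="$work/target.img" bs=1024 count=5120 2>/dev/null
    cat "$work"/piece.* | dd of="$work/target.img" bs=1024 conv=notrunc 2>/dev/null
    DIRTY_RESIDUE=$(residue "$work/target.img" "$blocks")

    # Sanitize first (zero fill), then re-image from the pieces.
    dd if=/dev/zero of="$work/target.img" bs=1024 count=5120 2>/dev/null
    cat "$work"/piece.* | dd of="$work/target.img" bs=1024 conv=notrunc 2>/dev/null
    CLEAN_RESIDUE=$(residue "$work/target.img" "$blocks")

    # The whole larger target never matches the source hash;
    # the first $blocks blocks, extracted with dd, must.
    WHOLE_MD5=$(md5_stdin < "$work/target.img")
    FIRST_MD5=$(dd if="$work/target.img" bs=1024 count="$blocks" 2>/dev/null | md5_stdin)
    rm -rf "$work"
}

run_demo
echo "source=$SRC_MD5 pieces=$PIECES joined=$JOINED_MD5"
echo "first-$blocks-blocks=$FIRST_MD5 whole-target=$WHOLE_MD5"
echo "residue past image: unsanitized=$DIRTY_RESIDUE sanitized=$CLEAN_RESIDUE"
```

On real media the block count comes from what dd reports when the original acquisition finishes, as the quoted message says.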
This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 07:41:57 PDT