Re: Re-constructing disks

From: James.Holleyat_private
Date: Tue Oct 16 2001 - 16:58:17 PDT


    >> Is there any easy way to append from individual CDs to a device file?
    Have you tried the skip and count options of dd?
    For simplicity, let's assume you have a 6GB IDE hard drive to image
    attached as /dev/hdd (slave drive on secondary IDE controller) and a 10GB
    drive to write the image to (mounted at /mnt/evidence1). And let's assume
    the 6GB "evidence" has exactly 12,582,912 sectors (makes the math easier).
            512 bytes per sector x 2048 sectors = 1,048,576 bytes = 1MB
            512 bytes per sector x 2097152 sectors = 1,073,741,824 bytes = 1GB
            (I know some drive manufacturers advertise that 1GB = 1,000,000,000 bytes,
            so use that math if you like it better. 1,000,000,000 bytes = 1,953,125 sectors)
            (2097152 sectors / GB) x 6GB = 12,582,912 sectors
    # Imaging the 1st 600MB of the device into img.1
    # bs=1048576 = 1MB
    # count=600 counts 600MB into the image
    # create a 600MB file called img.1
    dd if=/dev/hdd of=/mnt/evidence1/img.1 bs=1048576 count=600
    # skip the 1st 600MB  and then count the next 600MB into img.2
    dd if=/dev/hdd bs=1048576 skip=600 count=600 of=/mnt/evidence1/img.2
    # skip the first 2 600MB blocks and count the next 600MB into img.3
    dd if=/dev/hdd bs=1048576 skip=1200 count=600 of=/mnt/evidence1/img.3
    # continue to use skip and count to break evidence into 600MB chunks
    dd if=/dev/hdd bs=1048576 skip=1800 count=600 of=/mnt/evidence1/img.4
    dd if=/dev/hdd bs=1048576 skip=2400 count=600 of=/mnt/evidence1/img.5
    dd if=/dev/hdd bs=1048576 skip=3000 count=600 of=/mnt/evidence1/img.6
    dd if=/dev/hdd bs=1048576 skip=3600 count=600 of=/mnt/evidence1/img.7
    dd if=/dev/hdd bs=1048576 skip=4200 count=600 of=/mnt/evidence1/img.8
    dd if=/dev/hdd bs=1048576 skip=4800 count=600 of=/mnt/evidence1/img.9
    dd if=/dev/hdd bs=1048576 skip=5400 count=600 of=/mnt/evidence1/img.10
    # you have now imaged 6000 of the 1MB chunks
    # end script for 10GB drive
    You can take this idea out to 60GB if you want. It's just math using skip
    and count options.
    Then burn each .img file to a CD-ROM
    Then to restore the image to a suitable hard drive at /dev/hdc, use the
    following command lines (can't use a script since you are mounting and
    unmounting a CD each time), assuming you mount the CD containing the .img
    file to /mnt/cdrom. (You can use a script if you restore directly from the
    /mnt/evidence1 drive.)
    # use dd to restore the first 600MB from img.1 to /dev/hdc
    dd if=/mnt/cdrom/img.1 of=/dev/hdc
    # umount cdrom with img.1 and mount cdrom with img.2
    # use seek=600 on /dev/hdc to skip over 1st restored 600MB and lay down
    # next 600MB
    dd if=/mnt/cdrom/img.2 of=/dev/hdc bs=1048576 seek=600
    # use seek=1200 to skip over first 1.2G of restored image and lay down
    # next 600MB
    dd if=/mnt/cdrom/img.3 of=/dev/hdc bs=1048576 seek=1200
    # etc. etc. with seek to skip over restored data on /dev/hdc and lay down
    # next 600MB chunk of image
    dd if=/mnt/cdrom/img.4 of=/dev/hdc bs=1048576 seek=1800
    dd if=/mnt/cdrom/img.5 of=/dev/hdc bs=1048576 seek=2400
    dd if=/mnt/cdrom/img.6 of=/dev/hdc bs=1048576 seek=3000
    dd if=/mnt/cdrom/img.7 of=/dev/hdc bs=1048576 seek=3600
    dd if=/mnt/cdrom/img.8 of=/dev/hdc bs=1048576 seek=4200
    dd if=/mnt/cdrom/img.9 of=/dev/hdc bs=1048576 seek=4800
    # and finally, use seek=5400 to skip over the first 5.4GB of restored data
    # on /dev/hdc and lay down last 600MB of image
    dd if=/mnt/cdrom/img.10 of=/dev/hdc bs=1048576 seek=5400
    # now the entire 6GB is restored
    Very simplistic, I know. There are a few more command line options you
    should probably use as well, but you get the basic idea of using skip,
    count and seek with dd.
    James O. Holley
    Ernst & Young
    Litigation Advisory Services &
    Computer Forensic Services
    Office:   703.747.1059
    Fax:       703.747.0104
    Pager:   888.620.5275
    Pager email: 6205275at_private
    The information contained in this message may be privileged and
    confidential and protected from disclosure.  If the reader of this message
    is not the intended recipient, or an employee or agent responsible for
    delivering this message to the intended recipient, you are hereby notified
    that any dissemination, distribution or copying of this communication is
    strictly prohibited. If you have received this communication in error,
    please notify us immediately by replying to the message and deleting it
    from your computer.  Thank you.  Ernst & Young LLP
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
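An added example, not part of James Holley's post: the same skip/count/seek arithmetic as a POSIX shell script that derives the number of chunks from the source size instead of writing each dd line out by hand, records a hash of every chunk as it is written, and checks the reassembled copy against the original. It assumes dd, wc and cmp from GNU coreutils or busybox (sha256sum if present, cksum otherwise), and the function and file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): chunked dd acquisition and
# restore generalised from the post's skip/count/seek arithmetic.
set -e

BS=1048576   # 1 MiB blocks, as in the post (bs=1048576)

# Hash a file at acquisition time so each burned chunk can be checked later
# (sha256sum assumed; falls back to POSIX cksum if it is missing).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1; fi
}

# image_chunks SRC OUTDIR CHUNK_MB: copy SRC into OUTDIR/img.1, img.2, ...
# of CHUNK_MB MiB each (the last one shorter). Prints the chunk count.
# Note: do not add conv=noerror,sync here unless the drive is failing, and
# then use a small bs, because sync pads the final partial block with NULs.
image_chunks() {
    src=$1; out=$2; chunk=$3
    total=$(( $(wc -c < "$src") ))       # arithmetic strips wc's padding
    n=0
    while [ $(( n * chunk * BS )) -lt "$total" ]; do
        n=$(( n + 1 ))
        # skip = input blocks already copied by the previous chunks
        dd if="$src" of="$out/img.$n" bs=$BS \
           skip=$(( (n - 1) * chunk )) count="$chunk" 2>/dev/null
        echo "$(hash_file "$out/img.$n")  img.$n" >> "$out/manifest.txt"
    done
    echo "$n"
}

# restore_chunks OUTDIR DST CHUNK_MB N: lay img.1..img.N back down on DST.
# conv=notrunc matters when DST is a regular file; on a block device it is a no-op.
restore_chunks() {
    out=$1; dst=$2; chunk=$3; n=$4
    i=1
    while [ "$i" -le "$n" ]; do
        # seek = output blocks already restored, exactly as in the post
        dd if="$out/img.$i" of="$dst" bs=$BS \
           seek=$(( (i - 1) * chunk )) conv=notrunc 2>/dev/null
        i=$(( i + 1 ))
    done
}

# verify_image SRC DST: succeeds only if the restored copy is byte-identical.
verify_image() { cmp -s "$1" "$2"; }
```

Running the loop against a constructed 5,550,080-byte file with 2 MiB chunks yields three chunk files, the last 1,355,776 bytes long, and a restored copy that cmp reports identical.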

    This archive was generated by hypermail 2b30 : Wed Oct 17 2001 - 04:23:37 PDT