Another way to do this is to image to a filesystem that supports large files (BFS or Reiser3.6 come to mind) with a 64bit clean dd and create one file... the complete image (up to 18 Petabytes) then simply use split.

Quick, easy and less math.

Regards -

Andrew Rosen
ASR Data Acquisition & Analysis, LLC - Austin, Texas
====================================================
Voice: 512-918-9227 (GMT -6 hrs)
Fax : 512-918-9393
EMail: andrewat_private
WWW : http://www.asrdata.com
====================================================
The difficulty lies, not in the new ideas,
but in escaping the old ones.
John Maynard Keynes
====================================================

-----Original Message-----
From: James.Holleyat_private [mailto:James.Holleyat_private]
Sent: Tuesday, October 16, 2001 6:58 PM
To: Neil Long
Cc: forensicsat_private
Subject: Re: Re-constructing disks

Neil,

>> Is there any easy way to append from individual CDs to a device file?

Have you tried the skip and count options of dd?

For simplicity, let's assume you have a 6GB IDE hard drive to image attached as /dev/hdd (slave drive on secondary IDE controller) and a 10GB drive to write the image to (mounted at /mnt/evidence1). And let's assume the 6GB "evidence" has exactly 12,582,912 sectors (makes the math easier).

512 bytes per sector x 2048 sectors = 1,048,576 bytes = 1MB
512 bytes per sector x 2097152 sectors = 1,073,741,824 bytes = 1GB

(I know some drive manufacturers advertise that 1GB = 1,000,000,000 bytes, so use that math if you like it better.
1,000,000,000 bytes = 1,953,125 sectors)

(2097152 sectors / GB) x 6GB = 12,582,912 sectors

# Imaging the 1st 600MB of the device into img.1
# bs=1048576 = 1MB
# count=600 counts 600MB into the image
# create a 600MB file called img.1
dd if=/dev/hdd of=/mnt/evidence1/img.1 bs=1048576 count=600
#
# skip the 1st 600MB and then count the next 600MB into img.2
dd if=/dev/hdd bs=1048576 skip=600 count=600 of=/mnt/evidence1/img.2
#
# skip the first 2 600MB blocks and count the next 600MB into img.3
dd if=/dev/hdd bs=1048576 skip=1200 count=600 of=/mnt/evidence1/img.3
#
# continue to use skip and count to break evidence into 600MB chunks
dd if=/dev/hdd bs=1048576 skip=1800 count=600 of=/mnt/evidence1/img.4
dd if=/dev/hdd bs=1048576 skip=2400 count=600 of=/mnt/evidence1/img.5
dd if=/dev/hdd bs=1048576 skip=3000 count=600 of=/mnt/evidence1/img.6
dd if=/dev/hdd bs=1048576 skip=3600 count=600 of=/mnt/evidence1/img.7
dd if=/dev/hdd bs=1048576 skip=4200 count=600 of=/mnt/evidence1/img.8
dd if=/dev/hdd bs=1048576 skip=4800 count=600 of=/mnt/evidence1/img.9
dd if=/dev/hdd bs=1048576 skip=5400 count=600 of=/mnt/evidence1/img.10
#
# you have now imaged 6000 of the 1MB chunks
# end script for 10GB drive

You can take this idea out to 60GB if you want. It's just math using skip and count options.

Then burn each .img file to a CD-ROM.

Then to restore the image to a suitable hard drive at /dev/hdc, use the following command lines (can't use a script since you are mounting and umounting a CD each time), assuming you mount the CD containing the .img file to /mnt/cdrom.
(You can use a script if you restore directly from the /mnt/evidence1 drive.)

# use dd to restore the first 600MB from img.1 to /dev/hdc
dd if=/mnt/cdrom/img.1 of=/dev/hdc
#
# umount cdrom with img.1 and mount cdrom with img.2
# use seek=600 on /dev/hdc to skip over 1st restored 600MB and lay down next 600MB
dd if=/mnt/cdrom/img.2 of=/dev/hdc bs=1048576 seek=600
#
# use seek=1200 to skip over first 1.2G of restored image and lay down next 600MB
dd if=/mnt/cdrom/img.3 of=/dev/hdc bs=1048576 seek=1200
#
# etc. with seek to skip over restored data on /dev/hdc and lay down next 600MB chunk of image
dd if=/mnt/cdrom/img.4 of=/dev/hdc bs=1048576 seek=1800
dd if=/mnt/cdrom/img.5 of=/dev/hdc bs=1048576 seek=2400
dd if=/mnt/cdrom/img.6 of=/dev/hdc bs=1048576 seek=3000
dd if=/mnt/cdrom/img.7 of=/dev/hdc bs=1048576 seek=3600
dd if=/mnt/cdrom/img.8 of=/dev/hdc bs=1048576 seek=4200
dd if=/mnt/cdrom/img.9 of=/dev/hdc bs=1048576 seek=4800
#
# and finally, use seek=5400 to skip over the first 5.4GB of restored data on /dev/hdc and lay down last 600MB of image
dd if=/mnt/cdrom/img.10 of=/dev/hdc bs=1048576 seek=5400
# now the entire 6GB is restored

Very simplistic, I know. There are a few more command line options you should probably use as well, but you get the basic idea of using skip, count and seek with dd.

James

==============================
James O. Holley
Ernst & Young
Litigation Advisory Services &
Computer Forensic Services
http://litigation.ey.com
Office: 703.747.1059
Fax: 703.747.0104
Pager: 888.620.5275
Pager email: 6205275at_private
==============================

______________________________________________________________________
The information contained in this message may be privileged and confidential and protected from disclosure.
If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. Ernst & Young LLP

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
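
Added example, not part of either message: the skip/count/seek arithmetic above as a script that derives the number of chunks from the source size, so a remainder past the last full chunk gets its own image file (12,582,912 sectors is 6144 blocks of 1MB, and ten 600MB chunks cover 6000 of them), and compares digests after the restore. Regular files built from constructed random data stand in for /dev/hdd and /dev/hdc; split_image, restore_image and digest are names made up for this sketch.

```shell
#!/bin/sh
# Added example. Regular files stand in for the evidence and target drives.
BS=1048576   # 1MB blocks, as in the message

digest() {   # SHA-256 where available, POSIX cksum otherwise
    if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1"
    else cksum < "$1"; fi | cut -d' ' -f1
}

# split_image SRC OUTDIR CHUNK_BLOCKS -> writes OUTDIR/img.N, prints chunk count.
# For a real block device take the size from `blockdev --getsize64` instead of wc.
split_image() {
    src=$1; out=$2; chunk=$3
    bytes=$(wc -c < "$src")
    blocks=$(( (bytes + BS - 1) / BS ))   # round up: keep a partial tail block
    n=0; skip=0
    while [ "$skip" -lt "$blocks" ]; do
        n=$((n + 1))
        dd if="$src" of="$out/img.$n" bs="$BS" skip="$skip" count="$chunk" 2>/dev/null
        skip=$((skip + chunk))
    done
    echo "$n"
}

# restore_image DIR NCHUNKS CHUNK_BLOCKS DST -> lays each chunk down at its offset.
restore_image() {
    dir=$1; n=$2; chunk=$3; dst=$4; i=1
    while [ "$i" -le "$n" ]; do
        dd if="$dir/img.$i" of="$dst" bs="$BS" seek=$(( (i - 1) * chunk )) \
           conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
}

# Constructed sample: 6,500,000 random bytes, split into 2MB chunks.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/src.dd" bs=1000 count=6500 2>/dev/null
chunks=$(split_image "$work/src.dd" "$work" 2)
restore_image "$work" "$chunks" 2 "$work/dst.dd"
echo "chunks=$chunks"
echo "source   $(digest "$work/src.dd")"
echo "restored $(digest "$work/dst.dd")"
```

The two digests match only when every chunk, including the short final one, has been laid down at its seek offset.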
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 04:11:21 PDT