Re: DD -> Netcat NT Imaging

From: Ian Macdonald (secforensicsat_private)
Date: Thu Sep 12 2002 - 13:05:51 PDT


    This also happened on a file about 1 GB. I am using a linux 2.4.18 box as
    the file server. I wonder if it might have something to do with bs=512?
    
    I am running a test at the moment from another linux box to see if I get the
    same kind of error.
    
    Ian
    ----- Original Message -----
    From: "Brian Carrier" <bcarrierat_private>
    To: "Ian Macdonald" <secforensicsat_private>
    Cc: "Estes, Matt CPR / FCBS" <Matt.Estesat_private>;
    <forensicsat_private>
    Sent: Thursday, September 12, 2002 12:52 PM
    Subject: Re: DD -> Netcat NT Imaging
    
    
    > Ian Macdonald (Thu, Sep 12, 2002 at 12:11:06PM -0400):
    >
    > > One problem I have is I get this error /usr/local/task/bin/fls: read
    > > block read error (8192@2148171776):Success
    > > which makes me think that I am not closing the connection properly. How do
    > > people end the netcat session once the DD has reported all the data blocks
    > > that it has read?
    >
    > If dd reported how many records in and out it performed, then you
    > can close the session by just doing a control-c.  You can also use
    > the '-w' flag on the send side of nc to set a timeout and the
    > connection will close after not getting any data for X seconds (it
    > is broken on the windows version though):
    >
    > dd if=/dev/XYZ | nc -w 5 10.0.0.1 9000
    >
    >
    > You can also verify the size of the image by going to 'File System
    > Details' in Autopsy and multiplying the number of fragments and the
    > fragment size.  That should be the same size as your image.
    >
    > It may be just coincidence, but the byte offset in your error is
    > around the 2GB large file limit.  Did your server support large
    > files?
    >
    >
    > > Also I see a lot of files that are in red which means that they are deleted
    > > but all the files have a zero inode. Is it possible to recover deleted
    > > files from a solaris partition?
    >
    > Solaris sets the inode pointer in the directory entry structures to 0
    > when it deletes a file.  So, there is no mapping between the file name
    > and the inode structure.  The inode structure itself has a bunch of
    > fields zeroed, so it would do little good anyway (except give you the
    > time it was deleted).
    >
    > brian
    >
    
    
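The completeness check Brian describes (Autopsy's fragment count times fragment size against the image size on disk), together with his `-w 5` sender command, as an added shell example that is not part of the thread. The function names `send_image`, `receive_image`, `classify_size` and `verify_image` and the constant `LARGE_FILE_LIMIT` are my own, and the `nc -l -p` receiver syntax assumes traditional netcat.

```shell
#!/bin/sh
# Added example, not from the thread: check a "dd | nc" image for the two
# failure modes discussed above. Brian's test is fragment count times
# fragment size (from Autopsy's File System Details) against the image size;
# an image that stops at exactly 2 GB points at the large-file limit.

LARGE_FILE_LIMIT=2147483648   # 2^31 bytes, the classic 2 GB file size limit

# Sender side, as in the thread: -w 5 closes the socket once no more data
# has been sent for 5 seconds, so dd's completion ends the session cleanly.
# (Assumes traditional netcat; option syntax differs in other variants.)
send_image()    { dd if="$1" bs=512 | nc -w 5 "$2" "$3"; }
receive_image() { nc -l -p "$1" > "$2"; }

# classify_size ACTUAL EXPECTED: prints a verdict and returns
# 0 (ok), 1 (truncated) or 2 (oversized).
classify_size() {
    actual=$1; expected=$2
    if [ "$actual" -eq "$expected" ]; then echo ok; return 0; fi
    if [ "$actual" -gt "$expected" ]; then echo oversized; return 2; fi
    if [ "$actual" -eq "$LARGE_FILE_LIMIT" ]; then
        echo truncated-at-2gb   # receiver probably lacks large file support
    else
        echo truncated          # short read: session closed before dd finished?
    fi
    return 1
}

# verify_image IMAGE FRAGMENTS FRAGMENT_SIZE: compare the image on disk with
# the size the file system metadata says it should have.
verify_image() {
    expected=$(( $2 * $3 ))
    actual=$(wc -c < "$1" | tr -d ' ')     # wc -c is portable; stat is not
    if verdict=$(classify_size "$actual" "$expected"); then rc=0; else rc=$?; fi
    echo "$1: $actual bytes, expected $expected -> $verdict" >&2
    return $rc
}

# Usage: sh verify_image.sh IMAGE FRAGMENTS FRAGMENT_SIZE
if [ $# -eq 3 ]; then verify_image "$@"; fi
```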
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    