This also happened on a file about 1 GB. I am using a linux 2.4.18 box as the file server. I wonder if it might have something to do with bs=512? I am running a test at the moment from another linux box to see if I get the same kind of error Ian ----- Original Message ----- From: "Brian Carrier" <bcarrierat_private> To: "Ian Macdonald" <secforensicsat_private> Cc: "Estes, Matt CPR / FCBS" <Matt.Estesat_private>; <forensicsat_private> Sent: Thursday, September 12, 2002 12:52 PM Subject: Re: DD -> Netcat NT Imaging > Ian Macdonald (Thu, Sep 12, 2002 at 12:11:06PM -0400): > > > One problem I issue I have is I get this error /usr/local/task/bin/fls: read > > block read error (8192@2148171776):Success > > which makes me think I that I am not closing the connection properly. How do > > people end the netcat session once the DD has reported all the data blocks > > that it has read? > > If dd reported now many records in and out it performed, then you > can close the session by just doing a control-c. You can also use > the '-w' flag on the send side of nc to set a timeout and the > connection will close after not getting any data for X seconds (it > is broken on the windows version though): > > dd if=/dev/XYZ | nc -w 5 10.0.0.1 9000 > > > You can also verify the size of the image by going to 'File System > Details' in Autopsy and multiplying the number of fragments and the > fragment size. That should be the same size as your image. > > It maybe just coincidence, but the byte offset in your error is > around the 2GB large file limit. Did your server support large > files? > > > > Also I see a lot of files that are in red which means that they are deleted > > but I all the files have a zero inode. Is it possible to recover deleted > > files from a solaris partition? > > Solaris sets the inode pointer in the directory entry structures to 0 > when it deletes a file. So, there is no mapping between the file name > and the inode structure. The inode structure itself has a bunch of > fields zeroed, so it would do little good anyway (except give you the > time it was deleted). > > brian > ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Sep 13 2002 - 04:51:57 PDT