On Mon, Oct 14, 2002 at 01:28:38AM -0700, Alvin Oga wrote: > -- am just saying dd is good for copying partitions that are mostly > full ... if the partition is 10% used... you'd be copying 90% of stuff > that is never needed/used ... and perhaps the idea of the forensics includes trying to discover files and their contents that have been deleted. tar(1) has its uses, dd(1) has its uses, and they sometimes overlap, sometimes not. > yup.... if one creates a file "this is a file" in foo.txt > > the remaining 500 bytes of the block is left unused ... lots of > room for hacking code to be piggy backed and undetected (It is often worse than this; filesystems such as ext2 will dedicate three more disk blocks to the file, even though the file doesn't yet need the blocks... some other unix filesystems can allocate disk block units for small files, but some "common wisdom" suggests that it isn't worth the extra filesystem code and special cases required to make it work...) > i do NOT know anybody that does a bad-block check on tehir disks > before they use it You can put me at the head of the list of people who run bad-block checks on their drives -- spending a few hours to try to populate the bad-block table with bad-blocks _before_ putting data on those blocks sounds like a reasonable enough use of time to me. Cheers -- http://sardonix.org/
This archive was generated by hypermail 2b30 : Mon Oct 14 2002 - 10:42:39 PDT