Bad blocks:
Many (most?) modern disks have the ability to auto-map bad blocks. I know that this works for SCSI disks; I presume that IDE disks are capable of doing the same. Bad blocks are also (as far as I can tell) relatively rare, these days. In any case, if the source machine recognizes a bad block as such, but lets some (dummy?) data through on the copy (rather than returning a fatal error), this shouldn't be a big problem -- since this is what the source machine would see on trying to read that block, and that is what you would like to then see on the clone.

Sparse data:
Just because blocks aren't allocated on a filesystem doesn't mean that there's no forensic data in them. Reasons for this can range from the benign (legitimately deleted files that are now of interest) through to forensically critical (hackers used 'dead' file space to hide data/programs). A hacker who knows a target FS/OS well enough to predict which blocks in a partition are unlikely to be allocated in the near future could easily use that information to build a 'shadow' file system in such dead space.

Using tar:
Using tar to copy a file system doesn't produce very good results from a forensic point of view. A lot of potentially useful information is lost (I don't believe that tar saves ctime information, for example).

As opposed to tar(1), dump(8 or 1) professes to work with some knowledge of the internals of the filesystem it is backing up. Doing a level 0 dump holds out *some* hope of preserving (possibly useful) filesystem data that tar would not -- but dump files would probably not (from what little I understand) be accepted as forensic proof in a criminal trial.

Alvin Oga wrote:
> hi ya
>
>
> copying/cloning a 40GB disk to another 40GB or 60GB or 20GB is
> a good problem...
> -- most people assume that there is no bad block on the disks
> when using DD to copy data .....
> -- dd also copies the entire partition if you do
> dd if=/dev/hda1 of=/dev/hdc1
>
> if the partition is 90% full or fully utilized, it makes sense
> for dd ... if on the other hand you had 10% used partitions, .....
> -- use tar to clone ... you get a safe copy/clone of the master

--
Stephen Samuel +1(604)876-0426 samuelat_private
http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life.
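The bad-block and unallocated-space points in the message above, as an added example that is not part of the original post: a sector-level imager that copies every sector whether or not the filesystem allocates it, zero-fills unreadable sectors so offsets stay aligned, and returns the bad-sector list and a SHA-256 of the image. `FlakyDevice`, `read_sector`, `image_device` and `demo` are hypothetical names, the 512-byte sector size is an assumption, and the "disk" is constructed in memory.

```python
import errno
import hashlib
import io

SECTOR = 512        # assumed sector size
CHUNK = 8 * SECTOR  # size of the fast-path read

class FlakyDevice(io.BytesIO):
    """Constructed stand-in for a raw disk: reads touching a bad sector fail with EIO."""
    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, size=-1):
        first = self.tell() // SECTOR
        last = (self.tell() + max(size, 1) - 1) // SECTOR
        if self.bad_sectors.intersection(range(first, last + 1)):
            raise OSError(errno.EIO, "unreadable sector")
        return super().read(size)

def read_sector(src, offset, length, bad):
    """Read one sector; on error, record it and return zero fill of the same length."""
    try:
        src.seek(offset)
        return src.read(length)
    except OSError:
        bad.append(offset // SECTOR)
        return b"\x00" * length

def image_device(src, dst, total_bytes):
    """Copy every sector, allocated or not; return (sha256 hex, bad sector list)."""
    digest, bad, offset = hashlib.sha256(), [], 0
    while offset < total_bytes:
        want = min(CHUNK, total_bytes - offset)
        try:
            src.seek(offset)
            data = src.read(want)
        except OSError:  # retry sector by sector so only the bad ones are padded
            data = b"".join(read_sector(src, o, min(SECTOR, offset + want - o), bad)
                            for o in range(offset, offset + want, SECTOR))
        dst.write(data)
        digest.update(data)
        offset += want
    return digest.hexdigest(), bad

def demo():
    """Image a constructed 20-sector 'disk' whose sectors 3 and 12 are unreadable."""
    disk = b"".join(bytes([n]) * SECTOR for n in range(1, 21))
    image = io.BytesIO()
    sha, bad = image_device(FlakyDevice(disk, {3, 12}), image, len(disk))
    return image.getvalue(), sha, bad
```

The returned bad-sector list belongs in the case notes next to the hash, since the zero fill in the image is not what was on the platter.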
This archive was generated by hypermail 2b30 : Tue Oct 15 2002 - 17:50:23 PDT