RE: How to DD NTFS?

From: Timothy Poole (tpooleat_private)
Date: Thu Jan 02 2003 - 05:01:11 PST

Next message: Susan Chan Lee: "How to DD NTFS?"

Previous message: Matt: "RE: How to DD NTFS?"
Next in thread: Golomb, Gary: "RE: How to DD NTFS?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Susan-

DD doesn't care what filesysytem is on the device you are imaging.  Point it
either at the raw device or the partition in question and image away.

Linux does support NTFS but (at least in Red Hat's case) the ntfs.o module
is not installed by default.  You can reconfigure your kernel and recompile
to add the support.  Once you have done that, do an "insmod ntfs" then
specify "-t ntfs" in your mount command.

The linux ntfs drivers are the result of many hours of hard work and reverse
engineering (prompting the current MS lawsuit), however I have personally
seen it miss information on a drive.  DD imaged the drive fine, but the NTFS
driver did not display certain directories, etc.  Therefore you may want to
verify any critical findings with another technique, and do a cursory check
with another tool just to make sure you haven't inadvertently missed
anything.

I hope this helps,

Timothy Poole, RHCE

-----Original Message-----
From: Susan Chan Lee [mailto:susan.leeat_private]
Sent: Thursday, January 02, 2003 6:31 AM
To: forensicsat_private
Subject: How to DD NTFS?


Hi - Happy New Year to All.

We all know how to dd a Ext2,3 Fat filesystems from Linux, but can
anyone advise how to dd a NTFS partition. My question is 2 fold:

1. From Linux, I am unable to mount the NTFS partitions, so how do I
know which /dev/hda* is NTFS etc..
2. If I make a guess and dd /dev/hda4 (which happens to NTFS), how to
mount later? As Linux does not recognise NTFS
3. Any suggestions how to dd NTFS when the system does not have Linux
installed, nor do you want to install Linux (or any UNIX for that
matter)

Thanks for any help
Susan Chan Lee



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com




-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Susan Chan Lee: "How to DD NTFS?"
Previous message: Matt: "RE: How to DD NTFS?"
Next in thread: Golomb, Gary: "RE: How to DD NTFS?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:52:58 PST