Susan-

DD doesn't care what filesystem is on the device you are imaging. Point it either at the raw device or the partition in question and image away.

Linux does support NTFS but (at least in Red Hat's case) the ntfs.o module is not installed by default. You can reconfigure your kernel and recompile to add the support. Once you have done that, do an "insmod ntfs" then specify "-t ntfs" in your mount command.

The Linux NTFS drivers are the result of many hours of hard work and reverse engineering (prompting the current MS lawsuit), however I have personally seen it miss information on a drive. DD imaged the drive fine, but the NTFS driver did not display certain directories, etc. Therefore you may want to verify any critical findings with another technique, and do a cursory check with another tool just to make sure you haven't inadvertently missed anything.

I hope this helps,

Timothy Poole, RHCE

-----Original Message-----
From: Susan Chan Lee [mailto:susan.leeat_private]
Sent: Thursday, January 02, 2003 6:31 AM
To: forensicsat_private
Subject: How to DD NTFS?

Hi - Happy New Year to All.

We all know how to dd a Ext2,3 Fat filesystems from Linux, but can anyone advise how to dd a NTFS partition. My question is 2 fold:

1. From Linux, I am unable to mount the NTFS partitions, so how do I know which /dev/hda* is NTFS etc.
2. If I make a guess and dd /dev/hda4 (which happens to be NTFS), how to mount later? As Linux does not recognise NTFS
3. Any suggestions how to dd NTFS when the system does not have Linux installed, nor do you want to install Linux (or any UNIX for that matter)

Thanks for any help

Susan Chan Lee

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
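Added example, not part of the original thread: one way to tell which partition in a raw dd image is NTFS without mounting anything, by reading the MBR partition table and checking each partition's boot sector for the NTFS OEM ID. The function names and the sample image are constructed for illustration; the code assumes 512-byte sectors and looks only at the four primary MBR entries.

```python
import struct

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "  # 8 bytes at offset 3 of an NTFS boot sector


def build_sample_image():
    """Constructed 4-sector disk image: MBR, one FAT16 and one NTFS partition."""
    img = bytearray(SECTOR * 4)

    def entry(slot, ptype, start, count):
        off = 446 + 16 * slot                      # partition table starts at 446
        img[off + 4] = ptype                       # partition type byte
        struct.pack_into("<II", img, off + 8, start, count)  # LBA start, length

    entry(0, 0x06, 1, 1)                           # FAT16
    entry(1, 0x07, 2, 2)                           # 0x07 is shared by NTFS/HPFS/exFAT
    img[510:512] = b"\x55\xaa"                     # MBR boot signature
    img[SECTOR + 3:SECTOR + 11] = b"MSDOS5.0"
    img[2 * SECTOR + 3:2 * SECTOR + 11] = NTFS_OEM_ID
    return bytes(img)


def find_partitions(image):
    """Return (slot, type, start_lba, sectors, is_ntfs) for each used MBR entry."""
    if len(image) < SECTOR or image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    found = []
    for slot in range(4):
        off = 446 + 16 * slot
        ptype = image[off + 4]
        start, count = struct.unpack_from("<II", image, off + 8)
        if ptype == 0 or count == 0:
            continue                               # unused table entry
        # The type byte alone is ambiguous, so confirm with the boot sector.
        boot = image[start * SECTOR:start * SECTOR + SECTOR]
        found.append((slot + 1, ptype, start, count, boot[3:11] == NTFS_OEM_ID))
    return found


if __name__ == "__main__":
    for slot, ptype, start, count, is_ntfs in find_partitions(build_sample_image()):
        print(f"partition {slot}: type=0x{ptype:02x} start={start} "
              f"sectors={count} ntfs={is_ntfs}")
```

Against a real image, pass the first sectors of the dd output file to find_partitions() instead of the constructed sample; slot N corresponds to /dev/hdaN on the imaged disk.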
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:52:58 PST