On Wed, Apr 02, 2003 at 08:19:37AM +0200, Grega Bremec wrote: > ...and on Tue, Apr 01, 2003 at 08:31:10AM -0800, Sabol, Paul used the keyboard: > You should check out the partition table using "fdisk -l /dev/hdc", > then "dd if=/dev/hdc1 ..." if the NTFS partition is the first and/or > the only one on that disk, or use the corresponding partition number. Paul, I agree that you likely grabbed the entire disk instead of the partitions. I wrote an article in the last Sleuth Kit Informer about extracting partitions from a disk image using 'dd' and 'fdisk' that provides more info on doing this on a Linux system. http://www.sleuthkit.org/informer/sleuthkit-informer-2.html#split http://sleuthkit.sourceforge.net/informer/sleuthkit-informer-2.html#split brian ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Apr 02 2003 - 07:54:47 PST