The problem may be due to Windows locking certain files (Master File Table, etc.) and dd isn't able to copy them. At startup MS writes a signature to the subject drive, so you won't have the proof the original drive hasn't changed since you first received it.

Why not use the Linux side of F.I.R.E. for imaging, or pull the drive from the subject machine and plug it into your forensic box -- the difference in speed can be worth the hassle. A 20 gig drive that took about 6 hrs via "nc | .." took just over 90 minutes using IDE. Better yet, the subject drive is never mounted by the OS, so an md5sum of the original disk will match an md5sum of the image.

Jeff

-----Original Message-----
From: Sakaba [mailto:Sakabaat_private]
Sent: Saturday, August 09, 2003 1:05 PM
To: forensicsat_private
Subject: Using dd.exe to make forensic images of NTFS drives

Hi everyone,

I have tried time and time again to make images of my NTFS drives via the dd command in Windows. I use the FIRE CD forensic shell on the Windows box and:

    dd.exe if=\\.\f: | nc.exe <forensic machine IP> <port>

On my Linux box I run:

    nc -l -p <port> | dd of=/home/user/ntfs.dd

That all works fine and it makes and transfers the file, but then I try to add the file in Autopsy and it tells me it's not an NTFS image and consequently doesn't add it. I tried conv=noerrors and I tried just dumping the file on the Linux box without dd on the of= side. I tried different NTFS partitions of different sizes as well. My Linux box has the NTFS support kernel mod and everything else about Autopsy works fine. Just these NTFS images. I have no probs using dd with Linux partitions at all.

I'd like to find a solution to this because commercial ware like EnCase is outrageously expensive and dd is free, making it perfect for my situation.

Thanks,
Sakaba

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 12:23:35 PDT
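Jeff's point that an md5sum of the unmounted original disk must match an md5sum of its image, as an added worked example that is not from either post. It images a constructed 32 KiB file in place of \\.\f: or a raw device and assumes GNU coreutils dd and md5sum; the dd option is conv=noerror (no trailing "s").

```shell
#!/bin/sh
# Added example, not from the list posts: image a source with dd and prove the
# image matches the original by comparing md5sums, as Jeff describes.
# Assumption: GNU coreutils dd/md5sum; the source is a block device or file that
# is NOT mounted while it is read, otherwise the two hashes will not match.

# make_image SRC IMG: copy SRC to IMG with dd.
# conv=noerror (no trailing "s") keeps reading past bad sectors; it is paired
# with sync, which pads each short read to bs so later offsets stay aligned.
# Padding changes the hash when the source length is not a multiple of bs, so
# bs=512 (the sector size) is used: a real disk is a whole number of sectors.
# If a sector really fails, the padded zeros make the hashes differ, which is
# exactly the signal you want before trusting the image.
make_image() {
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
}

# md5_of PATH: print only the hex digest of PATH.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_image SRC IMG: succeed only when the image hashes the same as the source.
verify_image() {
    src_sum=$(md5_of "$1")
    img_sum=$(md5_of "$2")
    echo "source: $src_sum"
    echo "image:  $img_sum"
    [ "$src_sum" = "$img_sum" ]
}

# demo: constructed 32 KiB "disk" file standing in for the subject drive.
demo() {
    work=$(mktemp -d)
    head -c 32768 /dev/urandom > "$work/disk.raw"
    make_image "$work/disk.raw" "$work/disk.dd"
    verify_image "$work/disk.raw" "$work/disk.dd"
    status=$?
    rm -rf "$work"
    return $status
}
```

Run demo to see both digests printed and a zero exit status; any later change to the image (or a mounted source) turns the check into a non-zero exit.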