Re: Using dd.exe to make forensic images of NTFS drives

From: crazytrain (subscribeat_private)
Date: Sun Aug 10 2003 - 12:37:55 PDT

    Sakaba
    
    which version of Autopsy are you using?  Older versions had limited/no
    support for NTFS, so that *may* be the problem.
    
    Quick question, isn't FIRE a Linux based bootable cd?  Therefore the
    syntax would be:
    
    dd if=/dev/target_partition | nc XXX.XXX.XXX.XXX port_number
    
    
    Of course if it is a Win32 Bootable cd then strike my thought above!
    
    
    When you run 'file ntfs.dd' in Linux on that created image file, what do
    you see/get returned?  
    
    If you're using a later version of Sleuthkit it supports NTFS, so there
    is something else wrong.  I'd try again with the Linux nc syntax on a
    tried and tested NTFS partition and try again.  Let us know which
    version of Autopsy you're using.
    
    farmerdude
    
    
    
    On Sat, 2003-08-09 at 13:04, Sakaba wrote:
    > Hi everyone,
    > 
    > I have tried time and time again to make images of my NTFS drives via the
    > dd command in windows.
    > I use the FIRE cd forensic shell on the windows box and:
    > 
    > dd.exe if=\\.\f: |nc.exe <forensic machine IP> <port>
    > 
    > On my linux box I run:
    > 
    > nc -l -p <port> |dd of=/home/user/ntfs.dd
    > 
    > That all works fine and it makes and transfers the file but then I try to
    > add the file in autopsy and it tells me it's not an NTFS image and
    > consequently doesn't add it.
    > 
    > I tried conv=noerrors and I tried just dumping the file on the linux box
    > without dd on the of= side.  I tried different NTFS partitions of different
    > sizes as well.  My linux box has the NTFS support kernel mod and everything
    > else about autopsy works fine.  Just these NTFS images.  I have no probs
    > using dd with linux partitions at all.  I'd like to find a solution to this
    > because commercial ware like Encase is outrageously expensive and dd is
    > free making it perfect for my situation.
    > 
    > Thanks,
    > Sakaba
    > 
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    
    
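The check farmerdude suggests with `file ntfs.dd`, done directly against the first sector of the image, as an added example that is not part of this thread: it reads the documented NTFS boot-sector fields (OEM ID at offset 3, BPB at 0x0B, total sectors/MFT locations at 0x28, 0x55AA signature at 510) so you can tell whether the transferred dd file actually starts with an NTFS volume before handing it to Autopsy. The sample sector below is constructed for the demonstration, not captured from a real disk.

```python
import struct
from typing import Optional

SECTOR = 512


def parse_ntfs_boot_sector(sector: bytes) -> Optional[dict]:
    """Return the key NTFS boot-sector fields, or None when the first
    sector of the image does not look like an NTFS volume at all."""
    if len(sector) < SECTOR:
        return None
    # NTFS writes "NTFS    " as the OEM ID at offset 3 and the classic
    # 0x55 0xAA boot signature at offset 510. Either missing means the
    # image is truncated, shifted, or not a partition image.
    if sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "total_sectors": total_sectors,
        "mft_lcn": mft_lcn,          # cluster number of $MFT
        "mftmirr_lcn": mftmirr_lcn,  # cluster number of $MFTMirr
    }


def check_image(path: str) -> Optional[dict]:
    """Read only the first sector of a dd image and parse it."""
    with open(path, "rb") as fh:
        return parse_ntfs_boot_sector(fh.read(SECTOR))


def build_sample_sector() -> bytes:
    """Constructed sample NTFS boot sector (not taken from a real disk)."""
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xeb\x52\x90"            # jump instruction, as NTFS emits
    sec[3:11] = b"NTFS    "
    struct.pack_into("<HB", sec, 0x0B, 512, 8)          # 512 B/sector, 8 sectors/cluster
    struct.pack_into("<QQQ", sec, 0x28, 204799, 786432, 2)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)


if __name__ == "__main__":
    import sys
    print(check_image(sys.argv[1]) if len(sys.argv) > 1 else parse_ntfs_boot_sector(build_sample_sector()))
```

Run it as `python check_ntfs.py /home/user/ntfs.dd`; a `None` result means the image does not begin with an NTFS boot sector, which is the same conclusion Autopsy reports.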
    This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 12:30:31 PDT