Re: problems cloning a hard drive with dcfldd



On Wed, Aug 6, 2008 at 3:14 PM, <DON.RAIKES@xxxxxxxxxx> wrote:
> I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.
>
> Setup:
> laptop with 40GB hard drive with 2 partitions. The laptop had/has Windows XP on it, but it won't boot any longer.
> desktop system running Fedora 9 as my forensics lab machine.
> Fedora LiveCD containing dcfldd and some other tools.
>
> Situation:
> I boot the laptop using the LiveCD and log in no problem.
> I can see the hard drive as /dev/sda.

You might try pulling the drive out of the laptop and connecting it to
your PC directly using a USB external drive adapter. Mount the drive
on your forensics lab machine read-only and try acquiring the image
with dcfldd. You could also acquire the entire drive, rather than
individual partitions and then carve out the partitions from that
image, again using dcfldd. The Sleuth Kit command mmls will display the
partition table information it finds in the image and you can feed
that information into dcfldd to carve out the partitions.

> dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3

Looks good to me. Have you tried specifying a block size via bs=?

> All seems to be going just fine: the netcat connection is made and dcfldd is displaying its progress.
> However, at block 98513, I get an error from dcfldd saying:
>
> error:/dev/sda1 input output error
>
> and the whole process stops.

I have seen similar problems when trying to acquire using Helix and
USB mounted drives on laptops. I generally have better luck attaching
and mounting the drives in my forensic workstation.

Good luck.

--
Dave Hull


