Re: problems cloning a hard drive with dcfldd



On Wed, Aug 6, 2008 at 3:14 PM, <DON.RAIKES@xxxxxxxxxx> wrote:
I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.

Setup:
laptop with 40 GB hard drive with 2 partitions. The laptop had/has Windows XP on it, but it won't boot any longer.
desktop system running Fedora 9 as my forensics lab machine.
Fedora live CD containing dcfldd and some other tools.

Situation:
I boot the laptop using the live CD and log in, no problem.
I can see the hard drive as /dev/sda.

You might try pulling the drive out of the laptop and connecting it to
your PC directly using a USB external drive adapter. Mount the drive
on your forensics lab machine read-only and try acquiring the image
with dcfldd. You could also acquire the entire drive, rather than
individual partitions and then carve out the partitions from that
image, again using dcfldd. The Sleuth Kit command mmls will display the
partition table information it finds in the image and you can feed
that information into dcfldd to carve out the partitions.

dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3

Looks good to me. Have you tried specifying a blocksize via bs=?

All seems to be going just fine: the netcat connection is made and dcfldd is displaying its progress.
However, at block 98513, I get an error from dcfldd saying:

error:/dev/sda1 input output error

and the whole process stops.

I have seen similar problems when trying to acquire using Helix and
USB mounted drives on laptops. I generally have better luck attaching
and mounting the drives in my forensic workstation.

Good luck.

--
Dave Hull
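
The mmls-to-dcfldd step suggested in the reply above, as an added example that is not part of the original message: it reads mmls output and prints one dcfldd carve command per allocated partition, checking each row's Start/End/Length for consistency first. The mmls listing is constructed for illustration, and the image name disk.dd and the part_NNN output names are assumptions.

```shell
#!/bin/sh
# Constructed mmls listing for a two-partition 40 GB disk (not from the thread).
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0040965749   0040965687   NTFS / exFAT (0x07)
003:  000:001   0040965750   0078140159   0037174410   NTFS / exFAT (0x07)
EOF
}

# carve_cmds IMAGE: read mmls text on stdin and print a dcfldd command for
# each allocated partition (slot of the form NNN:NNN). Nothing is executed;
# review the commands before running them against a copy of the image.
carve_cmds() {
    awk -v img="$1" '
        # Strip zero padding as a string so large sector numbers stay exact.
        function num(s) { sub(/^0+/, "", s); return (s == "") ? "0" : s }
        /^Units are in [0-9]+-byte sectors/ { bs = $4; sub(/-byte$/, "", bs) }
        $1 ~ /^[0-9]+:$/ && $2 ~ /^[0-9]+:[0-9]+$/ {
            if (bs == "") { print "no sector size line seen" > "/dev/stderr"; bad = 1; exit }
            id = $1; sub(/:$/, "", id)
            start = num($3); end = num($4); len = num($5)
            # Refuse rows whose columns disagree (damaged or mis-parsed table).
            if ((end - start + 1) != (len + 0)) {
                print "inconsistent row " id > "/dev/stderr"; bad = 1; next
            }
            printf "dcfldd if=%s of=part_%s.dd bs=%s skip=%s count=%s hash=md5 hashlog=part_%s.md5\n", \
                   img, id, bs, start, len, id
        }
        END { exit bad }
    '
}

# Against a real image this would be: mmls disk.dd | carve_cmds disk.dd
sample_mmls | carve_cmds disk.dd
```
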