Re: problems cloning a hard drive with dcfldd


Does the file system on the desktop drive have enough space and does it support files larger than 4GB? ext2 will not support a 34GB file. ext3 will. You might have to break the image into segments using the split option.

Ernst & Young

----- Original Message -----
Sent: 08/06/2008 04:14 PM
To: focus-linux <focus-linux@xxxxxxxxxxxxxxxxx>
Subject: problems cloning a hard drive with dcfldd


I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.

Laptop with a 40GB hard drive with 2 partitions. The laptop had/has Windows XP on it, but it won't boot any longer.
Desktop system running Fedora 9 as my forensics lab machine.
Fedora LiveCD containing dcfldd and some other tools.

I boot the laptop using the LiveCD and log in with no problem.
I can see the hard drive as /dev/sda.

Both systems are connected to my local network.

I want to make a clone of the laptop hard drive so that I can use it to learn some of the forensic tools available, like sleuthkit, mac-robber, etc.

On desktop: start netcat in listening mode on port 1234.
On laptop, run:
dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3

All seems to be going just fine: the netcat connection is made and dcfldd is displaying its progress.
However, at block 98513, I get an error from dcfldd saying:

error:/dev/sda1 input output error

and the whole process stops.

I tried:
$ dcfldd if=/dev/sda1 of=/dev/null conv=noerror,sync

and it processed the entire 34GB without an error.

Any suggestions would be appreciated for how to get this drive cloned.
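
The reply's suggestion to break the image into segments, applied on the receiving desktop, as an added example that is not part of the thread: the stream from the listening netcat is cut into size-capped files, and the received byte count and MD5 are then checked against the values recorded on the source. The function names, the `image` prefix and the segment size are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. receive_segmented, image_bytes,
# image_md5 and verify_image are illustrative names.

# Read an image stream on stdin (for example the output of the listening
# netcat) and store it as fixed-size segments, so that no single file
# exceeds a per-file size limit on the receiving filesystem.
# usage: <stream> | receive_segmented OUTDIR PREFIX SEGMENT_BYTES
receive_segmented() {
    outdir=$1 prefix=$2 segsize=$3
    mkdir -p "$outdir" || return 1
    # -a 4 gives suffixes aaaa, aaab, ... which sort in write order.
    split -b "$segsize" -a 4 - "$outdir/$prefix." || return 1
}

# Total bytes received across all segments.
image_bytes() {
    cat "$1/$2".* | wc -c | tr -d ' '
}

# MD5 of the reassembled image, computed without writing a joined copy.
image_md5() {
    cat "$1/$2".* | md5sum | cut -d ' ' -f 1
}

# Compare the segments with the size and MD5 recorded on the source side.
# Prints a one-line verdict and returns 0 only when both match.
# usage: verify_image OUTDIR PREFIX EXPECTED_BYTES EXPECTED_MD5
verify_image() {
    got_bytes=$(image_bytes "$1" "$2")
    if [ "$got_bytes" -ne "$3" ]; then
        echo "TRUNCATED: got $got_bytes of $3 bytes"
        return 1
    fi
    got_md5=$(image_md5 "$1" "$2")
    if [ "$got_md5" != "$4" ]; then
        echo "HASH MISMATCH: got $got_md5, expected $4"
        return 1
    fi
    echo "OK: $got_bytes bytes, md5 $got_md5"
}
```

The expected byte count can be read on the source with `blockdev --getsize64`, and the expected MD5 is the total that dcfldd writes to its hashlog.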
