Re: problems cloning a hard drive with dcfldd


Does the file system on the desktop drive have enough space and does it support files larger than 4GB? ext2 will not support a 34GB file. ext3 will. You might have to break the image into segments using the split option.

----- Original Message -----
Sent: 08/06/2008 04:14 PM
To: focus-linux <focus-linux@xxxxxxxxxxxxxxxxx>
Subject: problems cloning a hard drive with dcfldd


I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.

laptop with 40gb harddrive with 2 partitions. The laptop had/has windows xp on it, but it won't boot any longer.
desktop system running fedora 9 as my forensics lab machine.
fedora livecd containing dcfldd and some other tools.

I boot the laptop using the livecd and login no problem.
I can see the hard drive as /dev/sda.

Both systems are connected to my local network.

I want to make a clone of the laptop harddrive so that I can use it to learn some of the forensic tools available like sleuthkit mac-robber etc.

on desktop: start netcat in listening mode port 1234
on laptop run:
dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3

All seems to be going just fine the netcat connection is made and dcfldd is displaying its progress.
However, at block 98513, I get an error from dcfldd saying:

error:/dev/sda1 input output error

and the whole process stops.

I tried:
$ dcfldd if=/dev/sda1 of=/dev/null conv=noerror,sync

and it processed the entire 34gb without an error.

Any suggestions would be appreciated for how to get this drive cloned.

