RE: problems cloning a hard drive with dcfldd



Thanks, pulling the hard drive and attaching it directly to my forensics machine was going to be my next step.

-----Original Message-----
From: Dave Hull [mailto:dphull@xxxxxxxxxxxxxxxxx]
Sent: Thursday, August 07, 2008 10:38 AM
To: DON.RAIKES@xxxxxxxxxx
Cc: focus-linux
Subject: Re: problems cloning a hard drive with dcfldd


On Wed, Aug 6, 2008 at 3:14 PM, <DON.RAIKES@xxxxxxxxxx> wrote:
I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.

Setup:
Laptop with a 40 GB hard drive with 2 partitions. The laptop had/has Windows XP on it, but it won't boot any longer.
Desktop system running Fedora 9 as my forensics lab machine.
Fedora live CD containing dcfldd and some other tools.

Situation:
I boot the laptop using the live CD and log in, no problem.
I can see the hard drive as /dev/sda.

You might try pulling the drive out of the laptop and connecting it to
your PC directly using a USB external drive adapter. Mount the drive
on your forensics lab machine read-only and try acquiring the image
with dcfldd. You could also acquire the entire drive, rather than
individual partitions and then carve out the partitions from that
image, again using dcfldd. The Sleuth Kit command mmls will display the
partition table information it finds in the image and you can feed
that information into dcfldd to carve out the partitions.

dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3

Looks good to me. Have you tried specifying a blocksize via bs=?

All seems to be going just fine: the netcat connection is made and dcfldd is displaying its progress.
However, at block 98513, I get an error from dcfldd saying:

error:/dev/sda1 input output error

and the whole process stops.

I have seen similar problems when trying to acquire using Helix and
USB mounted drives on laptops. I generally have better luck attaching
and mounting the drives in my forensic workstation.

Good luck.

--
Dave Hull
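
The whole-drive approach suggested above (image the full disk, then carve partitions using the offsets mmls reports), as an added example that is not part of the original thread. The image name disk.dd, the output file names, the helper carve_cmds and the sample partition table are assumptions constructed for illustration; the column layout of current Sleuth Kit mmls output is assumed.

```shell
#!/bin/sh
# Added example: turn mmls output into dcfldd carving commands.
# On a real image (assumed name disk.dd):  mmls disk.dd | carve_cmds disk.dd

# carve_cmds IMAGE: reads mmls output on stdin and prints one dcfldd command
# per allocated partition. It only prints commands for review; it runs nothing.
carve_cmds() {
    awk -v img="$1" '
        # mmls states its unit, e.g. "Units are in 512-byte sectors"
        /^Units are in/ { split($4, u, "-"); bs = u[1] + 0 }
        # Allocated partitions have a numeric slot such as 000:000.
        # "Meta" and "-------" rows (tables, unallocated space) are skipped.
        $2 ~ /^[0-9]+:[0-9]+$/ {
            if (bs == 0) bs = 512          # assumption if the unit line is missing
            n = $1; sub(/:$/, "", n)       # row number, used in the file names
            start = $3 + 0; len = $5 + 0   # +0 drops the zero padding
            printf "dcfldd if=%s of=part_%s.dd bs=%d skip=%d count=%d hash=md5 hashlog=part_%s.md5.log\n", img, n, bs, start, len, n
        }'
}

# Constructed sample of mmls output for a 40 GB disk with two partitions.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000062   0000000063   Unallocated
002:  000:000   0000000063   0040965749   0040965687   NTFS / exFAT (0x07)
003:  000:001   0040965750   0078140159   0037174410   NTFS / exFAT (0x07)'

# Show the commands that would carve both partitions out of disk.dd.
printf '%s\n' "$SAMPLE_MMLS" | carve_cmds disk.dd
```

Because bs matches the sector size mmls reports, skip= and count= can take the Start and Length columns directly.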


