Hi everybody, I need to dump a tape (created by ufsdump) using dd into a temporary filesystem (a single file). The platform is SunOS5.9. The command I...
1916
nikkel@...
Feb 9, 2006 2:34 pm
... Alfredo, That error may have something to do with the block size. Try specifying a block size like 64k or 128k: # dd if=/dev/rmt/0 of=/home/export/temp.dd...
1917
Stuart Bird
e_tective
Feb 9, 2006 2:43 pm
Hi All
Bit of a vague question I know but I was wondering if there was an accepted minimum "dcfldd" command that people use when imaging hard discs.
I was...
1918
Nicholas Harbour
nicholasharbour
Feb 9, 2006 4:57 pm
For dealing with bad sectors and errors, use "conv=sync,noerror" always. That is the only switch that I would say HAS to be in every dd command that is used...
1919
Steve Gibson
sw_gibson
Feb 9, 2006 5:57 pm
You might also have to play with the block size setting on the tape drive itself if it isn't set to 0 (auto). You can find out what the hardware block size is...
1920
Blare Sutton
blare_sutton
Feb 9, 2006 10:37 pm
Stuart, I would agree with Nick (as most would, he being the author and all). A good base dcfldd command would be: dcfldd conv=sync,noerror if=/dev/hda...
1921
Gary Funck
garyfunck
Feb 10, 2006 12:04 am
... Solaris has a convenient command called 'tcopy', which copies a tape, but can also be used to list some info. about the contents of the tape, ...
1922
Gary Funck
garyfunck
Feb 10, 2006 12:05 am
Nicholas, do you have any plans to integrate the capabilities of dd_rescue into dcfldd? I think that would be a useful feature....
1923
Gary Funck
garyfunck
Feb 10, 2006 12:20 am
Here's a Perl script I wrote a while back that attempts to first copy at full speed and backs off to use block-by-block if errors are found. CAVEAT...
1924
Nicholas Harbour
nicholasharbour
Feb 12, 2006 2:33 pm
I am looking into it as we speak. If I am correct, the only advantages of dd_rescue are as follows (beyond what conv=sync,noerror provides): 1. The ability...
1925
Gary Funck
garyfunck
Feb 12, 2006 7:07 pm
... I would guess that with modern drives, which have their own elaborate internal error recovery, and with a Linux driver layered on top of that - that...
1926
Nicholas Harbour
nicholasharbour
Feb 13, 2006 12:02 am
... Without the ability to drop to a lower blocksize in case of read errors, the trade-off is to find lowest possible blocksize that will yield good...
1927
Blare Sutton
blare_sutton
Feb 13, 2006 6:47 am
... This makes a lot of sense, as does the equation you presented behind it. However, does this also mean that the hashwindow you use will impact the overall...
1928
Nicholas Harbour
nicholasharbour
Feb 13, 2006 11:37 pm
... The hashwindow size you pick should have no real effect on performance except for the added IO of writing out the potentially HUGE hashlog if your ...
1929
Gary Funck
garyfunck
Feb 13, 2006 11:58 pm
... hdparm has some options, which on the face of things look like they may affect performance: -a get/set fs readahead -A set drive read-lookahead flag...
1930
Francisco Pecorella
fpecorel
Feb 15, 2006 8:09 pm
Hi to all guys, does anyone know some guidelines or examples about how to do forensics reports? I know that you must show all the steps that you did, how were the...
1931
vincent lemoine
moineau92
Feb 15, 2006 8:44 pm
Hi, look http://www.ojp.usdoj.gov/nij/pubs-sum/199408.htm (good guideline and examples) Best Regards Vincent Lemoine Policeman Officer Squad Forensics Unit ...
1932
Stevens R. Miller
bobhey2000
Feb 15, 2006 9:19 pm
Great guide and some impressive worksheets in Appendix C. A few thoughts from a lawyer, though: 1. Records help you remember what you did and, in a few cases,...
1933
suman
sumanadak
Feb 16, 2006 4:53 am
Hi all, I am going to build forensic software for PDAs, meaning WinCE, Palm OS, Linux, BlackBerry and some high-end Symbian OS based phones. I have done...
1934
suman
sumanadak
Feb 17, 2006 4:19 am
Hi bollix, Now I am building a GUI for analysis in GTK+, Glade, Anjuta IDE. I have just started now. If you see the Paraben PDA forensic software which is for...
1935
Gary Funck
garyfunck
Feb 19, 2006 10:52 pm
... [...] ... Isn't 512 the default for regular old 'dd'? If dcfldd's default is different than dd's, I think it is important that the document (man page)...
1936
farmerduderl
Feb 20, 2006 4:44 am
... Yes. ... from human.c /* The default block size used for output. This number may change in the future as disks get larger. */ #ifndef DEFAULT_BLOCK_SIZE ...
1939
Gary Funck
garyfunck
Feb 23, 2006 5:53 pm
Interesting, lengthy, thread on the security focus forensics list: http://www.securityfocus.com/archive/104/425449/30/0/threaded The person who originally...
1940
ASR Data
asrdata
Feb 27, 2006 3:22 pm
My approach is to identify each sector that generates an error as well as the specific error. A checksum error simply means that either the data is unreliable...
1941
Michele Vetturi
mvetturi
Feb 27, 2006 4:20 pm
... Do you use the same approach also with disks with thousands of bad sectors? It sounds really tedious... :) ... -- mk...
1942
Stevens R. Miller
bobhey2000
Feb 27, 2006 4:46 pm
Very sensible approach. How much of that must be done manually? Can you automate it?...
1943
Gary Funck
garyfunck
Feb 27, 2006 9:10 pm
... Since your display name is ASR Data, when you say "my approach", do you mean the approach taken by some component of SMART, or just your own personal...
1944
Gary Funck
garyfunck
Feb 27, 2006 9:38 pm
Coming back to this. I'll offer a suggestion on what I think might be 'best practice'. First, by way of example, let's say that we used an imaging approach...
1946
greggmaynard
Mar 7, 2006 7:52 pm
I used dcfldd to create an image file from Knoppix (FoRK); how can I now analyse the file (or add as evidence) in EnCase? Any thoughts? Thanks....
1947
Harry Duncan
usr.src.linux@...
Mar 7, 2006 8:06 pm
... Really depends on what version of Linux you are running EnCase on. Please confirm. Harry....