[clug] Simple computer forensics?

Red Phoenix intersect at gmail.com
Thu Oct 13 05:44:58 GMT 2005

G'day Michael,

On Thu, 2005-10-13 at 15:17 +1000, Michael James wrote:

> Know a good dd command to clone a disk?
> (Don't know if it's FAT or NTFS)

The good news is that the format won't matter.
As long as the source & target disks are IDENTICAL in all respects, or the
target disk is larger than the source, the following command should provide
you with what you're after.

Assuming that the 'source' drive is /dev/hda and the 'target' drive is
/dev/hdb, you can just:

# dd if=/dev/hda of=/dev/hdb
.. to clone a disk.

(Note: make sure you don't use /dev/hda[number] (e.g. /dev/hda1), as this
won't grab the master boot record, whereas the command above will.)

The method above is pretty slow usually, so we generally need to delve into
the dd options a little to speed it up.

The optimal block size is a little tough to determine, but for most modern
IDE drives, 8k should be about right. Using an 8k block size should speed
up the process a bit for you. So:

# dd if=/dev/hda of=/dev/hdb bs=8k

.. make sure you verify that hda is definitely the source, and hdb is
definitely the target. :)

> Can a suspect windows PC
> be comprehensively checked for malware,
> or is re-building the only sure path?

Yes and no. It can only really be comprehensively evaluated when you have a
'known clean snapshot' image to compare against. Otherwise, you'll have some
risk that you'll have a few hangers-on. The combination of Ad-Aware, Spybot
Search & Destroy, and an up-to-date virus checker may reduce the likelihood
of problems to an acceptable level for you though.
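As an added example (not code from the original reply) of what "compare against a known clean snapshot" looks like in practice: a file manifest is taken from the clean snapshot, another from the suspect copy, and the two are diffed into added, modified and removed files. Two constructed directory trees stand in for the snapshot and the suspect disk, and the file names, the manifest format and the awk classification are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: compare a suspect machine's
# files against a 'known clean snapshot'. Two constructed directory trees play
# the clean snapshot and the suspect disk so that this runs offline.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CLEAN="$WORK/clean"      # files captured when the machine was known good
SUSPECT="$WORK/suspect"  # files as found on the suspect machine

# Constructed sample trees: the suspect copy has one changed file, one file
# that was never in the baseline, and one file that has gone missing.
build_trees() {
    rm -rf "$CLEAN" "$SUSPECT"
    mkdir -p "$CLEAN/windows/temp"
    printf 'MZ-clean-binary\n' > "$CLEAN/windows/notepad.exe"
    printf '[boot]\nshell=explorer.exe\n' > "$CLEAN/windows/system.ini"
    printf 'baseline captured before deployment\n' > "$CLEAN/windows/readme.txt"
    mkdir -p "$SUSPECT" && cp -R "$CLEAN/." "$SUSPECT/"
    printf '; line not present in the baseline\n' >> "$SUSPECT/windows/system.ini"
    printf 'MZ-not-in-baseline\n' > "$SUSPECT/windows/temp/unknown-new.exe"
    rm -f "$SUSPECT/windows/readme.txt"
}

# Manifest of every regular file under a root: "sha256  ./relative/path",
# one line per file, in path order. (Paths containing whitespace are not
# handled by this simple version.)
snapshot_tree() {
    ( cd "$1" && find . -type f | sort | while read -r f; do sha256sum "$f"; done )
}

# Classify differences between two manifests as ADDED, MODIFIED or REMOVED.
# $1 is the clean manifest, $2 the suspect manifest.
classify_changes() {
    awk 'NR == FNR { clean[$2] = $1; next }
         {
             seen[$2] = 1
             if (!($2 in clean))        print "ADDED    " $2
             else if (clean[$2] != $1)  print "MODIFIED " $2
         }
         END { for (p in clean) if (!(p in seen)) print "REMOVED  " p }' "$1" "$2" | sort
}

# Number of differences; zero means the suspect matches the snapshot exactly.
count_changes() {
    classify_changes "$1" "$2" | wc -l | tr -d ' '
}

build_trees
snapshot_tree "$CLEAN"   > "$WORK/clean.sha256"
snapshot_tree "$SUSPECT" > "$WORK/suspect.sha256"
classify_changes "$WORK/clean.sha256" "$WORK/suspect.sha256"
echo "$(count_changes "$WORK/clean.sha256" "$WORK/suspect.sha256") file(s) differ from the clean snapshot"
```

Run the suspect-side manifest against a read-only mounted copy of the disk rather than on the live machine, so nothing running on it can interfere with what you read. The comparison only tells you what changed on disk relative to the snapshot; it says nothing about why, and it is only as trustworthy as the snapshot itself, which is why the reply insists the snapshot be a known clean one.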

Good luck with the cleanout.

Michael James                         michael.james at csiro.au
System Administrator                    voice:  02 6246 5040
CSIRO Bioinformatics Facility             fax:  02 6246 5166

No matter how much you pay for software,
 you always get less than you hoped.
Unless you pay nothing, then you get more.

Leigh Purdie, Director - InterSect Alliance Pty Ltd
