[clug] Simple computer forensics?

Rodney Peters rpeters at pcug.org.au
Thu Oct 13 23:19:41 GMT 2005

I have cloned a working Win98 on FAT using the command suggested by Leigh.  
Purpose was a backup, prior to conversion to FAT32.   The target disk was a 
few kB smaller, so I de-fragged the partition first, then dd only the number 
of sectors available on the target by including the count= parameter.  

If you just want a backup, then partimage will give you a compressed image of 
most partition types, including NTFS, HPFS, FAT as well as the common Linux 
types.  Advantage of this tool is that it produces a .gz file, which might be 
restorable by other means.  I've successfully restored an NTFS partition to a 
PC and it worked OK.


On Thursday 13 October 2005 22:00, linux-request at lists.samba.org wrote:
> Re: [clug] Simple computer forensics?
> From: Red Phoenix <intersect at gmail.com>
> To: Michael James <Michael.James at csiro.au>
> CC: linux at lists.samba.org
> Date: Yesterday 15:44:58
> G'day Michael,
> On Thu, 2005-10-13 at 15:17 +1000, Michael James wrote:
> > Know a good dd command to clone a disk?
> > (Don't know if it's FAT or NTFS)
> The good news is that the format won't matter.
> As long as the source & target disks are IDENTICAL in all respects, or the
> target disk is larger than the source, the following command should provide
> you with what you're after.
> Assuming that the 'source' drive is /dev/hda, and the 'target' drive is
> '/dev/hdb', you can just:
> # dd if=/dev/hda of=/dev/hdb
> .. to clone a disk.
> (note: make sure you don't use /dev/hda[number] (eg: /dev/hda1) - as this
> won't grab the master boot record, whereas the command above will).
> The method above is pretty slow usually, so we generally need to delve into
> the dd options a little to speed it up.
> The optimal block size is a little tough to determine, but for most modern
> IDE drives, 8k should be about right. Using an 8k block size should speed
> up the process a bit for you. So:
> # dd if=/dev/hda of=/dev/hdb bs=8k
> .. make sure you verify that hda is definitely the source, and hdb is
> definitely the target. :)
> > Can a suspect windows PC
> > be comprehensively checked for malware,
> > or is re-building the only sure path?
> Yes and no. It can only really be comprehensively evaluated, when you have
> a 'known clean snapshot' image to compare against. Otherwise, you'll have
> some risk that you'll have a few hangers on. The combination of ad-aware,
> spybot search & destroy, and an up-to-date virus checker, may reduce the
> likelihood of problems to an acceptable level for you though.
> Good luck with the cleanout.
> Regards,
> Leigh.
> > TIA,
> > michaelj
> > --
> > Michael James                         michael.james at csiro.au
> > System Administrator                    voice:  02 6246 5040
> > CSIRO Bioinformatics Facility             fax:  02 6246 5166
> > No matter how much you pay for software,
> >  you always get less than you hoped.
> > Unless you pay nothing, then you get more.
> --
> Leigh Purdie, Director - InterSect Alliance Pty Ltd
> http://www.intersectalliance.com/
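Rodney's count= approach (copy only the whole blocks that fit on a slightly smaller target, at Leigh's 8k block size) with a hash check over the copied region, as an added shell example that is not from the thread; it assumes GNU coreutils and, for the dry run, uses plain files as stand-ins for /dev/hda and /dev/hdb.

```shell
#!/bin/sh
# Added example, not from the thread. Clones SRC onto DST copying only as
# many whole blocks as DST can hold, then hashes that region on both sides.
# Works on block devices or on regular files (constructed dry run below).
set -u

# Size in bytes of a block device or a regular file (GNU blockdev/stat).
dev_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Number of whole blocks of $2 bytes that fit on $1.
blocks_that_fit() {
    echo $(( $(dev_size "$1") / $2 ))
}

# clone_fit SRC DST [BS]: prints bytes copied; returns 1 if hashes differ.
clone_fit() {
    src=$1; dst=$2; bs=${3:-8192}
    count=$(blocks_that_fit "$dst" "$bs")
    src_blocks=$(blocks_that_fit "$src" "$bs")
    if [ "$count" -lt "$src_blocks" ]; then
        echo "warning: target smaller than source, clone truncated at $count blocks" >&2
    elif [ "$count" -gt "$src_blocks" ]; then
        count=$src_blocks      # never read past the end of the source
    fi
    # conv=notrunc keeps a regular-file target at its original length;
    # on a real device conv=noerror,sync would also zero-pad unreadable blocks.
    dd if="$src" of="$dst" bs="$bs" count="$count" conv=notrunc status=none
    bytes=$(( count * bs ))
    src_sum=$(head -c "$bytes" "$src" | sha256sum | cut -d' ' -f1)
    dst_sum=$(head -c "$bytes" "$dst" | sha256sum | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ] || return 1
    echo "$bytes"
}

# Constructed dry run: a 100 KiB "source" and a 90 KiB "target" file, so
# only 11 of the source's 12 full 8 KiB blocks are copied (90112 bytes).
demo_clone() {
    tmp=$(mktemp -d)
    head -c 102400 /dev/urandom > "$tmp/src.img"
    head -c 92160 /dev/zero > "$tmp/dst.img"
    if clone_fit "$tmp/src.img" "$tmp/dst.img" 8192; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

demo_clone
```

The hash only proves the copied region matches; it says nothing about whether filesystem structures the defrag left beyond the cut-off make the truncated clone unusable, which is why a full-size target or a partition image is the safer backup.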
