[clug] Simple computer forensics?
rpeters at pcug.org.au
Thu Oct 13 23:19:41 GMT 2005
I have cloned a working Win98 on FAT using the command suggested by Leigh.
Purpose was a backup, prior to conversion to FAT32. The target disk was a
few kB smaller, so I de-fragged the partition first, then dd'd only the number
of sectors available on the target by including the count= parameter.
If you just want a backup, then partimage will give you a compressed image of
most partition types, including NTFS, HPFS, FAT as well as the common Linux
types. Advantage of this tool is that it produces a .gz file, which might be
restorable by other means. I've successfully restored an NTFS partition to a
PC and it worked OK.
On Thursday 13 October 2005 22:00, linux-request at lists.samba.org wrote:
> Re: [clug] Simple computer forensics?
> Red Phoenix <intersect at gmail.com>
> Michael James <Michael.James at csiro.au>
> linux at lists.samba.org
> Yesterday 15:44:58
> G'day Michael,
> On Thu, 2005-10-13 at 15:17 +1000, Michael James wrote:
> Know a good dd command to clone a disk?
> (Don't know if it's FAT or NTFS)
> The good news is that the format won't matter.
> As long as the source & target disks are IDENTICAL in all respects, or the
> target disk is larger than the source, the following command should provide
> you with what you're after.
> Assuming that the 'source' drive is /dev/hda, and the 'target' drive is
> '/dev/hdb', you can just:
> # dd if=/dev/hda of=/dev/hdb
> .. to clone a disk.
> (note: make sure you don't use /dev/hda[number] (eg: /dev/hda1) - as this
> won't grab the master boot record, whereas the command above will).
> The method above is pretty slow usually, so we generally need to delve into
> the dd options a little to speed it up.
> The optimal block size is a little tough to determine, but for most modern
> IDE drives, 8k should be about right. Using an 8k block size should speed
> up the process a bit for you. So:
> # dd if=/dev/hda of=/dev/hdb bs=8k
> .. make sure you verify that hda is definitely the source, and hdb is
> definitely the target. :)
> Can a suspect windows PC
> be comprehensively checked for malware,
> or is re-building the only sure path?
> Yes and no. It can only really be comprehensively evaluated when you have
> a 'known clean snapshot' image to compare against. Otherwise, you'll have
> some risk that you'll have a few hangers-on. The combination of ad-aware,
> spybot search & destroy, and an up-to-date virus checker may reduce the
> likelihood of problems to an acceptable level for you though.
> Good luck with the cleanout.
> Michael James michael.james at csiro.au
> System Administrator voice: 02 6246 5040
> CSIRO Bioinformatics Facility fax: 02 6246 5166
> No matter how much you pay for software,
> you always get less than you hoped.
> Unless you pay nothing, then you get more.
> Leigh Purdie, Director - InterSect Alliance Pty Ltd
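The two pieces of the thread above, dd'ing only as many sectors as a slightly smaller target holds (the count= trick in the first post) and then checking that what landed on the target really is a faithful copy, put together as an added example. This script is not from either poster; it works on ordinary image files so it can be run offline, and the function names (size_in_sectors, clone_to_smaller, hash_range, verify_clone) are my own. On real block devices the size lookup would be blockdev --getsz rather than stat, and the source would be opened read-only behind a write blocker; everything else is the same.

```shell
#!/bin/sh
# Added example (not from the list post): clone a source image onto a target
# that is a few sectors smaller, copying only as many 512-byte sectors as the
# target holds via dd's count= parameter, then verify the copied range by hash.
# Runs on ordinary files so it can be tried offline; on real block devices
# the size lookup would be `blockdev --getsz DEV` (sectors) instead of stat.
set -eu

SECTOR=512

# Pick a SHA-256 tool: GNU coreutils sha256sum, else BSD/macOS shasum
if command -v sha256sum >/dev/null 2>&1; then
    SUM="sha256sum"
else
    SUM="shasum -a 256"
fi

# size_in_sectors PATH -> whole 512-byte sectors in the file (or device node)
size_in_sectors() {
    # GNU stat uses -c %s, BSD stat uses -f %z
    bytes=$(stat -c %s "$1" 2>/dev/null || stat -f %z "$1")
    echo $(( bytes / SECTOR ))
}

# clone_to_smaller SRC DST -> copy min(src, dst) sectors; prints sectors copied.
# Same idea as the first post: when the target is smaller, pass count= so dd
# stops at the target's capacity instead of dying with "No space left on device".
clone_to_smaller() {
    src=$1; dst=$2
    src_sectors=$(size_in_sectors "$src")
    dst_sectors=$(size_in_sectors "$dst")
    if [ "$dst_sectors" -lt "$src_sectors" ]; then
        count=$dst_sectors
    else
        count=$src_sectors
    fi
    # bs=512 makes count= a sector count; conv=notrunc keeps a file target
    # at its original size, the way a block device would be.
    dd if="$src" of="$dst" bs="$SECTOR" count="$count" conv=notrunc
    sync
    echo "$count"
}

# hash_range PATH COUNT -> SHA-256 of the first COUNT sectors
hash_range() {
    dd if="$1" bs="$SECTOR" count="$2" 2>/dev/null | $SUM | cut -d' ' -f1
}

# verify_clone SRC DST COUNT -> exit 0 only when the copied range matches exactly.
# Hashing both sides over the same sector count is the check that tells you the
# image is a faithful copy (and, kept with the image, documents it later).
verify_clone() {
    [ "$(hash_range "$1" "$3")" = "$(hash_range "$2" "$3")" ]
}

# Stand-alone demo with constructed images: sh clone.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/src.img" bs="$SECTOR" count=2048 2>/dev/null
    dd if=/dev/zero    of="$tmp/dst.img" bs="$SECTOR" count=2000 2>/dev/null
    n=$(clone_to_smaller "$tmp/src.img" "$tmp/dst.img")
    verify_clone "$tmp/src.img" "$tmp/dst.img" "$n" && echo "verified $n sectors"
    rm -rf "$tmp"
fi
```

Note that the verification only covers the sectors that were actually copied: the defrag step in the first post matters because it is what makes the unreachable tail of the source empty, and the hash check cannot tell you whether anything lived there. Hashing the full source length against the target will, correctly, not match.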