Hi Don,

I think it's bit too late for this reply. But you can find whether DD
is failing or DD is failing due to NC failure if you look at the
PIPESTATUS envar from bash.

Kosala

On Wed, Aug 6, 2008 at 11:14 PM, <DON.RAIKES (at) oracle (dot) com [email concealed]> wrote:
> Hello,
>
> I am a newbie to this whole digital forensics world, and am having a problem cloning a hard drive.
>
> Setup:
> laptop with 40gb harddrive with 2 partitions. The laptop had/has windows xp on it, but it won't boot any longer.
> desktop system running fedora 9 as my forensics lab machine.
> fedora livecd containing dcfldd and some other tools.
>
> Situation:
> I boot the laptop using the livecd and login no problem.
> I can see the hard drive as /dev/sda.
>
> Both systems are connected to my local network.
>
> I want to make a clone of the laptop harddrive so that I can use it to learn some of the forensic tools available like sleuthkit mac-robber etc.
>
> Steps:
> on desktop: start netcat in listening mode port 1234
> on laptop run:
> dcfldd if=/dev/sda1 conv=noerror,sync hash=md5 hashlog=md5.log | nc desktopsystem 1234 -w 3
>
> All seems to be going just fine the netcat connection is made and dcfldd is displaying its progress.
> However, at block 98513, I get an error from dcfldd saying:
>
> error:/dev/sda1 input output error
>
> and the whole process stops.
>
> I tried:
> $ dcfldd if=/dev/sda1 of=/dev/null conv=noerror,sync
>
> and it processed the entire 34gb without an error.
>
> Any suggestions would be appreciated for how to get this drive cloned.
>

--
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and
they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net

[ reply ]