Use dd with compression, please advise

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
  

Re: Use dd with compression, please advise

Posted: Wed Oct 11, 2017 5:03 am

Hi,

Just removing the 'noerror' option works like a charm... I had no problem storing the file, and no problem restoring it.

This is the 'formula' I've used, where "z:" is a mapped network drive:

dd -v if=\\.\Physicaldrive0 of=z:\myfile.img conv=comp --localwrt
dd -v if=z:\myfile.img.gz of=\\.\Physicaldrive0 conv=decomp --localwrt

This 'dd' is quicker than using a combination of dd + 7zip, especially for restore times.

Best Regards  

pmico
Newbie
 
 
  

Re: Use dd with compression, please advise

Posted: Wed Oct 11, 2017 9:00 am

- pmico
Hi,

Just removing the 'noerror' option works like a charm... I had no problem storing the file, and no problem restoring it.


Hmmm. Confused
It may depend on the situation: \\.\PhysicalDrive0 normally is the boot disk and as such is in use. It would be necessary to know your exact configuration and the exact OS involved to be sure (if you booted from a PE of some kind based on 7 or later, then probably \\.\PhysicalDrive0 is accessible just fine anyway, as it contains no boot/system volumes and the PE is booted from CD/DVD or from a USB stick that becomes \\.\Physicaldrive1; besides, GPT disks may behave differently from MBR).

Still, JFYI, what you tested is not a confirmation of *anything*.

Mind you, not that it didn't work (most probably it did :) ), only your testing procedure does not guarantee it worked.

The procedure should be:
1) make a dd image of the physicaldrive
2) make some changes to the physicaldrive contents (or wipe it)
3) restore the dd image taken in #1
4) make a new dd image of the physicaldrive
5) compare the images in #1 and #4

- pmico

dd -v if=\\.\Physicaldrive0 of=z:\myfile.img conv=comp --localwrt
dd -v if=z:\myfile.img.gz of=\\.\Physicaldrive0 conv=decomp --localwrt


In the first line the --localwrt should not be needed.


jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
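
Step 5 of the procedure in the post above (compare the images from #1 and #4), as an added example that is not part of the thread or either poster's code. It assumes the compressed images are gzip files, whose headers can differ between two runs even when the disk content is identical, so it hashes and compares the decompressed streams; the file names and the sample data in demo() are constructed for illustration.

```python
import gzip
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream in 1 MiB pieces; disk images do not fit in memory

def open_image(path):
    """Open a raw or gzip-compressed image as a stream of raw disk bytes."""
    with open(path, "rb") as f:
        is_gzip = f.read(2) == b"\x1f\x8b"  # gzip magic number
    return gzip.open(path, "rb") if is_gzip else open(path, "rb")

def compare_images(path_a, path_b):
    """Return (identical, sha256_a, sha256_b, offset_of_first_difference)."""
    h_a, h_b = hashlib.sha256(), hashlib.sha256()
    offset, first_diff = 0, None
    with open_image(path_a) as a, open_image(path_b) as b:
        while True:
            ca, cb = a.read(CHUNK), b.read(CHUNK)
            if not ca and not cb:
                break
            h_a.update(ca)
            h_b.update(cb)
            if first_diff is None and ca != cb:
                n = min(len(ca), len(cb))  # a length mismatch counts as a diff
                first_diff = offset + next(
                    (i for i in range(n) if ca[i] != cb[i]), n)
            offset += max(len(ca), len(cb))
    return first_diff is None, h_a.hexdigest(), h_b.hexdigest(), first_diff

def demo():
    """Constructed sample: three small stand-ins for images of one drive."""
    disk = bytes(range(256)) * 512        # 128 KiB of fake "drive" content
    changed = bytearray(disk)
    changed[70000] ^= 0xFF                # one byte the restore got wrong
    with tempfile.TemporaryDirectory() as d:
        img1, img4, bad = (os.path.join(d, n) for n in ("1.gz", "4.gz", "bad.img"))
        for path, mtime in ((img1, 1), (img4, 2)):  # same data, other header
            with gzip.GzipFile(path, "wb", mtime=mtime) as gz:
                gz.write(disk)
        with open(bad, "wb") as f:
            f.write(changed)
        with open(img1, "rb") as f1, open(img4, "rb") as f4:
            gz_files_equal = f1.read() == f4.read()
        return gz_files_equal, compare_images(img1, img4), compare_images(img1, bad)

if __name__ == "__main__":
    print(demo())
```

In demo() the two .gz files differ byte for byte while their decompressed content hashes the same, which is why the comparison is done on the raw stream rather than on the compressed files.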
 
 
