I'm still at the basics of forensics and I'm trying to make a forensic copy of a virtual machine. My setup is:
Backtrack VMware image
VMware image (suspect) (hda1)
External HDD (hdb1)
I load the Backtrack VM, then add an extra HDD in the settings and link it to the suspect image.
When I finally try to make a dd with the following command:
dd if=/dev/hda of=/mnt/hdb1/susanne.dd conv=notrunc,noerror,sync
But when I reach 4GB I get the error "file size limit exceeded". This is probably because the external HDD is FAT; I tried it with NTFS but Backtrack isn't allowed to write to it.
I still want to dd the entire disk (16GB), but it seems it can't be done as one part, so I need to split it up. I have looked into the basic information on dd on this site but didn't get exactly what to do. Could someone link an example of what I should do? My last question is: how can I show/compare the md5sum of the suspect disk if it is cut into different parts?
Two things:
1. Why not pipe dd through split?
2. Why not open the vmdk file in FTK Imager and image it that way?
FAT can't handle file sizes over 4GB, although I'm not sure if this is the problem. But I'm with keydet…just use FTK Imager.
I know that is easier, but I just want to know a way to do it from Linux.
But I keep looking further.
well, first off, if all you have is a Linux boot CD, maybe you should have someone else respond.
To your original question, though…try piping the output of dd through split.
http//
Are you using the ntfs-3g driver to mount the ntfs drive?
The standard kernel driver for NTFS is read only.
If you decide to try Windows instead of Linux, there are some suggestions in here: http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf
If you want to use Linux and have a problem with getting dd to work, you can always use any of the various other Linux tools available, such as Linen or some of the imaging utilities on Helix; you can boot the VM directly to the CD and image it (provided you have an attached destination drive). Using Linux, you have to be aware of the limitations of file systems that aren't based on Linux.
And I vote with the others…FTK Imager is a wonderful app for many reasons, including taking care of your MD5 question.
Excellent paper, Brett!
I still want to dd the entire disk (16GB), but it seems it can't be done as one part, so I need to split it up. I have looked into the basic information on dd on this site but didn't get exactly what to do. Could someone link an example of what I should do? My last question is: how can I show/compare the md5sum of the suspect disk if it is cut into different parts?
For a hint, look at the description of 'skip=' in the dd man page. Or, as already noticed, use split instead.
If you md5sum the whole disk, then you need to cat(1) the parts together in the right order before you md5sum them again. As you are going to cat them together anyhow, wait until then.
Try this for dd:
dd if=/dev/hd[target] conv=noerror,sync bs=64k | split -b 2000m - /mnt/image_folder/image_name.dd.
Try this for dcfldd:
Physical:
dcfldd if=/dev/hd[TARGET] conv=noerror,sync bs=64k hashwindow=0 hash=md5 hashlog=/mnt/test/hash.md5 | split -b 2000m - /mnt/test/image_folder/image_name.dd.
Logical:
dcfldd if=/dev/hd[TARGET][PARTITION] conv=noerror,sync bs=64k hashwindow=0 hash=md5 hashlog=/mnt/test/hash.md5 | split -b 2000m - /mnt/test/image_folder/image_name.dd.
Make sure you have the period at the end of image_name.dd.
ms
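An added example, not from any poster in this thread, that puts the split-and-hash advice above into one script: it images a source with dd, splits the stream into parts small enough for a FAT volume, hashes the whole stream on the way (with tee and a FIFO instead of dcfldd), and verifies the reassembled parts against that hash, which answers the md5sum question. The source path, image prefix and chunk size are assumptions, and a regular file stands in for /dev/hda.

```shell
#!/bin/sh
# Added example, not from any post in this thread. A regular file stands in
# for the suspect device (/dev/hda in the thread); the image prefix and chunk
# size are assumptions chosen for the demo.

# image_split SOURCE PREFIX CHUNK_BYTES
# Reads SOURCE with dd (conv=noerror,sync: unreadable blocks are zero-filled
# instead of dropped, which keeps the image offsets intact), hashes the byte
# stream as it passes through a FIFO, and splits it into PREFIX.aa, PREFIX.ab,
# ... of CHUNK_BYTES each so every part stays under the 4 GB FAT limit. The
# stream's MD5 goes to PREFIX.md5 and dd's messages (read errors included) to
# PREFIX.ddlog.
# Caveat: with conv=sync a final partial block is padded to bs, so the image
# hash only equals a direct md5sum of the source when the source size is a
# multiple of bs (a disk is a multiple of 512 bytes; 64k need not divide it).
image_split() {
    src=$1; prefix=$2; chunk=$3
    fifo="$prefix.fifo"
    rm -f "$fifo"
    mkfifo "$fifo"
    # Reader side of the FIFO: hash whatever tee copies into it.
    md5sum < "$fifo" | awk '{print $1}' > "$prefix.md5" &
    dd if="$src" bs=64k conv=noerror,sync 2> "$prefix.ddlog" \
        | tee "$fifo" \
        | split -b "$chunk" - "$prefix."
    wait               # let the background md5sum finish writing PREFIX.md5
    rm -f "$fifo"
}

# verify_split PREFIX
# Reassembles the parts in order (the shell sorts the aa, ab, ... suffixes)
# and compares their MD5 with the one recorded at imaging time. Returns 0 on
# match and 1 on mismatch, so it can be used directly in a shell condition.
verify_split() {
    prefix=$1
    expected=$(cat "$prefix.md5")
    actual=$(cat "$prefix".?? | md5sum | awk '{print $1}')
    [ "$expected" = "$actual" ]
}
```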