dd file size limit exceeded
(@sjors)
Posts: 18
Active Member
Topic starter
 

I'm still at the basics of forensics and I'm trying to make a forensic copy from a virtual machine. My setup is

Backtrack vmware image
vmware image (suspect) (hda1)
extern hdd (hdb1)

I load the backtrack vm, then add an extra hdd in the settings and link it to the suspect image.

When I finally try to make a dd with the following command

dd if=/dev/hda of=/mnt/hdb1/susanne.dd conv=notrunc,noerror,sync

But when I reach 4GB I get the error "file size limit exceeded". This is probably because the external HDD has FAT; I tried to do it with NTFS but Backtrack isn't allowed to write on it.

I still want to dd the entire disk (16GB) but it seems it can't be done as 1 part, so I need to split it up. Though I have looked into the basic information on dd on this site, I didn't get exactly what to do. Could someone link an example of what I should do? My last question is: how can I show/compare the md5sum of the suspect disk if it will be cut into different parts?

 
Posted : 17/12/2008 11:10 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Two things

1. Why not pipe dd through split?

2. Why not open the vmdk file in FTK Imager and image it that way?

 
Posted : 17/12/2008 11:49 pm
(@celeryman)
Posts: 13
Active Member
 

FAT can't handle file sizes over 4GB, although I'm not sure if this is the problem. But I'm with keydet…just use FTK Imager.

 
Posted : 18/12/2008 1:04 am
(@sjors)
Posts: 18
Active Member
Topic starter
 

I know that is easier, but I just want to know a way to do it from Linux.
But I keep looking further )

 
Posted : 18/12/2008 1:22 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Well, first off, if all you have is a Linux boot CD, maybe you should have someone else respond.

To your original question, though…try piping the output of dd through split
http://pc-eye.blogspot.com/2008/02/linux-basics.html

 
Posted : 18/12/2008 2:11 am
(@adamd)
Posts: 46
Eminent Member
 

Are you using the ntfs-3g driver to mount the ntfs drive?

The standard kernel driver for NTFS is read only.

 
Posted : 18/12/2008 3:19 am
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

If you decide to try Windows instead of Linux, there are some suggestions in here: http://www.forensicfocus.com/downloads/virtual-machines-forensics-analysis.pdf

If you want to use Linux and have a problem getting dd to work, you can always use any of the various other Linux tools available, such as Linen or some of the imaging utilities on Helix, with which you can boot the VM directly to the CD and image it (provided you have an attached destination drive). Using Linux, you have to be aware of the limitations of file systems that aren't based on Linux.

And I vote with the others…FTK Imager is a wonderful app for many reasons, including taking care of your MD5 question )

 
Posted : 18/12/2008 4:33 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Excellent paper, Brett!

 
Posted : 18/12/2008 7:39 am
(@athulin)
Posts: 1156
Noble Member
 

I still want to dd the entire disk (16GB) but it seems it can't be done as 1 part, so I need to split it up. Though I have looked into the basic information on dd on this site, I didn't get exactly what to do. Could someone link an example of what I should do? My last question is: how can I show/compare the md5sum of the suspect disk if it will be cut into different parts?

For a hint, look at the description of 'skip=' in the dd man page. Or, as already noticed, use split instead.

If you md5sum the whole disk, then you need to cat(1) the parts together in the right order before you md5sum them again. As you are going to cat them together anyhow, wait until then.

 
Posted : 18/12/2008 5:45 pm
mstew
(@mstew)
Posts: 6
Active Member
 

Try this for dd:

dd if=/dev/hd[target] conv=noerror,sync bs=64k | split -b 2000m - /mnt/image_folder/image_name.dd.

Try this for dcfldd:
Physical
dcfldd if=/dev/hd[TARGET] conv=noerror,sync bs=64k hashwindow=0 hash=md5 hashlog=/mnt/test/hash.md5 | split -b 2000m - /mnt/test/image_folder/image_name.dd.
Logical
dcfldd if=/dev/hd[TARGET][PARTITION] conv=noerror,sync bs=64k hashwindow=0 hash=md5 hashlog=/mnt/test/hash.md5 | split -b 2000m - /mnt/test/image_folder/image_name.dd.

Make sure you have the period at the end of image_name.dd. (split uses it as the prefix for the part files).

ms

 
Posted : 18/12/2008 6:02 pm
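Worked example added by the editor, not code from the thread or its posters: the dd | split imaging mstew describes, with the MD5 of the byte stream taken while it is being split (what dcfldd's hashwindow=0 gives you) and athulin's cat-the-parts-in-order verification. It assumes GNU coreutils; a constructed 1 MiB file stands in for /dev/hda and a 256k chunk for split's 2000m so it runs offline.

```shell
#!/bin/sh
# Editor's example, not from the thread. Image a device through dd | split,
# hash the stream as it is split, then reassemble the parts in order and
# check the hash. The "disk" is a constructed file, not a real device.
set -eu

# image_split SRC PREFIX CHUNK
# dd streams SRC; tee sends one copy to md5sum through a FIFO (POSIX sh has
# no process substitution) and the other to split, which writes PREFIX.aa,
# PREFIX.ab, ... The MD5 of the whole stream is saved in PREFIX.md5.
image_split() {
    src=$1; prefix=$2; chunk=$3
    fifo="$prefix.fifo"; rm -f "$fifo"; mkfifo "$fifo"
    md5sum < "$fifo" | awk '{print $1}' > "$prefix.md5" &
    # conv=noerror,sync as in the thread: unreadable blocks become zeros so
    # offsets stay aligned; a source not a multiple of bs is zero-padded.
    dd if="$src" bs=64k conv=noerror,sync 2>/dev/null \
        | tee "$fifo" | split -b "$chunk" - "$prefix."
    wait
    rm -f "$fifo"
}

# verify_image PREFIX
# Cats the parts back together in order (the ?? glob sorts aa, ab, ...),
# hashes the rebuilt stream and compares it with the hash recorded at
# imaging time. Returns 0 on match, 1 on mismatch.
verify_image() {
    prefix=$1
    recorded=$(cat "$prefix.md5")
    rebuilt=$(cat "$prefix".?? | md5sum | awk '{print $1}')
    echo "recorded MD5: $recorded"
    echo "rebuilt  MD5: $rebuilt"
    [ "$recorded" = "$rebuilt" ]
}

# Constructed stand-in for the suspect disk: 1 MiB of random bytes, a whole
# number of 64k blocks so conv=sync adds no padding. Chunk size 256k gives
# four parts; on a FAT destination you would use a chunk under 4 GB.
work=$(mktemp -d)
dd if=/dev/urandom of="$work/disk.img" bs=64k count=16 2>/dev/null
image_split "$work/disk.img" "$work/image.dd" 256k
ls "$work"
verify_image "$work/image.dd" && echo "image verified"
```

Because the hash is taken from the same bytes split writes out, the recorded value is the hash of the reassembled image, not of any single part, which is why the parts must be cat'ed in order before comparing.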