DD image or actual disk size image

8 Posts
7 Users
0 Reactions
684 Views
kleanchap
(@kleanchap)
Active Member
Joined: 17 years ago
Posts: 19
Topic starter  

If I were given a 60GB hard disk from a laptop which has only 15GB allocated for the OS and the user data, then what will be the size of the DD image?

Will DD create the image of the 60GB or only 15GB?

I am trying to figure out the size of the extra disks that I may need to buy. Some computers have 300 GB disks. In corporate environment the disk size is in the terabytes. I want to be able to capture all the data.

Thank you for any input.


(@captainf)
Trusted Member
Joined: 17 years ago
Posts: 60
 

DD will image the whole disk from start to finish.

You can select to only do a certain byte count but I would definitely not recommend doing this as unused disk space could still contain data from a prior partition.


 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

If this were a legal case, I'd follow CaptainF's advice to the letter. If this is an incident response case and there's no chance of going to court or an internal use event, you can pipe the output of dd to compress and save some space. While this is a sound process and should be acceptable to the courts as well, explaining anything to a jury can be problematic. It's just not worth the few bucks to make saving the space worth it.


azrael
(@azrael)
Honorable Member
Joined: 19 years ago
Posts: 656
 

Depends on how you run dd really …

Assuming you are looking under Linux, you will have a disk of /dev/sda for example, then partitions of /dev/sda1, /dev/sda2 etc. So if you image the whole disk ( /dev/sda ) then you'll get 60GB, if you only image /dev/sda1 then you'll get 15GB.

You really want to get it all …


kleanchap
(@kleanchap)
Active Member
Joined: 17 years ago
Posts: 19
Topic starter  

I was afraid of that (in a way). It is true that there may be data elsewhere on the disk to accurately do the media analysis.

How long does DD take to create a 300GB disk image? (example question. an approximate answer would be fine)

Thank you everyone for your input!


(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

kleanchap,

'dd' will do what you tell it to do, nothing more, nothing less.

If you use syntax to acquire the physical device, that is what 'dd' will attempt to read in and write out.

If you use syntax to acquire the logical partition, that is what 'dd' will attempt to read in and write out.

With respect to speed, there are many variables that directly and indirectly affect the throughput. Without knowing your specs for the system(s) involved everything would be speculation.

Ask yourself, what variables directly affect the throughput? What variables indirectly affect the throughput?

Cheers!

farmerdude

http://www.onlineforensictraining.com

http://www.forensicbootcd.com

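The physical-versus-logical distinction azrael and farmerdude describe, and ddow's dd-piped-to-compression variant, as an added example that is not part of the thread. It builds a constructed disk file (1 MiB here stands in for 1 GB of the 60GB/15GB laptop disk; the partition offset, marker strings and paths are all made up) and images it with dd three ways so the resulting sizes, hashes and the leftover data outside the partition can be compared directly:

```shell
#!/bin/sh
# Added example, not from the thread. The "disk" is a constructed file standing in for
# /dev/sda; partition 1 (the /dev/sda1 analogue) occupies a fixed sector range inside it.
set -eu

WORK=$(mktemp -d)
DISK="$WORK/disk.img"          # constructed stand-in for the physical device
SECTOR=512
DISK_MIB=60                    # whole "disk": 60 MiB (scaled model of 60GB)
PART_START=2048                # partition 1 starts at sector 2048 (assumed layout)
PART_SECTORS=30720             # 30720 * 512 bytes = 15 MiB (scaled model of 15GB)
LEFTOVER_SECTOR=$((PART_START + PART_SECTORS + 100))   # unallocated space past the partition

size_bytes() { wc -c < "$1" | tr -d ' '; }

hash_of() {
  # sha256sum on GNU systems, shasum on BSD/macOS; the digest is the verification check
  if command -v sha256sum >/dev/null 2>&1; then sha256sum < "$1" | cut -d' ' -f1
  else shasum -a 256 < "$1" | cut -d' ' -f1; fi
}

make_disk() {
  # zero-filled disk with one marker inside the partition and a second marker in the
  # unallocated area beyond it (the "prior partition" residue captainf mentions)
  dd if=/dev/zero of="$DISK" bs=1048576 count=$DISK_MIB 2>/dev/null
  printf 'CURRENT-FILESYSTEM-DATA' | dd of="$DISK" bs=$SECTOR seek=$PART_START conv=notrunc 2>/dev/null
  printf 'OLD-PARTITION-LEFTOVER' | dd of="$DISK" bs=$SECTOR seek=$LEFTOVER_SECTOR conv=notrunc 2>/dev/null
}

# 1. physical device: dd reads from the first sector to the last -> 60 MiB
image_whole() {
  dd if="$DISK" of="$WORK/whole.dd" bs=$SECTOR 2>/dev/null
  echo "$WORK/whole.dd"
}

# 2. logical partition: equivalent to imaging /dev/sda1 -> 15 MiB
#    (skip/count select only the partition's sectors)
image_partition() {
  dd if="$DISK" of="$WORK/part.dd" bs=$SECTOR skip=$PART_START count=$PART_SECTORS 2>/dev/null
  echo "$WORK/part.dd"
}

# 3. whole device piped through gzip: still a full-disk image, smaller on the target disk
image_whole_compressed() {
  dd if="$DISK" bs=$SECTOR 2>/dev/null | gzip -c > "$WORK/whole.dd.gz"
  echo "$WORK/whole.dd.gz"
}

# does an image still hold the bytes that live outside the partition?
contains_leftover() { grep -a -q 'OLD-PARTITION-LEFTOVER' "$1"; }

make_disk
WHOLE=$(image_whole)
PART=$(image_partition)
GZ=$(image_whole_compressed)
gunzip -c "$GZ" > "$WORK/restored.dd"

printf 'whole-disk image:      %s bytes\n' "$(size_bytes "$WHOLE")"
printf 'partition-only image:  %s bytes\n' "$(size_bytes "$PART")"
printf 'gzip-compressed whole: %s bytes\n' "$(size_bytes "$GZ")"

# verification: the raw image and the decompressed image must hash identically to the source
if [ "$(hash_of "$DISK")" = "$(hash_of "$WHOLE")" ]; then echo "whole image: hash matches source"; fi
if [ "$(hash_of "$DISK")" = "$(hash_of "$WORK/restored.dd")" ]; then echo "decompressed image: hash matches source"; fi
if contains_leftover "$WHOLE"; then echo "whole image keeps the data outside the partition"; fi
if ! contains_leftover "$PART"; then echo "partition image does not contain it"; fi
```

On a real acquisition DISK would be the block device behind a write blocker, and the skip/count values for a partition come from its partition table rather than from constants; the point the thread makes holds unchanged: only the whole-device image carries the bytes outside the partition, and a hash of the image against the source is the check that the copy is complete, compressed or not.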
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

> I was afraid of that (in a way). It is true that there may be data elsewhere on the disk to accurately do the media analysis.

I would say that this is a judgement call more than anything. It is true that an image of the entire drive leaves no stone unturned. But when you start talking about drive capacities approaching a terabyte and RAID arrays of almost any size, an image of the logical device may be all that is practical or necessary.

Part of the decision as to what to do (when there are practical considerations), involves understanding the likelihood that the device may have been repartitioned or that the user had the ability to write to areas outside the file system.

Accurately estimating where to focus your efforts can be essential if you are under time constraints with respect to production or if the cost is prohibitively expensive.

I mention this only because there are few lasting absolutes in computer forensics. Not that long ago, "pull the plug" was the "standard" practice for seizing computer evidence. It isn't that simple, anymore.

Similarly, imaging a couple of terabytes may simply not be the best use of the investigator's time (and the client's money), if a targeted search is possible and likely to be productive.

By all means, image the entire device if you are under no constraints. But don't, necessarily, feel that you are doing the wrong thing if you decide only to image the partition/volume.

(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

> I would say that this is a judgement call more than anything. It is true that an image of the entire drive leaves no stone unturned. But when you start talking about drive capacities approaching a terabyte and RAID arrays of almost any size, an image of the logical device may be all that is practical or necessary.
>
> Part of the decision as to what to do (when there are practical considerations), involves understanding the likelihood that the device may have been repartitioned or that the user had the ability to write to areas outside the file system.
>
> Accurately estimating where to focus your efforts can be essential if you are under time constraints with respect to production or if the cost is prohibitively expensive.
>
> I mention this only because there are few lasting absolutes in computer forensics. Not that long ago, "pull the plug" was the "standard" practice for seizing computer evidence. It isn't that simple, anymore.
>
> Similarly, imaging a couple of terabytes may simply not be the best use of the investigator's time (and the client's money), if a targeted search is possible and likely to be productive.
>
> By all means, image the entire device if you are under no constraints. But don't, necessarily, feel that you are doing the wrong thing if you decide only to image the partition/volume.

That's an excellent post. Sometimes a dose of the 'real world' needs to be applied to this field.

You could say the 'rule' is: do what you think is right, as long as your reasoning is sound, you're able to justify your decision, and your contemporaneous notes are thorough.
