I have a 20 gig hard drive that I am trying to image. I have the hard drive hooked up to a hard drive caddy and plugged into a Linux box through a USB port. My first purpose is to copy the HD through DD. As soon as I plug the caddy into the Linux box it mounts it and I can browse through it. Obviously I want to browse the copy, not the original. The location is in /media/disk (though through a browser window it shows /media/sda1). If I run fdisk -l I get
Disk /dev/sda 20.0 GB 20020395520 bytes
255 heads, 63 sectors/track 2434 cylinders
Units = cylinders of16065 * 512 = 8225280 bytes
Device Boot Start End Blocks ID System
/dev/sda1 * 1 2433 19543041 c W95 FAT32 (LBA)
My question is: to image the drive, is this the correct command?
dd if=/dev/sda1 bs=512 of=/home/where_ever_I_want
Another question is, after I copy it I assume that I then have to mount it. Is there another (forensically sound) way to copy the data, since it's already mounted through the USB? I mean, is it okay to cd to the dir then cp * /home/where_ever_I_want?
Thank you for your help in advance.
Mark
If you want to copy the *disk* and not the partition you need
dd if=/dev/sda bs=512 of=/home/of/the/image.dd
You are correct for the partition …
You don't need the disk mounted to do this, in fact, I would consider it better not to … You may also want to consider what you are going to do with regard to checksums of images etc.
I'm not sure that I understand the second question …
Once you have mounted the image (RO - of course :-) ), the files in the mount space are the same as they were on the original media. If you copy them out, you may well change some of the details of timestamps/ownership/permissions etc. If you only want a copy of the file though - this will work fine …
Really depends what you are trying to achieve … Want to clarify for us ? 😉
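The unmounted imaging and checksum steps suggested in the reply above, sketched as an added example that is not part of the original thread. The function names `is_mounted`, `image_and_verify` and `verify_image` are made up for illustration, and a Linux host with `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): image a source and prove the copy matches.
# SRC is a block device such as /dev/sda (whole disk) or /dev/sda1 (partition).

# Succeeds if SRC, or any partition of it, is listed in /proc/mounts.
is_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v src="$1" 'index($1, src) == 1 { hit = 1 } END { exit !hit }' /proc/mounts
}

# Prints only the hex digest of a file or device.
sha256_of() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Copies SRC to IMG, compares digests, writes IMG.sha256, write-protects both.
# Prints the digest on success; returns 2 on refusal, 1 on failure or mismatch.
image_and_verify() {
    src=$1
    img=$2
    if is_mounted "$src"; then
        echo "refusing: $src is mounted, unmount it first" >&2
        return 2
    fi
    if [ -e "$img" ]; then
        echo "refusing: $img already exists" >&2
        return 2
    fi
    src_hash=$(sha256_of "$src")
    [ -n "$src_hash" ] || return 1
    dd if="$src" of="$img" bs=512 || return 1
    img_hash=$(sha256_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "MISMATCH: source $src_hash image $img_hash" >&2
        return 1
    fi
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"
    echo "$img_hash"
}

# Re-checks an image against its recorded digest at any later time.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null )
}
```

Called as `image_and_verify /dev/sda /home/of/the/image.dd`, it refuses to run while the caddy's partition is still auto-mounted; `verify_image` can be re-run before each examination of the copy.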
Azrael,
Thanks for your help. To be honest I am just learning new things on a hard drive. Practicing I guess you would say.
Mark
:-) No problem.
The other thing that occurred to me was, that rather than using cp to take a copy of the files, you would be better off using tar. So
cd /mnt/usb/directory/you/want/
tar -czpPvhwf /some/safe/directory/evidience.tar .
c = create archive
z = zip it up with gzip when done ( just saves space :-) )
p = preserve permissions
P = preserve path names - optional, of limited value, as you will have a different full path because of where you mounted it …
v = verbose
h = dereference - follow symlinks basically …
w = verify archive when done
When you restore
--atime-preserve = keeps the last access time the same
Have a look at the manual for 50 other options available 😉