I'm working on a PC using a Knoppix Linux Live CD, trying to image a 20GB FireWire drive (/dev/sda) to a master drive (/dev/hda1) using dd. I first tried to copy to the FAT32 target drive, but ran into the 4GB file limit issue. I then reformatted to NTFS (knowing that there are issues with writing to NTFS from Linux) and I couldn't get permissions - kept getting that dd was opening, but got a "permission denied". I tried all of the security options (sudo, chmod 666, etc.); nothing worked. Am I going to have to make five 4GB images on a FAT32? Is that really the best option here if I'm going to use dd? Has anyone successfully created a large (>4GB) image file on a FAT32 or gotten NTFS to work?
Any help would be appreciated…
A
I have to admit that I have not had much success with plain old dd and doing a large image, especially greater than 4GB, for the very reasons you describe. I have found it is a bit more reliable to spread the image out into 2GB chunks and send them to a FAT32 drive… The few times I did get it to go to an NTFS drive, it took forever as well. Now, I have had some better success with dcfldd, the DoD version of dd, that is a bit better suited for forensics. I don't know if it's included on the Knoppix CD, but it is definitely on the Helix (also based on Knoppix, but built specifically for forensics work) bootable CD. Get it at
Also, I have found it's a bit better to send it to an ext2 or ext3 formatted drive, and then do your analysis in Sleuthkit, or even FTK (if you prefer the Windows way) FTK will read an image from an ext2/3 formatted drive.
Bobby
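The chunked approach Bobby describes, as an added example that is not code from this thread: one pass of dd is split into pieces small enough for a FAT32 target while the whole stream is hashed, so the chunks can be verified before analysis. It assumes POSIX sh with dd, split, tee, mkfifo and sha256sum (or shasum); the device path and prefix are hypothetical.

```shell
#!/bin/sh
# Added example: chunked dd imaging with a whole-image hash.
# Usage (hypothetical paths): image_split /dev/sda 2000M /mnt/fat32/evidence
# writes evidence.aa, evidence.ab, ... (each <= 2000M, under FAT32's 4GiB
# file limit) plus evidence.sha256 holding the SHA-256 of the full stream.

sha256_of() {
    # Hash stdin; prefer sha256sum, fall back to shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# image_split SOURCE CHUNK_SIZE PREFIX
# Reads SOURCE exactly once: tee sends one copy to split and one copy,
# through a named pipe, to the hasher running in the background.
image_split() {
    is_src=$1; is_chunk=$2; is_prefix=$3
    is_fifo=$(mktemp -u) || return 1
    mkfifo "$is_fifo" || return 1
    sha256_of < "$is_fifo" > "$is_prefix.sha256" &
    # 1 MiB blocks; a plain integer keeps bs= portable across dd versions.
    dd if="$is_src" bs=1048576 2>/dev/null \
        | tee "$is_fifo" \
        | split -b "$is_chunk" - "$is_prefix."
    wait
    rm -f "$is_fifo"
    cat "$is_prefix.sha256"
}

# verify_chunks PREFIX
# Re-hashes the concatenated chunks and compares with the recorded hash;
# succeeds (exit 0) only if the image on the target is intact.
verify_chunks() {
    vc_prefix=$1
    vc_expected=$(cat "$vc_prefix.sha256") || return 1
    vc_actual=$(cat "$vc_prefix".?? | sha256_of)
    [ -n "$vc_expected" ] && [ "$vc_expected" = "$vc_actual" ]
}
```

Because split names the pieces in alphabetical order, `cat PREFIX.??` reassembles the image in the right order for tools that cannot read split images directly.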
Thanks Bobby. That's what I ended up doing. The image is on an ext2-formatted 80GB hard drive. I want to use FTK on a PC to do the analysis, but I'm not sure how to access the image on the ext2 drive as it's not showing up as a Windows-recognized drive.
Any ideas?
Thanks ahead.
A
Simplest way while staying in Windows: get Runtime Software's Captain Nemo. It's $90, will allow you to access ext2, ext3 and Novell partitions, and it comes in handy when you can't share a drive off of a Linux box.
Matt
Thanks. Actually I found a free one called Ext2IFS_1_10b.exe that does ext2 - not sure about ext3. I'm sure a Google search will reveal the site.