Hi All,
Just wondering how you guys would typically go about restoring a dd image to a new drive so that it appears as if it were the original drive (i.e. unallocated space is still present - a clone)? It looks like if I just do the "Export Files" feature in FTK Imager it will separate out into [root] [unallocated space] [orphan] folders which doesn't mimic the original.
Thanks in advance for the feedback!
Linux dd.
+1 for dd
I think it is a feature that is sorely missed by FTK Imager, I've reached for it a couple of times and fallen back on DD. EnCase can obviously restore E01's, I've never tried with a dd image.
Maybe Imager with that feature would be a bit too good for free, it would be nice tho, maybe a wiping feature too while they are making me happy !
Yeah, DD as it is a DD image would make the most sense.
Rob Lee Tweeted some exciting news from his preview of new Imager. Can mount images - that alone is great - can't wait to see the rest of the features.
That does sound very great
Under windows there are various ports of dd for windows, John Newbigin's
http//
and George Garner's FAU one
http//
The dsfok toolkit
http//
And a number of apps, a hopefully complete list is here
http//
jaclaz
Thanks for the info all! I've made a bunch of images in the past and analyzed them through FTK but never actually had the need to restore one until now. I guess I am not alone in thinking that this should be included in FTK Imager!
Looks like I will be going with dd command line moving forward. Thanks again, folks.
Hi Guys,
So I've been playing around with dd (the FAU version) and I'm a bit stumped as to how you go about extracting an image's contents using it. Here's what I did:
dd if=g:\image.001 of=H:\ bs=512 --localwrt --verify --cryptsum md5
Both the G and H drives are locally attached via USB. When I run this it simply copies over image.001 to the H drive. What am I missing here?
Thanks much.
WHY?
I mean without reading a bit the examples on the linked to pages or help/docs?
H:\
is NOT the same as
\\.\H:
You are anyway transferring the image to a partition, not to a disk.
What was the original image of?
jaclaz
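The same distinction for the Linux dd suggested earlier in the thread, as an added example that is not part of any post here: the image is written to the whole-disk device node, not to a path on its file system, and the bytes are read back and hashed. The function names and /dev/sdX are placeholders, GNU coreutils is assumed, and SHA-256 stands in for the md5 used in the command above.

```shell
#!/bin/sh
# Added example: restore a raw (dd) image onto a target and verify the result.
# TARGET should be a whole-disk node such as /dev/sdX (placeholder), not a
# partition (/dev/sdX1) and not a mounted path. A regular file also works,
# which allows a dry run before touching real hardware.

# Size in bytes of a block device or a regular file.
target_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# restore_image IMAGE TARGET
# Returns 0 when verified, 2 when the target is too small, 3 on hash mismatch.
restore_image() {
    img=$1
    target=$2
    [ -r "$img" ] || { echo "cannot read image: $img" >&2; return 1; }
    img_size=$(wc -c < "$img" | tr -d ' ')
    tgt_size=$(target_size "$target") || return 1
    # A target smaller than the image would receive a truncated restore.
    if [ "$tgt_size" -lt "$img_size" ]; then
        echo "target too small: $tgt_size < $img_size bytes" >&2
        return 2
    fi
    # notrunc: leave a regular-file target at its full length.
    # fsync: flush the written data to the medium before dd exits.
    dd if="$img" of="$target" bs=1M conv=notrunc,fsync || return 1
    # Compare the image hash with the same number of bytes read back.
    want=$(sha256sum < "$img" | cut -d' ' -f1)
    got=$(head -c "$img_size" "$target" | sha256sum | cut -d' ' -f1)
    if [ "$want" = "$got" ]; then
        echo "verified: $got"
    else
        echo "MISMATCH: image $want, target $got" >&2
        return 3
    fi
}
```

Any space on the target beyond the image length is left untouched, so a larger replacement drive keeps whatever it held there unless it was wiped first.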
Hi Jaclaz,
I did poke around a bit on the FAU link provided, but couldn't locate a complete "how to" document on there. I did review the contents of the dd help though. I noticed the "\\.\" prefix thrown in there on multiple sites but also noticed that there are slight variations between these windows releases - so I didn't know if it carried over to this FAU version. I'm willing to research and read up on things, but understand your frustration.
The original image is of an 80GB internal HDD which was a system drive w/ windows xp installed. So \\.\ is what tells dd to extract the image instead of copying?