2

I have a 100GB NTFS-formatted drive, and a 250GB external USB disk.

I am thinking of using a live disk, as is described here, except that I will skip the gzip part.

http://www.hanckmann.net/?q=node/19

I have enough space. I just want to back up EVERYTHING (including recoverable deleted files) for forensic purposes. That is why gzip is more of a nuisance in this case (I think).

Anyhow, if I use this command:

sudo dd if=/dev/hd_ > /mnt/hd__/image_name.dd

Will this save EVERYTHING, or just the healthy and existing directory structure?

Also, what is the easiest way to mount that image later on: A) Mac OS Leopard B) Windows XP / Vista / 7?

Free versions of software are preferred, but I will consider shelling out some $ if the product is amazing.

Thank you and Happy New Year!

Graham Wager
  • 12,007
Fantomas
  • 389

5 Answers

2

I would recommend the easiest thing you can do is simply to use Gparted, and do copy from the original partition and paste it to the USB drive.

When you click apply, it should do a 1:1 copy and work fine!

However, to your original question, I am not an expert using dd, but I would have thought you need...

sudo dd if=/dev/hd_ of=/mnt/hd__/image_name.dd

William Hilsum
  • 117,648
2

dd is the best way to do this. While the method you posted will technically work (when no output file is specified, dd sends the output to the shell), it would be better, as Wil says, to use sudo dd if=/dev/hdX of=/dev/hdY. Note that the disks could also show up as /dev/sdX. If you're not sure which disk is which, type sudo fdisk /dev/hdX, and press p to print the partition table for that device.

dd does a bit-by-bit copy, so it produces a forensically sound image, and any recoverable files will be there.

One of the best tools to mount the image on Windows that I've found is WinHex; it lets you browse it as a normal disk, and has some data recovery features. However, GetDataBack (NTFS) has much better recovery, and it can also access image files.

Dentrasi
  • 11,325
1

If you want to preserve the drive content for further forensic examination, I recommend EASEUS Disk Copy, a potent freeware providing sector-by-sector disk/partition clone regardless of your operating system.

And speaking of forensics, there's nothing better than WinHex; a 1 year personal license is pretty reasonable too (€39.41).

Since it is an NTFS partition, there's no reason why you shouldn't be able to mount it in Windows. However, I would not recommend it, because Windows may write information to the drive which may make forensic examination even harder; use WinHex from a BartPE CD/USB stick instead to avoid any writing.

0

I'm a bit surprised that nobody mentioned CloneZilla -- what doesn't it do that the OP needs?

Chris_K
  • 8,851
0

I'd note there's forensics-specific live CDs such as DEFT, and forensic dd variants such as dcfldd. Don't forget to do checksums too. As far as methods go, there's a good book by Mandia and Prosise, I believe, that covers most of the process.

OS X should mount images with the loop command. Windows needs additional software; FileDisk comes to mind, but there's probably easier alternatives.

Journeyman Geek
  • 133,878
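The dd imaging Dentrasi describes, combined with the checksum step Journeyman Geek recommends, as an added example that is not from any answer on this page. It runs against a constructed 1 MiB sample file so it needs no root; on a real system the source would be the block device (e.g. /dev/sdX) and the image would go on the external disk.

```shell
#!/bin/sh
# Added example, not from any answer on this page: image a device with dd,
# then verify the copy by hashing both the source and the image. The sample
# "disk" below is constructed so the script runs without root or real hardware.

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# image_and_verify SRC IMAGE
# Prints "ok" when the image hashes the same as the source, "MISMATCH" if not.
# Also writes IMAGE.sha256 so the hash travels with the evidence file.
image_and_verify() {
    src="$1"; img="$2"
    # bs=512 matters: conv=sync pads a short final read up to bs with zeros,
    # so a larger bs would silently grow the image and break the hash.
    # conv=noerror keeps dd going past unreadable sectors instead of aborting.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    if [ "$src_hash" = "$img_hash" ]; then
        echo ok
    else
        echo MISMATCH   # only expected when dd hit read errors (zero-filled sectors)
    fi
}

# Constructed sample "disk": 2048 random sectors of 512 bytes (1 MiB).
make_sample_disk() {
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}

# Demo run in a scratch directory.
demo() {
    work=$(mktemp -d)
    make_sample_disk "$work/sample.disk"
    image_and_verify "$work/sample.disk" "$work/sample.dd"   # prints: ok
    # To examine a partition inside the image without touching it (Linux, needs root):
    #   mount -o ro,loop,offset=$((START_SECTOR*512)) sample.dd /mnt/evidence
    # where START_SECTOR is the partition's start sector from `fdisk -l sample.dd`.
    rm -rf "$work"
}

demo
```

Rehash the image before each examination and compare against the .sha256 sidecar; a changed hash means something wrote to the evidence file.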