Okay, as the subject suggests I'm struggling with some simple forensic type stuff. First, a little background.

So its christmas, and for a little extra cash I'm working on an old school friend's external hard drive, the usual data recovery and transfer. The people at either his company or University tech desk couldn't help him, but that meant nothing to me so I jump in.

Very simple problem, the disk has just started to die, essentially, the disk's SMART stuff is screaming at me, files taking too long to read, etc., so I use

to make a dump. This is pretty standard stuff. The problem is that 130gig into about 200gig of data, the disk goes kersplunk. We're talking the full set of funny clicks, not showing up, funny smells etc.

So I do my best, tell the guy I could only recover 130gig, use
to put it on the new one.

Only thing is, not recognised properly. So have I either tried to use dd in a context where something better should have been used? Have I lost valuable information I needed in the last part of the filesystem? And if so, where can I find this? Is there a tool similar to diff that will handle hex files? I'm trying to work out similarities at the start and end of the file systems, but of course with binary files, you get the ever so helpful

Thanks a lot, any help appreciated

http://docs.freebsd.org/info/diff/diff.info.Binary.html
... diff on binary files, you can force diff to treat them as text, but the line-by-line comparison is usually meaningless.

http://ubuntuforums.org/archive/index.php/t-346238.html
... hex comparitors

But you may like this one better:
http://linuxappfinder.com/package/vbindiff

It sounds like you have an incomplete dd image there.
You really need to run forensics tools on the resulting file.
http://www.forensicswiki.org/wiki/Linux

Thats fantastic, off the top of your head, could you recommend any specific tool? I've only ever used foremost, but as I remember, it is limited to about 2 or 3 gig files. Would scalpel do the trick? Or is that limited too?

Cheers

From the head to the scaple.conf file:
Can you mount the image file you created rather than the disk to which you moved the image? (My thought is that the partition table in the image may not be compatible with the geometry of the HD to which you copied it.)

If you're using ext3 I highly recommend ext3grep. It's fairly new, far from perfect, but its quite impressive (if you're using ext3).

Also remember you don't need to actually dd the file out to a new drive, you can just mount the file itself as loopback.

I also recommend you make a backup of the actual dump to work with, nothing like having your image becoming corrupt while you're working on it.

As one of the above posters mentioned, I think the problem is that you are trying to replicate a failing drive. Not a good idea. First of all, I would have used dd_recover, and second, work with the dd file as a filesystem and do not try to write it onto a drive block for block. Pull out what is needed and write it somewhere, but I would not write every single block onto another drive. As they said, partition table, etc. is gonna be all borked. Just get your files out. x2 on the ext3grep if you know what you're doing somewhat.