LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   Mirroring Hardrives with "dd" (forensics / security question) (https://www.linuxquestions.org/questions/linux-security-4/mirroring-hardrives-with-dd-forensics-security-question-381818/)

Mainframe 11-10-2005 11:33 AM
Mirroring Hardrives with "dd" (forensics / security question)
 
Quick and simple question regarding how to make a bit image copy of one hard drive for another for forensic analysys

Im farmiliar with the linux / unix utility "dd" which stands for DataDump.

If your drives are the same size and same geometry you can use this simple command to make a bit image (exact replica) of the original drive to use for backups, forensics etc.

dd if=/dev/hdc of=/dev/hdd

if - input file
of - output file

my quesiton is what if the drive you have is smaller then the source drive? ie
/dev/hdc is a 40Gig drive but /dev/hdd is a 30Gig drive??

can the drive still be copied and be expected to work just the same as the original? or will some of the data just not get copied because there is not enough physical space on the drive??

ive googled dd may times now and cant really find any "practical" dd howto's or
drive mirroring with linux howto's, dd documentation is scarce
but I will continue googling until i come up with something.

If anyone has any experience with dd I would love to pick your brain

cheers

p.s - dd is just as good as "Norton ghost" or all those other drive mirroring / copying programs out there and ofcourse, dd is FREE

slue

free_ouyo 11-10-2005 01:57 PM
Mirroring Hardrives with "dd" (forensics / security question)
 
Hello,

Don't understand, follow the question.

If you want to create a forensic image of the source HD, you need at least a destination HD with the same size.
If the destination HD is smaller, you will lose some of the datas on the source drive. Also, if you want to create a forensic image of the HD, you have to verify the copy using MD5 or best SHA1.

Some dd derivated are best designed for forensic imaging dd_rescue, sdd ....

If you only want a forensic copy or backup and don't have to run the OS on the HD, you can compress the destination of the dd into a file with gzip or bzip.

Let me know if you need more info.
--
free_ouyo

int0x80 11-11-2005 07:25 AM
It will copy as much as possible to the destination drive. My 180 gb hdd was approaching its last day, so I wanted to make a back up before the bell tolled. The closest size drive I had was a 160 gb hdd. The files (and filesystem) made it over alright, but that is probably because there was only ~ 80 gb worth of data, and it occurred in the first 160 gb of the disk. In conclusion, give it a shot. The source drive will still be intact either way. Also hard drives with 40 gb (or more) are now fairly inexpensive. You could probably motivate yourself to go purchase a new drive.


All times are GMT -5. The time now is 02:24 PM.