Mirroring Hardrives with "dd" (forensics / security question)
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Mirroring Hardrives with "dd" (forensics / security question)
Quick and simple question regarding how to make a bit image copy of one hard drive for another for forensic analysys
Im farmiliar with the linux / unix utility "dd" which stands for DataDump.
If your drives are the same size and same geometry you can use this simple command to make a bit image (exact replica) of the original drive to use for backups, forensics etc.
dd if=/dev/hdc of=/dev/hdd
if - input file
of - output file
my quesiton is what if the drive you have is smaller then the source drive? ie
/dev/hdc is a 40Gig drive but /dev/hdd is a 30Gig drive??
can the drive still be copied and be expected to work just the same as the original? or will some of the data just not get copied because there is not enough physical space on the drive??
ive googled dd may times now and cant really find any "practical" dd howto's or
drive mirroring with linux howto's, dd documentation is scarce
but I will continue googling until i come up with something.
If anyone has any experience with dd I would love to pick your brain
cheers
p.s - dd is just as good as "Norton ghost" or all those other drive mirroring / copying programs out there and ofcourse, dd is FREE
Mirroring Hardrives with "dd" (forensics / security question)
Hello,
Don't understand, follow the question.
If you want to create a forensic image of the source HD, you need at least a destination HD with the same size.
If the destination HD is smaller, you will lose some of the datas on the source drive. Also, if you want to create a forensic image of the HD, you have to verify the copy using MD5 or best SHA1.
Some dd derivated are best designed for forensic imaging dd_rescue, sdd ....
If you only want a forensic copy or backup and don't have to run the OS on the HD, you can compress the destination of the dd into a file with gzip or bzip.
It will copy as much as possible to the destination drive. My 180 gb hdd was approaching its last day, so I wanted to make a back up before the bell tolled. The closest size drive I had was a 160 gb hdd. The files (and filesystem) made it over alright, but that is probably because there was only ~ 80 gb worth of data, and it occurred in the first 160 gb of the disk. In conclusion, give it a shot. The source drive will still be intact either way. Also hard drives with 40 gb (or more) are now fairly inexpensive. You could probably motivate yourself to go purchase a new drive.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
