RE: raw disk access

To: "viv" <viv@veeev.com>, "DebianSecurity" <debian-security@lists.debian.org>
Subject: RE: raw disk access
From: "Colin Ellis" <colin@solution-city.com>
Date: Wed, 8 Jan 2003 14:39:37 -0600
Message-id: <[🔎] LCEAKHPECJBPDEPHLMFGMEGDCAAA.colin@solution-city.com>
In-reply-to: <[🔎] 1042031969.6378.63.camel@cartman.veeev.net>

This may have something to do with the block size.  I'm not sure of the
default options for dd, but it does allow you to specify the size of blocks
you are copying.

Another thing to check is the options for padding blocks for newline
terminated records.  You might also need the 'noerror' option.

Good Luck :)

Colin
http://www.solution-city.com

-----Original Message-----
From: viv [mailto:viv@veeev.com]
Sent: 08 January 2003 07:19
To: DebianSecurity
Cc: Colin Ellis
Subject: RE: raw disk access


	Thanks to all for your quick replies.

	i thought originally that dd would work and tried to 'image'
	a couple of CDs, but they came out to different sizes although
	both were 650MB CDs.  The disk sizes differed by about 3 MB,
	so i assumed dd was missing something.  Imaging 2 floppies
	yielded different sized images as well.

	From the replies thus far, it seems that dd is exactly what i
	am looking for.  However, i am still at a loss to explain the
	differences in image sizes.  Does dd copy every bit from a
	device from start to finish, or does it skip / miss something
	somewhere?

	Thanks again.


On Wed, 2003-01-08 at 11:29, Colin Ellis wrote:
> The best that can be achieved is via 'dd'.
>
> however it is actually impossible to get _real_ raw disk access due to the
> disk IO controllers.  As far as I know, all disk IO controllers have
> automatic data correction etc and so do hard disks.  An accurate copy of
the
> surface of the disk cannot be gained by this method.
>
> Has anyone any ideas on whether it's possible to bypass the automatic
checks
> performed by the IO controllers?
>
> Colin
> Solution City Ltd
> http://www.solution-city.com
>
>
>
> -----Original Message-----
> From: viv [mailto:viv@veeev.com]
> Sent: 07 January 2003 21:08
> To: DebianSecurity
> Subject: raw disk access
>
>
> 	Hi.
>
> 	As a Debian user, i am posting to this list first in the hopes
> 	that what i am looking for can be found as a Debian package.
>
> 	i am looking for forensics tools that can be used in computer
> 	crime investigations, and am particularly interesting in a tool
> 	that provides raw drive (hard, floppy, CD, DVD, etc.) access in
> 	order to create complete and accurate drive images.
>
> 	If such a tool does not exist within Debian, is anyone aware of
> 	any application (GPLed, please) that does?  Failing that, i am
> 	willing to write my own tool, if necessary, and would appreciate
> 	any pointers to good reference material (raw drive access and
> 	how to work with the images created).
>
> 	If it helps, i am running with the latest 'unstable' packages.
>
> 	Many thanks.
>
> --
> viv <viv@veeev.com>
--
viv <viv@veeev.com>

Reply to:

References:
- RE: raw disk access
  - From: viv <viv@veeev.com>

Prev by Date: RE: TCP port 6352?
Next by Date: Can this be considered a DoS-attack?
Previous by thread: RE: raw disk access
Next by thread: Re: raw disk access
Index(es):
- Date
- Thread