Hi Shane,
> I am trying to image a Western Digital 40gb hard-disk, to be added
> into the Autopsy tool as evidence on a case I have manufactured.
> The drive is connected via USB as an external drive and being imaged
> to the internal hard-disk of a Ubuntu server.
> I have tried using:-
> dd if=/dev/sdg of=/home/sdg.dd bs=512
> dd if=/dev/sdg of=/home/sdg.dd bs=2048
> dcfldd if=/dev/sdg of=/home/sdg.dd
> md5sum /dev/sdg
> each command returns a different md5 hash.
dd doesn't return an MD5 hash. Do you mean you've done `md5sum
/home/sdg.dd' when dd finished? Odd they differ.
> I have repeated the md5sum command several times between running the
> other commands and the md5sum is consistent with this command, so I
> know the original disk is not being written to.
OK.
> the dd and dcfldd commands always return:
> "amount of files" +1 files in
> "same amount" +1 files out.
Can you be more precise? For a plain dd, it would be nice to know the
block size used and the two lines that say
    123546+1 records in
    123546+1 records out
The +1 is weird for a bs=512.
> The hashes match between device and image file on each occurrence but
> none match the result returned by the md5sum command.
I'm a bit confused here. A cut and paste of the commands done and
their output can often be easier than English. :-) You said at the top
/dev/sdg always md5sums to the same value, but now it seems you're
saying that /dev/sdg sometimes md5sums to the same as the just-made
image.
Can you create different image files? And then run cmp(1) on them to
see where they differ? Then hd(1) with its -n and -s option to inspect
an area starting there? That may give some idea of the nature of the
problem. cmp's -l option would let you know how long they differ for
too.
Cheers,
Ralph.
--
Next meeting: Bournemouth, Wed 2010-02-03 20:00
http://dorset.lug.org.uk/ http://www.linkedin.com/groups?gid=2645413
Chat: http://www.mibbit.com/?server=irc.blitzed.org&channel=%23dorset
List info: https://mailman.lug.org.uk/mailman/listinfo/dorset
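
The cmp/hd procedure suggested in the last paragraph of the message, as an added example that is not part of the original e-mail: it locates the first and last differing byte between two images, maps the first to a 512-byte sector, and dumps that area. The files a.dd and b.dd are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; a.dd and b.dd are constructed stand-ins for two images of one disk.

# Build two 8-sector (4096-byte) images in directory $1. b.dd gets four
# changed bytes at offset 1536, the first bytes of 512-byte sector 3.
make_samples() {
    dd if=/dev/zero of="$1/a.dd" bs=512 count=8 2>/dev/null
    cp "$1/a.dd" "$1/b.dd"
    printf 'ABCD' | dd of="$1/b.dd" bs=1 seek=1536 conv=notrunc 2>/dev/null
}

# Summarise where two images differ. `cmp -l` prints one line per differing
# byte ("N octal1 octal2", N counted from 1) and stops at the shorter file's
# end, so a size mismatch is reported separately.
diff_summary() {
    sa=$(($(wc -c < "$1"))); sb=$(($(wc -c < "$2")))
    [ "$sa" -eq "$sb" ] || echo "sizes differ: $sa vs $sb bytes"
    s=$(cmp -l "$1" "$2" 2>/dev/null |
        awk 'NR==1{f=$1} {l=$1} END{if (NR) print f, l, NR}')
    [ -n "$s" ] || { echo "no differing bytes"; return 0; }
    set -- $s
    echo "first=$(($1 - 1)) last=$(($2 - 1)) count=$3 sector=$(( ($1 - 1) / 512 ))"
}

# Hex dump LENGTH bytes of FILE from 0-based OFFSET: hd -s/-n where installed,
# otherwise POSIX od with the equivalent -j/-N.
dump_at() {
    if command -v hd >/dev/null 2>&1; then
        hd -s "$2" -n "$3" "$1"
    else
        od -A d -t x1 -j "$2" -N "$3" "$1"
    fi
}

tmp=$(mktemp -d)
make_samples "$tmp"
diff_summary "$tmp/a.dd" "$tmp/b.dd"
dump_at "$tmp/a.dd" 1536 16
dump_at "$tmp/b.dd" 1536 16
```

When count equals last - first + 1 the images differ in one contiguous run; a smaller count means scattered differences inside that range.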