RE: [sleuthkit-users] dd of entire HD
From: Altheide, C. B. <Alt...@nv...> - 2003-03-27 16:19:22
Even if there is only one partition on the drive, by dd'ing the entire physical drive, you're grabbing at least 63 sectors of extraneous (not-partition related) data at the beginning of the drive, and, depending on the OS/FS, some more at the end, after the logical partition ends. You'll need to follow the steps outlined in the previously posted Sleuthkit Informer to do anything useful with that image in Autopsy.

Cory Altheide
Computer Forensics Specialist
NCI Information Systems, Inc.
NNSA Cyber Forensics Center
alt...@nv...

> -----Original Message-----
> From: Eagle Investigative Services [mailto:in...@ea...]
> Sent: Thursday, March 27, 2003 7:31 AM
> To: sle...@li...
> Subject: RE: [sleuthkit-users] dd of entire HD
>
>
> I'm a little confused here.
>
> In the docs it says Autopsy will read a dd image.
>
> So what you guys are saying is that if I take a dd image
> of a drive, and have Autopsy look at that image, it can't
> see the whole thing?
>
> Do I need to split the drive into images matching the
> relative partitions first??
>
> What if there's only one partition on the drive?
>
> Thanks,
>
> Niall.
>
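Added example, not part of the original thread and not Sleuthkit or Autopsy code: a Python reading of the MBR partition table in sector 0 of a whole-disk dd image, listing each partition and the gaps around it (such as the 63 leading sectors mentioned in the reply) and the dd command that would carve each partition into its own image. It assumes 512-byte sectors and primary MBR entries only; the image name `disk.dd` is hypothetical and the sample MBR is constructed.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors

def parse_mbr(sector0):
    """Return the used primary partition entries from sector 0 of a disk image."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR signature (55 AA)")
    parts = []
    for slot in range(4):
        entry = sector0[446 + 16 * slot:446 + 16 * (slot + 1)]
        # boot flag, CHS start (skipped), type, CHS end (skipped), LBA start, length
        _boot, ptype, start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0 and count != 0:
            parts.append({"slot": slot + 1, "type": ptype, "start": start, "count": count})
    return parts

def layout(parts, total_sectors):
    """Account for every sector of the image: partitions plus the gaps around them."""
    plan, cursor = [], 0
    for p in sorted(parts, key=lambda p: p["start"]):
        end = p["start"] + p["count"]
        if end > total_sectors:
            raise ValueError("partition %d runs past the end of the image" % p["slot"])
        if p["start"] > cursor:
            plan.append(("gap", cursor, p["start"] - cursor))
        plan.append(("part%d" % p["slot"], p["start"], p["count"]))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        plan.append(("gap", cursor, total_sectors - cursor))
    return plan

def dd_commands(plan, image="disk.dd"):  # disk.dd is a hypothetical file name
    """One dd command per partition, carving it out of the whole-disk image."""
    return ["dd if=%s of=%s.dd bs=%d skip=%d count=%d" % (image, name, SECTOR, start, count)
            for name, start, count in plan if name != "gap"]

def sample_mbr(start=63, count=1000, ptype=0x83):
    """Constructed sample: an MBR with one partition beginning at sector 63."""
    entry = struct.pack("<B3xB3xII", 0x80, ptype, start, count)
    return bytes(446) + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    plan = layout(parse_mbr(sample_mbr()), total_sectors=1100)
    for name, start, count in plan:
        print("%-6s start=%-5d sectors=%d" % (name, start, count))
    print("\n".join(dd_commands(plan)))
```

On a real image, pass the first 512 bytes of the file to `parse_mbr` and the file size divided by 512 as `total_sectors`; work on a copy of the acquired image, not the original.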