Re: [sleuthkit-users] Extracting partions from dd image

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 422-6466

I was just reviewing some of the list archives, and found this message
curious....

On Wednesday, March 31, 2004, Brian Carrier wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>=20
>=20
> On Mar 31, 2004, at 12:26 PM, Eagle Investigative Services, Inc. wrote:
>=20
>> Brian,
>>
>> The process of dd'ing out the partition worked for only one image=20
>> file, and
>> not for the three others.  All 4 image files were dd'd the same way.
>=20
> Which one worked?  The first one or one of the latter ones?
>=20
>> So what I did was try starting at 63 and 62, and tried ending at one=20
>> more
>> than the end point and none of these options worked.
>=20
> It could be that the file system is corrupt.  The first partition of=20
> almost every disk starts at sector 63, so that shouldn't be a problem. =
=20
> Make sure you are using the original disk image and not one of the=20
> partition images as input.  Also make sure that the 'bs=3D' value for=20
> 'dd' is set to 512.

Was wondering if you could explain why it is important to make the bs
value 512? I know this is the usual disk block size, but why would
that matter as long as DD appends what it writes out sequentially to
what was last written?

TIA,

Lisa.

>=20
> Send an 'xxd' output of the first sector of the partition image if=20
> nothing else works:
>=20
> dd if=3Dpart-img.dd count=3D1 | xxd
>=20
>=20
> brian
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
>=20
> iD8DBQFAaxhQOK1gLsdFTIsRAonLAJ9AmeJM39h41j70Tp/d3r+KEDZBXQCgiH1A
> 7B2rcrJZ4CFtlOkX9uD5uyI=3D
> =3DKkb7
> -----END PGP SIGNATURE-----
>=20
>=20
>=20
> -------------------------------------------------------
> This SF.Net email is sponsored by: IBM Linux Tutorials
> Free Linux tutorial presented by Daniel Robbins, President and CEO of
> GenToo technologies. Learn everything from fundamentals to system
> administration.http://ads.osdn.com/?ad_id=3D1470&alloc_id=3D3638&op=3Dcli=
ck
> _______________________________________________
> sleuthkit-users mailing list
> https://lists.sourceforge.net/lists/listinfo/sleuthkit-users
> http://www.sleuthkit.org
>