Use dd with compression, please advise


Re: Use dd with compression, please advise

Posted: Wed Oct 11, 2017 5:03 am

Hi,

Just removing the 'noerror' option works like a charm... I had no problem storing the file, and no problem restoring.

This is the 'formula' I've used, where "z:" is a mapped network drive:

dd -v if=\\.\Physicaldrive0 of=z:\myfile.img conv=comp --localwrt
dd -v if=z:\myfile.img.gz of=\\.\Physicaldrive0 conv=decomp --localwrt

This 'dd' is quicker than using a combination of dd + 7zip, especially for restore times.

Best Regards

pmico
Newbie

    Re: Use dd with compression, please advise

    Posted: Wed Oct 11, 2017 9:00 am

    - pmico
    Hi,

    Just removing the 'noerror' option works like a charm... I had no problem storing the file, and no problem restoring.


    Hmmm.
    It may depend on situations, the \\.\PhysicalDrive0 normally is the boot disk and as such is in use, it would be needed to know your exact configuration and the exact OS involved to be sure (if you booted from a PE of some kind based on 7 or later then probably the \\.\PhysicalDrive0 is accessible just fine anyway as it contains no boot/system volumes and the PE is booted from CD/DVD or from a USB stick that becomes \\.\Physicaldrive1, and besides GPT disks may behave differently from MBR).

    Still, JFYI, what you tested is not a confirmation of *anything*.

    Mind you, not that it didn't work (most probably it did), only your testing procedure does not guarantee it worked.

    The procedure should be:
    1) make a dd image of the physicaldrive
    2) make some changes to the physicaldrive contents (or wipe it)
    3) restore the dd image taken in #1
    4) make a new dd image of the physicaldrive
    5) compare the images in #1 and #4

    - pmico

    dd -v if=\\.\Physicaldrive0 of=z:\myfile.img conv=comp --localwrt
    dd -v if=z:\myfile.img.gz of=\\.\Physicaldrive0 conv=decomp --localwrt


    In the first line the --localwrt should not be needed.


    jaclaz


    - In theory there is no difference between theory and practice, but in practice there is. - 

    jaclaz
    Senior Member
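
The five-step check in the reply above ends with comparing image #1 and image #4. As an added example (not code from the thread), this Python script compares two images by their decompressed content, assuming the tool's conv=comp output is gzip, as the .gz name suggests. Comparing the compressed files byte for byte can report a difference even when the disk contents match, because a gzip header may carry a timestamp and a file name.

```python
import gzip
import hashlib

CHUNK = 1 << 20  # read 1 MiB at a time so whole-disk images never sit in memory

def open_image(path):
    """Open an image; decompress transparently when it starts with the gzip magic."""
    with open(path, "rb") as f:
        magic = f.read(2)
    return gzip.open(path, "rb") if magic == b"\x1f\x8b" else open(path, "rb")

def read_full(stream, n):
    """Read exactly n bytes unless EOF is reached (guards against short reads)."""
    parts = []
    while n > 0:
        block = stream.read(n)
        if not block:
            break
        parts.append(block)
        n -= len(block)
    return b"".join(parts)

def compare_images(path_a, path_b):
    """Hash both images' contents and report the first differing byte offset."""
    h_a, h_b = hashlib.sha256(), hashlib.sha256()
    size_a = size_b = 0
    first_diff = None
    with open_image(path_a) as a, open_image(path_b) as b:
        while True:
            ca, cb = read_full(a, CHUNK), read_full(b, CHUNK)
            if not ca and not cb:
                break
            if first_diff is None and ca != cb:
                common = min(len(ca), len(cb))
                # a length mismatch with equal prefix counts as a diff at 'common'
                i = next((k for k in range(common) if ca[k] != cb[k]), common)
                first_diff = size_a + i
            h_a.update(ca)
            h_b.update(cb)
            size_a += len(ca)
            size_b += len(cb)
    return {"identical": first_diff is None, "first_diff": first_diff,
            "size_a": size_a, "size_b": size_b,
            "sha256_a": h_a.hexdigest(), "sha256_b": h_b.hexdigest()}

if __name__ == "__main__":
    import sys
    print(compare_images(sys.argv[1], sys.argv[2]))
```

Run it with the two image paths as arguments; recording the two SHA-256 values alongside the images documents the result of step 5.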