Farmerdude,

Here are the results of the commands you suggested:

blkid:
/dev/sda1: UUID="D08405CF8405B94C" TYPE="ntfs"
/dev/sda2: UUID="423B-2BDF" TYPE="vfat"

fdisk:

Disk /dev/sda: 40.0 GB, 40007761920 bytes
255 heads, 63 sectors/track, 4864 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x4b36bdea

Device Boot Start End Blocks Id System
/dev/sda1 * 463 4863 35351032+ 7 HPFS/NTFS
/dev/sda2 1 462 3710983+ b W95 FAT32

Partition table entries are not in disk order

While I don't have a usb or firewire drive I can use to clone to directly, I do have an external harddrive enclosure for a laptop drive, so I will be pulling the drive from the laptop and connecting it to my forensics workstation using the enclosure.

I will try cloning the entire drive instead of just the ntfs partition also.

Thanks for the tips.

-----Original Message-----
From: farmerdude [mailto:subscribe (at) crazytrain (dot) com [email concealed]]
Sent: Friday, August 08, 2008 6:40 PM
To: DON.RAIKES (at) ORACLE (dot) COM [email concealed]
Cc: focus-linux
Subject: Re: problems cloning a hard drive with dcfldd

Don,

Can you provide the output of these commands issued from the laptop
system;

fdisk -l

blkid /dev/sda*

Instead of blowing across the network, are you able to attach a firewire
or USB hard drive to the laptop and blow your acquisition file via one
of those ports locally?

Also, based on your dcfldd command, you know that you are acquiring only
the first partition on the physical device, /dev/sda, yes?

If you want the physical device, remove the number from your command.
If you want only the partition continue on with your command then!

Cheers!

farmerdude

http://www.forensicbootcd.com

http://www.onlineforensictraining.com

[ reply ]