using knoppix for forensic (serious question)

**ElGuap0** · 04-16-2003, 01:24 AM

Hello;

Any assistance will be appreciated.

I have knoppix running from a cd. I'd like to image a IDE hd. I have 2 hds in the system. the one I want to image and a blank one. I'm a bit familiar with the dd utility to image a drive but I need a little hand holding.

If the drive is say a 40 gig hd and i know that only about 6 gigs are used can I image the drive to a blank hd of 10 gig? If so what are the step - commands etc.

will the dd tool also image deleted files and slack space?

Once I've created an image using the dd tool on the target drive I want to perform some tests (i.e. like recover deleted files - I have a tool to do this and intent to use Win2K with this tool against the imaged drive.) What do I have to do to make or unimage the hd or can I just perform the dd image from one drive to another?

I'm getting a bit lost now. But if there is a good url with this information (step by step) I'd be most appreciative. Otherwise someone with a bit of patience would help.

Thanks

**rickenbacherus** · 04-16-2003, 01:33 AM

If you're using Knoppix 3.2 then there is a tool called 'partimage' already included. You can find it here: Kmenu>System>partimage

This might be useful for what you wish to accomplish. It can image a drive but will not make an exact mirror, it only copys actual data. Here is the partimage web site:
http://www.partimage.org/

**MattT** · 04-16-2003, 04:09 AM

This is a good page for learning about forensics in Unix:
http://www.crazytrain.com/papers.html
At the bottom of the page is an article about using dd.

**rickenbacherus** · 04-17-2003, 06:47 PM

Interesting forensics site:
http://www.atstake.com/research/tools/task/

**Peter** · 04-18-2003, 10:50 PM

I don't think partimage is a good idea for forensics because it understands ext2 and other file systems and I believe it only backs up the data and not the empty space.

You're probably better off with dd, and piping that across the network if you must (but to a local hard drive would be better).

Make sure you boot with the "noswap" option, otherwise, Knoppix could try to use a swap partition it finds on the hard drive that you are responsible for protecting.