In the past I had only used dd sparingly. I knew that it has great potential, but I hadn't really used it a whole lot. This weekend I had a great reason to use it. The application was simple: create an image of a hard drive. Here's the command I used.
crsvcs-techlap01-3:Forensics hartzd$ dd if=/dev/disk1 of=/Users/hartzd/Desktop/Forensics/drive-20090913-1900.dmg conv=noerror,sync
1024000+0 records in
1024000+0 records out
524288000 bytes transferred in 92.648891 secs (5658870 bytes/sec)
The original plan was to image an old hard drive that was in my external laptop enclosure. Unfortunately, the external hard disk was the same size as my internal disk. So, time for plan B. I decided to use my wife's USB drive instead. Which is great, because I had no idea what was on it. The funny thing was it turned out to be my old thumb drive that I lost a while back. Score!
Anyways, the result was nice. I was able to create a dmg image that can be mounted and examined. I never tried to recover any deleted files off of the drive, as the only applications I've ever used were Windows executables. (Suggestions?) I did find a site with some OS X tools (http://www.macosxforensics.com) and was able to take a look at the drive image through a hex editor. Although I was only able to pick up bits and pieces of files on the disk.
To be continued with any analysis of this drive. . .
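The dd command above uses conv=noerror,sync, which pads short or unreadable blocks with zeros, so an image can end up longer than its source and a whole-file hash will not match. As an added example (not from the original post), this script verifies an image by hashing only the source-length prefix; the function names, file names and the constructed 1000-byte source standing in for /dev/disk1 are assumptions.

```shell
#!/bin/sh
# Added example: image a source with the post's dd flags, then verify the copy.

sha256_of() {   # SHA-256 of stdin (sha256sum on Linux, shasum on macOS)
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

make_image() {  # make_image SRC IMG [BLOCKSIZE]; same conv flags as the post
    dd if="$1" of="$2" bs="${3:-512}" conv=noerror,sync 2>/dev/null
}

verify_image() {  # verify_image SRC IMG; returns 0 only if the data matches
    src_len=$(wc -c < "$1" | tr -d ' ')
    img_len=$(wc -c < "$2" | tr -d ' ')
    # A truncated image can never be a faithful copy.
    [ "$img_len" -ge "$src_len" ] || return 1
    # conv=sync pads each short or failed read to a full block with NULs,
    # so compare only the first src_len bytes of the image.
    src_hash=$(sha256_of < "$1")
    img_hash=$(head -c "$src_len" "$2" | sha256_of)
    echo "source=$src_len image=$img_len padding=$((img_len - src_len))"
    [ "$src_hash" = "$img_hash" ]
}

# Demo on a constructed 1000-byte source (deliberately not a multiple of 512).
tmp=$(mktemp -d)
yes 'constructed sample' | head -c 1000 > "$tmp/src.bin"
make_image "$tmp/src.bin" "$tmp/img.dmg"
verify_image "$tmp/src.bin" "$tmp/img.dmg" && echo "image verified"
```

On a real device, record the source hash at acquisition time and keep it with the image, since the device may not be available for re-reading later.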