


#Prodiscover basic copy image file windows
Historically, nearly every Linux/UNIX distribution has included a command known as dd (disk-to-disk). Its purpose was to make a bit-by-bit copy of any file, drive, or partition. The basic dd syntax looks something like this:

    dd if=/dev/sda2 of=/dev/sdb2 bs=512

This would create a bit-by-bit copy of sda2 to sdb2 using a block size of 512 bytes. There are many options for dd, but one of the most commonly used is noerror, which is passed as a conv= value. When we use the noerror option, dd will not terminate when it encounters errors, so then our command would look like this:

    dd if=/dev/sda2 of=/dev/sdb2 bs=512 conv=noerror

Although most Linux distributions include dd, several variations have been developed and enhanced that make our forensic image acquisition process easier. Nearly every image acquisition tool out there, whether for Windows or Linux, is a variation on dd.
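As an added example (not from the original page), the script below images a source with dd using noerror and then checks with SHA-256 that the copy is bit-identical, the property a forensic image needs. The function names and paths are hypothetical, sync is added alongside noerror, and the source is a constructed sample file rather than a real partition.

```shell
#!/bin/sh
# Added example (not from the original page). Function names and paths are
# hypothetical; the "evidence" is a constructed 4-sector file, not a real disk.

sha256_of() {
    # Print only the hex digest of a file or block device.
    sha256sum "$1" | awk '{print $1}'
}

acquire_image() {
    # $1 = source (e.g. /dev/sda2), $2 = destination image file.
    # Record the source digest first, then copy. noerror keeps dd running
    # past read errors; sync pads a short or failed read to a full block so
    # every later sector stays at its original offset in the image.
    sha256_of "$1" >"$2.src.sha256" || return 2
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.log" || return 2
    verify_image "$2"
}

verify_image() {
    # Succeeds only while the image hashes to the recorded source digest.
    [ "$(sha256_of "$1")" = "$(cat "$1.src.sha256")" ]
}

demo() {
    work=$(mktemp -d) || return 1
    # Constructed sample input: 4 sectors (2048 bytes) filled with 'A'.
    dd if=/dev/zero bs=512 count=4 2>/dev/null | tr '\0' 'A' >"$work/evidence.bin"
    acquire_image "$work/evidence.bin" "$work/evidence.dd" || return 1
    echo "image verified: $(cat "$work/evidence.dd.src.sha256")"
    # Overwrite one byte of the image; verification must now fail.
    printf 'X' | dd of="$work/evidence.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    if verify_image "$work/evidence.dd"; then status=1; else status=0; fi
    [ "$status" -eq 0 ] && echo "altered image rejected"
    rm -rf "$work"
    return "$status"
}

demo
```

On a source with unreadable sectors, sync fills the failed blocks with zeros, so the dd log written beside the image is the record of which reads failed.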
#Prodiscover basic copy image file software
If you have a background as a system or network admin, you have probably done system backups. These are simple copies of the operating system, applications, and data to a hard drive, or sometimes, to tape. Unfortunately, such a copy won't work for us, the forensic investigator. What we need is a bit-by-bit copy of the hard drive or memory that does not alter a single bit of information. Any software that we might use to transfer the image will alter that image, and we can't have that and still present it in a court of law.
