Announcement

Collapse
No announcement yet.

Creating a dd image as opposed to .img

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Creating a dd image as opposed to .img

    How do I create a bit stream image of a disk in .dd format?

    I use Prodiscover as well and and imaged the same disk with both softwares. The big problem being the hash values did not match.

  • #2
    Disabling Shadow volume solved the the hashing issue, so they match in value, but I'm still puzzled why OSForensic does not let me image to dd?

    Originally posted by renx215 View Post
    How do I create a bit stream image of a disk in .dd format?

    I use Prodiscover as well and and imaged the same disk with both softwares. The big problem being the hash values did not match.

    Comment


    • #3
      Was this a disk that was mounted in Windows and not write protected? Might there have been some write activity going on while the imaging was taking place?

      As far as I know .IMG and .DD are both just raw images of the disk. The format is the same.

      You should be able to rename the .IMG file to .DD if you want an disk image called xxxx.dd

      Comment


      • #4
        They were not write protected, but in that case why did clicking disable shadow volume provide the same md5 value as in prodiscover?

        Also, just now I used the registry write blocker, and it will only allow for a direct sector copy.
        However, write blocked, both pieces of software did provide the same hash value

        Originally posted by David (PassMark) View Post
        Was this a disk that was mounted in Windows and not write protected? Might there have been some write activity going on while the imaging was taking place?

        As far as I know .IMG and .DD are both just raw images of the disk. The format is the same.

        You should be able to rename the .IMG file to .DD if you want an disk image called xxxx.dd
        Last edited by renx215; 05-23-2012, 12:40 PM.

        Comment


        • #5
          Hard to be sure without examining the situation and steps take in fine detail.
          Could be that something was written to the disk between taking the images using the various methods.

          Using shadow copy is normally only required when taking an image of the live drive. e.g. your active boot drive. Using shadow copy means you can avoid hitting file locks from open files and it tracks all the writes to the disk to leave you with a non-corrupted copy of the disk even though the disk was being written to while the imaging was taking place.

          If you are taking an image of a secondary drive which as no activity on it, then shadow copy should not be required. The problem with Windows however is that there is a lot of stuff that happens in the background. Drives might be updated without you knowing it. (e.g. last access times on files).

          Comment

          Working...
          X