Shopping cart    |      
Home » Forums
Results 1 to 5 of 5

Thread: Creating a dd image as opposed to .img

  1. 05-23-2012, 12:07 AM #1
    renx215
    renx215 is offline Junior Member
    Join Date
    May 2012
    Posts
    4

    Default Creating a dd image as opposed to .img

    How do I create a bit stream image of a disk in .dd format?

    I use Prodiscover as well and and imaged the same disk with both softwares. The big problem being the hash values did not match.
    Reply With Quote Reply With Quote
  2. 05-23-2012, 12:35 AM #2
    renx215
    renx215 is offline Junior Member
    Join Date
    May 2012
    Posts
    4

    Default

    Disabling Shadow volume solved the the hashing issue, so they match in value, but I'm still puzzled why OSForensic does not let me image to dd?

    Quote Originally Posted by renx215 View Post
    How do I create a bit stream image of a disk in .dd format?

    I use Prodiscover as well and and imaged the same disk with both softwares. The big problem being the hash values did not match.
    Reply With Quote Reply With Quote
  3. 05-23-2012, 05:23 AM #3
    David (PassMark)'s Avatar
    David (PassMark)
    David (PassMark) is offline Administrator
    Join Date
    Jan 2003
    Location
    Sydney Australia
    Posts
    4,143

    Default

    Was this a disk that was mounted in Windows and not write protected? Might there have been some write activity going on while the imaging was taking place?

    As far as I know .IMG and .DD are both just raw images of the disk. The format is the same.

    You should be able to rename the .IMG file to .DD if you want an disk image called xxxx.dd
    Reply With Quote Reply With Quote
  4. 05-23-2012, 12:24 PM #4
    renx215
    renx215 is offline Junior Member
    Join Date
    May 2012
    Posts
    4

    Default

    They were not write protected, but in that case why did clicking disable shadow volume provide the same md5 value as in prodiscover?

    Also, just now I used the registry write blocker, and it will only allow for a direct sector copy.
    However, write blocked, both pieces of software did provide the same hash value

    Quote Originally Posted by David (PassMark) View Post
    Was this a disk that was mounted in Windows and not write protected? Might there have been some write activity going on while the imaging was taking place?

    As far as I know .IMG and .DD are both just raw images of the disk. The format is the same.

    You should be able to rename the .IMG file to .DD if you want an disk image called xxxx.dd
    Last edited by renx215; 05-23-2012 at 12:40 PM.
    Reply With Quote Reply With Quote
  5. 05-23-2012, 11:09 PM #5
    David (PassMark)'s Avatar
    David (PassMark)
    David (PassMark) is offline Administrator
    Join Date
    Jan 2003
    Location
    Sydney Australia
    Posts
    4,143

    Default

    Hard to be sure without examining the situation and steps take in fine detail.
    Could be that something was written to the disk between taking the images using the various methods.

    Using shadow copy is normally only required when taking an image of the live drive. e.g. your active boot drive. Using shadow copy means you can avoid hitting file locks from open files and it tracks all the writes to the disk to leave you with a non-corrupted copy of the disk even though the disk was being written to while the imaging was taking place.

    If you are taking an image of a secondary drive which as no activity on it, then shadow copy should not be required. The problem with Windows however is that there is a lot of stuff that happens in the background. Drives might be updated without you knowing it. (e.g. last access times on files).
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules