NOTE that there are two logfiles on this page, and that you would not necessarily have to use all of the --switches that I did! For many, taking the extra time to 'verify' by md5sum a whole partition or drive would be too time consuming... But for Forensics techs, it is a given that they must do this.

---------------------------------------------------------------------------------------------------------------------------------
Forensic Acquisition Utilities, 3, 16, 2, 1030
dd, 1, 0, 0, 1030
Copyright (C) 2002 George M. Garner Jr.
Command Line: dd if=\\.\R: of=K:\618mbw98.dd conv=noerror --md5sum --md5out=618mbw98.md5 --log=618mbw98.txt --verifymd5 --lockin
Based on original version developed by Paul Rubin, David MacKenzie, and Stuart Kemp
Microsoft Windows: Version 5.0 (Build 2195.Professional Service Pack 3)

22/04/2003 19:19:00 (UTC)
22/04/2003 12:19:00 (local time)

Current User: COMPUTER\User

Statistics for logical volume \\.\R:
  158711808 bytes available
  158711808 bytes free
  648478720 bytes total

Volume Name: \\.\R:
Volume Label: WINDOWS 98
Drive Type: fixed
Volume Serial Number: 4C1A-1ADA
Maximum Component Length: 255
Volume Characteristics:
  File system preserves case
  File system supports Unicode file names
File System: FAT32
Clustered: No
Volume Extents:
  Disk Number: 2
  Starting Offset: 0x0000000000007e00
  Extent Length: 0000000649764864

input file locked
Copying \\.\R: to K:\618mbw98.dd...
\10b0089181f5442d4a42adaa5b6260ab [\\\\.\\R:] *K:\\618mbw98.dd

Verifying output file...
\10b0089181f5442d4a42adaa5b6260ab [\\\\.\\R:] *K:\\618mbw98.dd
The checksums do match.
Output K:\618mbw98.dd 649764864/649764864 bytes (compressed/uncompressed)
158634+0 records in
158634+0 records out
---------------------------------------------------------------------------------------------------------------------------------

The following is NOT part of the original logfile:
==========================================================================
NOTE: Since I performed a 'partition copy' rather than copying a whole hard disk, none of the technical data about the disk itself was included in this logfile.

Also: The copying would have gone faster if I hadn't included the options to have 'dd' create the md5sum of the whole partition _and_ verify it after the process had been completed!

If you do not set the size of the records yourself (using " bs= "), it appears that this 'dd' will default to the "cluster size" of the partition: In this case, 8 sectors per cluster, or 4096 bytes.... Since 158,634 records x 4096 bytes/record = 649,764,864 total bytes.
==========================================================================

And here is the second example (an NTFS partition this time):

---------------------------------------------------------------------------------------------------------------------------------
Forensic Acquisition Utilities, 3, 16, 2, 1030
dd, 1, 0, 0, 1030
Copyright (C) 2002 George M. Garner Jr.
Command Line: dd if=\\.\E: of=O:\2gb-ntsf.dd conv=noerror --md5sum --md5out=2gb-ntsf.md5 --log=2gb-ntsf.txt --verifymd5 --lockin
Based on original version developed by Paul Rubin, David MacKenzie, and Stuart Kemp
Microsoft Windows: Version 5.0 (Build 2195.Professional Service Pack 3)

26/04/2003 20:36:06 (UTC)
26/04/2003 13:36:06 (local time)

Current User: COMPUTER\Administrator

Statistics for logical volume \\.\E:
  845602816 bytes available
  845602816 bytes free
  1998708736 bytes total

Volume Name: \\.\E:
Volume Label:
Drive Type: fixed
Volume Serial Number: 9215-158B
Maximum Component Length: 255
Volume Characteristics:
  File system preserves case
  File system supports case sensitive file names
  File system supports Unicode file names
  File system preserves and supports persistent ACL's
  File system supports file level compression
  File system supports named streams
  File system supports encryption
  File system supports object identifiers
  File system supports reparse points
  File system supports sparse files
  File system supports quotas
File System: NTFS
Clustered: No
Volume Extents:
  Disk Number: 1
  Starting Offset: 0x0000000000007e00
  Extent Length: 0000001998710784

input file locked
Copying \\.\E: to O:\2gb-ntsf.dd...
\af7684c41f49b27e6130be2cb50eab78 [\\\\.\\E:] *O:\\2gb-ntsf.dd

Verifying output file...
\af7684c41f49b27e6130be2cb50eab78 [\\\\.\\E:] *O:\\2gb-ntsf.dd
The checksums do match.

Output O:\2gb-ntsf.dd 1998708736/1998708736 bytes (compressed/uncompressed)
487966+0 records in
487966+0 records out
---------------------------------------------------------------------------------------------------------------------------------

The following is NOT part of the original logfile:
==========================================================================
NOTE: Since I performed a 'partition copy' rather than copying a whole hard disk, none of the technical data about the disk itself was included in this logfile.

Also: The copying would have gone faster if I hadn't included the options to have 'dd' create the md5sum of the whole partition _and_ verify it after the process had been completed!

If you do not set the size of the records yourself (using " bs= "), it appears that this 'dd' will default to the "cluster size" of the partition: In this case, 8 sectors per cluster, or 4096 bytes.... Since 487,966 records x 4096 bytes/record = 1,998,708,736 total bytes.
==========================================================================

EOF.

The Starman. 27 April 2003.