Tuesday, September 14, 2010

Taking a disk image and creating a hash of the data with one read of the source disk

I have previously blogged about how to take a disk image over the network. The more common case is that you want to make a forensic copy of a locally connected disk. Usually this is a disk you connect through a write blocker, such as one from WiebeTech, to prevent any changes being made to the source disk.

This command takes a forensic image and a hash of the original disk at the same time, requiring only one read of the source disk:
mkfifo /tmp/disk.dat; sha1sum /tmp/disk.dat & dd bs=256k if=/dev/sdc | tee /tmp/disk.dat > /mnt/destination/disk.dd
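
The one-liner prints the hash to the terminal and leaves the FIFO behind in /tmp. The following is an added example, not code from the original post: it wraps the same mkfifo/tee/dd technique in a function that saves the hash to a file, checks dd's exit status, and confirms the written image matches the stream hash. The function name image_and_hash and the .sha1 and .dd.log file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): one read of the source,
# hash saved to a file, written image verified against it.
image_and_hash() {
    src=$1 dest=$2
    true > "$dest" || return 1            # fail early if the destination is not writable
    tmp=$(mktemp -d) || return 1          # private dir instead of a fixed name in /tmp
    fifo=$tmp/disk.fifo
    mkfifo "$fifo" || { rm -rf "$tmp"; return 1; }

    # Background reader hashes the same byte stream that tee writes to the image.
    sha1sum < "$fifo" > "$tmp/stream.sha1" &
    hash_pid=$!

    # The only read of the source. dd's exit status is saved to a file because
    # the pipeline itself reports only tee's status.
    tee_rc=0
    { rc=0; dd bs=256k if="$src" 2> "$dest.dd.log" || rc=$?; echo "$rc" > "$tmp/dd.rc"; } |
        tee "$fifo" > "$dest" || tee_rc=$?
    hash_rc=0; wait "$hash_pid" || hash_rc=$?
    dd_rc=$(cat "$tmp/dd.rc")
    src_hash=$(cut -d' ' -f1 "$tmp/stream.sha1")
    rm -rf "$tmp"

    if [ "$dd_rc" -ne 0 ] || [ "$tee_rc" -ne 0 ] || [ "$hash_rc" -ne 0 ]; then
        echo "imaging failed: dd=$dd_rc tee=$tee_rc sha1sum=$hash_rc" >&2
        return 1
    fi

    # Re-read the image (not the source) and compare with the stream hash.
    img_hash=$(sha1sum < "$dest" | cut -d' ' -f1)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source=$src_hash image=$img_hash" >&2
        return 1
    fi
    # Record the hash next to the image in the format `sha1sum -c` reads.
    printf '%s  %s\n' "$src_hash" "$(basename "$dest")" > "$dest.sha1"
    echo "$src_hash"
}

# Run as: sh image.sh /dev/sdc /mnt/destination/disk.dd
if [ "$#" -eq 2 ]; then image_and_hash "$1" "$2"; fi
```

The image can be re-checked later from its own directory with `sha1sum -c disk.dd.sha1`; dd's record counts and any read errors are kept in `disk.dd.dd.log`.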
