I have previously blogged about how to take a disk image over the network. The more common case is that you want to make a forensic copy of a locally connected disk. Usually this is a disk you connect through a write blocker, such as one from WiebeTech, to prevent any changes being made to the source disk.
This command takes a forensic image and a hash of the original disk at the same time, requiring only one read of the source disk:
mkfifo /tmp/disk.dat; sha1sum /tmp/disk.dat & dd bs=256k if=/dev/sdc | tee /tmp/disk.dat > /mnt/destination/disk.dd
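The same single-read pipeline as a reusable script, added here as an example and not part of the original post. It goes one step further than the command above by re-reading the written image and comparing it with the recorded hash. The function names image_and_hash and verify_image, the private temporary directory, and the constructed sample file standing in for /dev/sdc are assumptions of this example.

```shell
#!/bin/sh
# Added example: single-read imaging through a private FIFO, then verification.
# SRC would be the write-blocked device; the demo below uses a constructed file.

# image_and_hash SRC DEST
# Reads SRC once; writes the image to DEST and the SHA-1 of the bytes read
# to DEST.sha1.
image_and_hash() {
    src=$1 dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Fail early if DEST is not writable; otherwise the hasher would wait forever.
    : > "$dest" || return 1
    # Private directory: other local users cannot pre-create or read the FIFO.
    work=$(mktemp -d) || return 1
    mkfifo -m 600 "$work/tap" || { rm -rf "$work"; return 1; }
    # The hasher runs in the background and blocks until tee opens the FIFO.
    sha1sum < "$work/tap" | cut -d' ' -f1 > "$dest.sha1" &
    hasher=$!
    dd bs=256k if="$src" 2>/dev/null | tee "$work/tap" > "$dest"
    wait "$hasher"      # do not return before the hash file is complete
    rm -rf "$work"
}

# verify_image DEST
# Re-reads the image (not the source) and compares it with the recorded hash.
verify_image() {
    recorded=$(cat "$1.sha1") || return 1
    actual=$(sha1sum < "$1" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# Demo on constructed data standing in for the source disk.
demo=$(mktemp -d)
head -c 1048576 /dev/zero > "$demo/source.bin"     # constructed 1 MiB "disk"
image_and_hash "$demo/source.bin" "$demo/disk.dd"
if verify_image "$demo/disk.dd"; then
    echo "image verified: $(cat "$demo/disk.dd.sha1")"
else
    echo "IMAGE DOES NOT MATCH RECORDED HASH" >&2
fi
rm -rf "$demo"
```

The pipeline's exit status is that of tee, so a read that dd abandons part-way is not reported, and the recorded hash will still match the truncated image. Compare the image size with the source size before relying on the hash.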