Re: identical disk dump

On Tuesday 14 Feb 2006 19:14, Mike McCarty wrote:
> Les Mikesell wrote:
> > On Tue, 2006-02-14 at 12:36, Mikkel L. Ellertson wrote:
> >>>I need to make an identical bit-for-bit transfer of a hard disk from a
> >>>*REALLY* slow box to a faster box.
> >>>
> >>>1- There are no security issues --plugging one box directly into the
> >>>   other.
> >>>2- I need to prove/document the copy is identical to the original.
> >>>3- I want to do it as efficiently as possible.
> >>>4- I "own" both boxes.
> >>>---
> >>>Has anyone used dcfldd ?? Is this a better tool than dd ??
> >>>http://dcfldd.sourceforge.net/
> >>>---
> >>>Any time-tested commands/flags/scripts would be greatly appreciated.
> >>>
> >>>Best wishes to everyone,
> >>>
> >>>Andrew
> >>
> >>If you are going from one box to another, then dd type tools are
> >>not the right tool for the job. You may want to take a look at
> >>Ghost 4 Linux ( http://freshmeat.net/projects/g4l/ ) This also
> >>has the advantage that the drives are not mounted during the
> >>copy, so you do not have to worry about something changing while
> >>the drive is being copied. You do NOT want to do a bit-for-bit
> >>copy of a mounted drive!
> >
> > You can use dd even across machines if you can boot a
> > run-from-CD distro that has ssh like knoppix.  Set a root
> > password and start the ssh server on the remote box
> > and use a command like:
> > dd if=/dev/hda |ssh remote_ip dd of=/dev/hda
> > However, to use dd the disks must be the same size. If this
>
> Actually, they need to be identical drives. Just being
> the same size is not enough.
>
> [snip]

As someone who works for the legal profession a lot, I should butt in and say
that IF there is a need to prove that the source/destination disks are
identical, then the procedure you follow needs to be documented at every
stage, with appropriate safeguards and proofs.

A second person present during the process is essential; they should document
the process individually without sight of your notes, and the original disk
should never be used in any situation where any data may be written to it,
i.e. it must never be mounted.

Photographic evidence of how you accomplished this task often goes a long way
to convincing the uninitiated, although those who know what they are talking
about won't be so easily fooled, and you must have the answers to how you
protected the integrity of the original disk easily at hand.

If you google for 'forensic analysis computers', there are some interesting 
hits, once you get past the adverts.  The US DoJ issue clear evidential rules
http://www.computerforensics.com/fed-guide.htm#sect-viii
which if followed would ensure that civil/employment/etc/etc cases would be 
fairly cut and dried.

Tony
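
One way to script the "copy, then prove it" step this thread asks about, as an added example that is not part of any of the original messages: it refuses a mounted source, copies with dd, re-reads both sides, and appends timestamps and digests to a log. The function names are hypothetical, `sha256sum` and `head -c` are assumed (GNU coreutils), and the mount check assumes Linux `/proc/mounts`.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sha256sum and head -c are
# assumed to be available (GNU coreutils, e.g. on a run-from-CD distro).

# Succeeds if DEV, or a partition of it, is listed as mounted in /proc/mounts.
is_mounted() {
    [ -r /proc/mounts ] || return 1
    awk -v d="$1" 'index($1, d) == 1 { hit = 1 } END { exit !hit }' /proc/mounts
}

# SHA-256 of the first BYTES bytes of PATH.
hash_prefix() {
    head -c "$2" < "$1" | sha256sum | cut -d' ' -f1
}

# verify_copy SRC DST BYTES LOG: hash only the first BYTES of each side, so a
# destination larger than the source does not produce a false mismatch.
verify_copy() {
    s=$(hash_prefix "$1" "$3"); d=$(hash_prefix "$2" "$3")
    {
        echo "src_sha256: $s"
        echo "dst_sha256: $d"
        echo "end:    $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >> "$4"
    if [ "$s" = "$d" ]; then echo "result: MATCH" >> "$4"; return 0; fi
    echo "result: MISMATCH" >> "$4"; return 1
}

# image_and_verify SRC DST LOG: copy, re-read both sides, log the evidence.
# Returns 0 on match, 1 on mismatch, 2 if the copy was refused or failed.
image_and_verify() {
    src=$1; dst=$2; log=$3
    if is_mounted "$src"; then
        echo "refused: $src is mounted" >> "$log"; return 2
    fi
    size=$(wc -c < "$src" | tr -d ' ')
    {
        echo "start:  $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source: $src ($size bytes)"
        echo "target: $dst"
    } >> "$log"
    # dd reports its record counts on stderr; keep them in the log as well.
    dd if="$src" of="$dst" bs=1048576 conv=notrunc 2>> "$log" || return 2
    sync
    verify_copy "$src" "$dst" "$size" "$log"
}
```

The log this produces is one piece of the documentation, not a substitute for the witness and written notes described above.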

