Subject: Re: Problem using dd to clone a hard disk with bad sectors. - msg#00029

On Thu, 16 Feb 2006 18:31:42 +0800
Willard Van Dyne <wvandyne@xxxxxxxxxx> wrote:

> I'm trying to properly clone a 4.3GB (it's old, I know) hard disk
> which unfortunately has a lot of bad sectors.
[...]
> dd if=/dev/hdb of=/mnt/hda7/image.dd conv=noerror,sync
>
> My problem is that the md5 hash of the image file is different from
> that of the original
[...]
> Can anyone please enlighten me as to what I'm doing wrong?

Willard,

As many others have already said, you are not doing anything wrong using
dd. But have you tried using dcfldd?

dcfldd has an option to hash the output stream instead of the input
stream, so it will hash the datastream from the drive after the
conv=noerror,sync command has padded the bad sector reads. Then the hash
of the image file should match the acquisition hash dcfldd can record for
you.

A command might look like:

./dcfldd if=/dev/hdb conv=noerror,sync hashwindow=1M hash=md5
hashconv=after hashlog=/mnt/hda7/image.dd.hash.log split=640M
splitformat=aa of=/mnt/hda7/image.dd of=/mnt/hdd1/image.dd

And the individual parts of the command are

./dcfldd - the application
if=/dev/hdb - the input device to read from
conv=noerror,sync - continue through read errors and pad the output to
match the input block size
hashwindow=1M - calculate a hash of every 1M and write the hashes to a log
hash=md5 - use the MD5 algorithm
hashconv=after - hash after the conv=noerror,sync operation has
compensated for bad sector reads
hashlog=/mnt/hda7/image.dd.hash.log - the log file for hashes - will
contain a hash of each 1M of the image as well as the entire image
split=640M - optional - to store chunks on CD ROM
splitformat=aa - if you split the image into chunks, the pieces are named
image.dd.aa, image.dd.ab, image.dd.ac etc
of=/mnt/hda7/image.dd. - first copy of the image file
of=/mnt/hdd1/image.dd. - second copy of the image file - to another device
in case one of your drives dies :-(

We always make two copies to different drives as a safety net since we
rarely keep the original drive as evidence.

James
======================================================
James O. Holley Cell: 914.320.4874
Ernst & Young Office: 212.773.2902
Fraud Investigation Lab: 212.773.7784
& Dispute Services Fax: 212.773.4280
5 Times Square Mobile Fax: 866.436.2643
New York, New York 10036 Pager: 888.620.5275
Pager Email: 6205275 at skytel dot com
======================================================


Any U.S. tax advice contained in the body of this e-mail was not intended or
written to be used, and cannot be used, by the recipient for the purpose of
avoiding penalties that may be imposed under the Internal Revenue Code or
applicable state or local tax law provisions.
________________________________________________________________________
The information contained in this message may be privileged and confidential
and protected from disclosure. If the reader of this message is not the
intended recipient, or an employee or agent responsible for delivering this
message to the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication is strictly
prohibited. If you have received this communication in error, please notify us
immediately by replying to the message and deleting it from your computer.

Notice required by law: This e-mail may constitute an advertisement or
solicitation under U.S. law, if its primary purpose is to advertise or promote
a commercial product or service. You may choose not to receive advertising
and promotional messages from Ernst & Young LLP (except for Ernst & Young
Online and the ey.com website, which track e-mail preferences through a
separate process) at this e-mail address by forwarding this message to
no-more-mail@xxxxxxx If you do so, the sender of this message will be notified
promptly. Our principal postal address is 5 Times Square, New York, NY 10036.
Thank you. Ernst & Young LLP