Disk Image of my Windows Partition

[EndianX]

Hey everybody.

I am taking a class this semester on computer forensics. I am playing with a tool called SleuthKit (http://www.sleuthkit.org/). The data I need to analyse is my windows xp partition on the same computer.

SleuthKit says to use the program "dd" to make an image of things. Is there anyway for me to make an image of my windows xp partion?

Here is an example of what they suggest:

Code:

dd if=/dev/hdd of=/mnt/disk.dd bs=4k

Basically, is there something under /dev that would point to my windows partition is mostly what I need to know.

(p.s., fairly new to linux)

Thanks in advance,

EndianX

[pavlo_7]

If all you want is to look at what is on your windows xp partition, then mount it, change directory to where you mounted it, and see what's there:

Code:

mkdir /mnt/windows
mount -t ntfs /dev/hda1 /mnt/windows
cd /mnt/windows
ls

replace hda1 with the number of partition on which xp is installed.

P.S. Do not post your homeworks here.

[EndianX]

If all you want is to look at what is on your windows xp partition, then mount it, change directory to where you mounted it, and see what's there:

Code:

mkdir /mnt/windows
mount -t ntfs /dev/hda1 /mnt/windows
cd /mnt/windows
ls

replace hda1 with the number of partition on which xp is installed.

P.S. Do not post your homeworks here.

Thank you so much for the help! I'll give this a try.

And its for a project. Going to see how NTFS' EFS, ADS File Hiding, and Cipher.exe's file wiping abilities stand up to forensic software.

I suspect I'll fairly easily be able to view things hidden in alternate data streams. Files wiped and overwritten with cipher.exe may be a little more difficult. Still haven't figured out a way to break EFS.

Its not a homework question like "how do you mount a windows partition in linux?"

Anyway, thanks again!

[pavlo_7]

You will need enough space on your Linux partition to copy an image of your windows there.