inotarobot
Veteran Member
1 plus 1 DOES NOT equal 2.
well not using dc3dd in Linux to image two XP loaded 1TB hard drives (not raided) onto a single 2TB hard Drive
Let me explain, and I hope someone can tell me what I did wrong.
*actually think I came to realize why by time i wrote this full post*
Task I got asked to make an image backup of pair of hard drives in an old machine running only XP.
Some background:
around 4 years ago the original C: 500GB hd was replaced with new Seagate ST31000528AS 1TB drive.
and about 3 years ago the original D: 250GB hd was replaced with a new Western Digital WD10EVDS-63N581 1TB drive.
6 Days ago the old Win XP machine failed into a reboot loop after the owner had downloaded and installed a new fandangled program to read some old floppy disks.
Reading online various posts and what a pain this error could be to fix, it was decided to back up the HD before attempting the repair to registry and config files.
Using my schoolboy arithmetic I decided that it was easy and price effective to buy one 2TB Hd and image both 1TB to it.
So I go and get a brand new Seagate Barracuda 2TB ST2000M008 with a DOM 28th MARCH 2020. Nice 3.5" SATA drive
{{FIY As I am doing a low lever Cyber course I decided for practice to use dc3dd under Karli Linux Live USB boot in the Forensic mode.
I have a Pentium Dual-core E6300 2.8G set up in an older tower box with a inboard 685watt PSU connected to an external UPS for copying and or transferring data etc, that has SATA hot-swap cradle, IDE & SCSI plugin cradles, 1x 5.25" & 1x 3.5" Floppy drives.}}
so installed the new 2TB drive and the original C: 1TB drive in box and powered up USB Karli Linux in Forensic mode. Both drives recognized.
Then started copy process as follows
fdisk -l {to find drives} {1TB was sdb and 2TB was sda}
dc3dd if=/dev/sdb hof=dev/sda hash=sha512 verb=on
{I could have added to end of string} log=usb3_evidence.log {log=> Path of the log file of the process}
i choose hof verses of so I can watch the copy process real time. I gather I could use hof and log.
Now all went fine with image copy. Original HD had 3 bad sectors that got replaced with all ZERO's on the image.
By now its 10.02 and bed called. BTW the 1TB forensic imaging took from 16.44:29 till 22:02:46 thats a little over 5 hrs. you can see details in my last pic here
so next day I replaced the original 1TB C: drive for the 1TB D: and repeated the process
fdisk -l {to find drives} {1TB was sdb and 2TB was sda1 and sda2}
dc3dd if=/dev/sdb hof=dev/sda2 hash=sha512 verb=on
about 4.8hrs later the process completes with an error not enough space on target hd. It was 1am and I was that tired I just turned system off, forgetting to take pics. If I recall it was saying something like target disk was about 9000 sectors short in capacity.
NEXT time I am going to use the log command as well and get all on in a log file.
If it does not take as long I would delete all on the 2TB drive and repeat the process just to get some logged data to be able to analysis what happened.
If I had spare cash I also go and buy another 2TB Seagate Barracuda ST2000DM008 just to see if its totally empty when I started.
dc3dd should be doing lowish level sector copy as it starts writing sector 1 of the target disk anyways. However looking at 2TB drive with fdisk -l (per the photo below ) i note dc3dd had made the image start at sector 63 and this raised the error
Partition1 does not start on a physical sector boundary
mmm me wonders why?
As I was writing this post I thought I can get info on drives so ran Linux with all 3 drive installed and using fdisk cmd got the following:-
Seagate ST31000528AS 1TB drive as having - 1,000,203,804,160 bytes
Western Digital WD10EVDS-63N581 1TB drive 1,000,203,804,160 bytes
-------------------------------------> thus sum 2,000,407,680,320 bytes
Seagate Barracuda 2TB ST2000M008 2TBbrive 2,000,397,852,160 bytes
that leaves the 2TB drive short by 9,756,160 bytes capacity. So this appears to be why 1+1 is greater than 2
Having just mentioned this to Maria, she said David your such a dummy :stupid: at times, as many people have know this fact for 1000's of years, as often 1+1 = 3 or more
well not using dc3dd in Linux to image two XP loaded 1TB hard drives (not raided) onto a single 2TB hard Drive
Let me explain, and I hope someone can tell me what I did wrong.
*actually think I came to realize why by time i wrote this full post*
Task I got asked to make an image backup of pair of hard drives in an old machine running only XP.
Some background:
around 4 years ago the original C: 500GB hd was replaced with new Seagate ST31000528AS 1TB drive.
and about 3 years ago the original D: 250GB hd was replaced with a new Western Digital WD10EVDS-63N581 1TB drive.
6 Days ago the old Win XP machine failed into a reboot loop after the owner had downloaded and installed a new fandangled program to read some old floppy disks.
Reading online various posts and what a pain this error could be to fix, it was decided to back up the HD before attempting the repair to registry and config files.
Using my schoolboy arithmetic I decided that it was easy and price effective to buy one 2TB Hd and image both 1TB to it.
So I go and get a brand new Seagate Barracuda 2TB ST2000M008 with a DOM 28th MARCH 2020. Nice 3.5" SATA drive
{{FIY As I am doing a low lever Cyber course I decided for practice to use dc3dd under Karli Linux Live USB boot in the Forensic mode.
I have a Pentium Dual-core E6300 2.8G set up in an older tower box with a inboard 685watt PSU connected to an external UPS for copying and or transferring data etc, that has SATA hot-swap cradle, IDE & SCSI plugin cradles, 1x 5.25" & 1x 3.5" Floppy drives.}}
so installed the new 2TB drive and the original C: 1TB drive in box and powered up USB Karli Linux in Forensic mode. Both drives recognized.
Then started copy process as follows
fdisk -l {to find drives} {1TB was sdb and 2TB was sda}
dc3dd if=/dev/sdb hof=dev/sda hash=sha512 verb=on
{I could have added to end of string} log=usb3_evidence.log {log=> Path of the log file of the process}
i choose hof verses of so I can watch the copy process real time. I gather I could use hof and log.
Now all went fine with image copy. Original HD had 3 bad sectors that got replaced with all ZERO's on the image.
By now its 10.02 and bed called. BTW the 1TB forensic imaging took from 16.44:29 till 22:02:46 thats a little over 5 hrs. you can see details in my last pic here
so next day I replaced the original 1TB C: drive for the 1TB D: and repeated the process
fdisk -l {to find drives} {1TB was sdb and 2TB was sda1 and sda2}
dc3dd if=/dev/sdb hof=dev/sda2 hash=sha512 verb=on
about 4.8hrs later the process completes with an error not enough space on target hd. It was 1am and I was that tired I just turned system off, forgetting to take pics. If I recall it was saying something like target disk was about 9000 sectors short in capacity.
NEXT time I am going to use the log command as well and get all on in a log file.
If it does not take as long I would delete all on the 2TB drive and repeat the process just to get some logged data to be able to analysis what happened.
If I had spare cash I also go and buy another 2TB Seagate Barracuda ST2000DM008 just to see if its totally empty when I started.
dc3dd should be doing lowish level sector copy as it starts writing sector 1 of the target disk anyways. However looking at 2TB drive with fdisk -l (per the photo below ) i note dc3dd had made the image start at sector 63 and this raised the error
Partition1 does not start on a physical sector boundary
mmm me wonders why?
As I was writing this post I thought I can get info on drives so ran Linux with all 3 drive installed and using fdisk cmd got the following:-
Seagate ST31000528AS 1TB drive as having - 1,000,203,804,160 bytes
Western Digital WD10EVDS-63N581 1TB drive 1,000,203,804,160 bytes
-------------------------------------> thus sum 2,000,407,680,320 bytes
Seagate Barracuda 2TB ST2000M008 2TBbrive 2,000,397,852,160 bytes
that leaves the 2TB drive short by 9,756,160 bytes capacity. So this appears to be why 1+1 is greater than 2
Having just mentioned this to Maria, she said David your such a dummy :stupid: at times, as many people have know this fact for 1000's of years, as often 1+1 = 3 or more
Last edited:
