Hi,
I know there are plenty of you out there with an interest in forensics and a small budget so I thought I'd share a tip with you. When you are creating an image of a disk using dd it's often useful to split the dump into chunks. If you are dumping to a FAT32 disk for example you cannot create file greater than 4GB in size.

The Unix command split takes an input source, splits it onto chunks of a specified size. You can use this in conjunction with dd to automatically split and name the output files on the fly. The following command will dump the contents of device /dev/sdb to standard out where split will read it, chop it into 2GB chunks and name each file case0001_disk001_image_<suffix>.


The option '-d' tell split to add a numeric suffix instead of the default alphabetic one and option '-a 3' tell split to use a 3 character, suffix e.g. 001, 002, 003 etc.

Hope you find this useful and I hope it serves as a reminder that learning the basic Unix tools is a skill worth having.

Jimbob

Split is definitely a great command to know when you are in a bind.  I had to use it on a Mac Server a while back.  There are a few DD based tools, like DCFLDD that have this function built in.   More importantly, DCFLDD and others will hash on the fly, which is one of the most important aspects in forensics.