Red Hat Bugzilla – Bug 74938
Mistake in "Collecting an Evidential Image"
Last modified: 2014-08-04 18:14:03 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020830
Description of problem:
The exemplar dd command given should include the conv=sync tag as well as
conv=noerror. In the event an error is encountered on the input medium, the
"sync" tag prevents the output from skewing offsets. For instance, if a bad
sector occurs on the source medium, the user will lose data, potentially up to
the block size used by dd (in the exemplar, 1 KB). The sync tag will ensure
that the erratic block is padded with 0x00 bytes on the output, so that
disklabels and volume structures (be they superblocks, inode or FAT tables, and
data areas) are aligned properly for recovery efforts.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Read manual.
2. Attempt to dd a source medium with bad blocks, without using "sync" parameter
for "conv=" option.
Actual Results: The destination file is a smaller size, and data loss makes
certain file or recovery procedures impossible (or at least VERY difficult). If
destination is a device, bad things also happen. :-)
Expected Results: Although some data loss must occur in the case cited above,
unless that loss occurs in a primary disk structure like the disklabel, or a
unified structure like the NTFS MFT, most file operations should be possible
with minimal effects. Some files may be affected by the error but most should
be addressable by normal methods.
I have a specialized background in this area.

Thank you very much for your suggestion. I am investigating this issue and will
get back to you as soon as possible.

Thank you for your patience. It has been determined that your suggestion is
correct and the example command will be modified to add the 'conv=noerror,sync'
argument by the next version of the Security Guide.
Thanks again for your input. Feedback like yours will make the Security Guide a
better resource for all readers.
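
The offset skew described in this report, as an added example that is not part of the original bug or the Security Guide: a small Python model of a block-by-block copy that continues past read errors, with and without zero-padding of the failed block. It models the behaviour the report describes rather than invoking dd itself; the medium, the `VOLHDR` marker and its offset are constructed sample values.

```python
BS = 1024                    # block size from the report's exemplar (1 KB)
MAGIC = b"VOLHDR"            # constructed marker standing in for a volume structure
MAGIC_OFFSET = 5 * BS + 56   # constructed offset where a recovery tool would look


class FlakyMedium:
    """Constructed stand-in for a source disk; reads of bad blocks fail with EIO."""

    def __init__(self, data, bad_blocks):
        self.data = data
        self.bad_blocks = set(bad_blocks)

    def block_count(self):
        return -(-len(self.data) // BS)  # ceiling division

    def read_block(self, n):
        if n in self.bad_blocks:
            raise OSError(5, "Input/output error")
        return self.data[n * BS:(n + 1) * BS]


def image(medium, sync):
    """Copy block by block, continuing past read errors (the noerror part).

    sync=False drops a failed block; sync=True writes BS zero bytes in its place
    and zero-pads any short block.
    """
    out = bytearray()
    for n in range(medium.block_count()):
        try:
            block = medium.read_block(n)
        except OSError:
            block = b""
        if sync:
            block = block.ljust(BS, b"\x00")
        out += block
    return bytes(out)


def build_sample():
    """Eight constructed blocks, each filled with its own number; block 2 is bad."""
    data = bytearray(b"".join(bytes([n + 1]) * BS for n in range(8)))
    data[MAGIC_OFFSET:MAGIC_OFFSET + len(MAGIC)] = MAGIC
    return FlakyMedium(bytes(data), bad_blocks={2})


if __name__ == "__main__":
    medium = build_sample()
    for sync in (False, True):
        img = image(medium, sync)
        print(f"sync={sync}: size={len(img)} marker at {img.find(MAGIC)} (expected {MAGIC_OFFSET})")
```

Without padding, the image is one block short and every structure after the bad block sits 1 KB before its true offset; with padding, only the failed block's contents are lost.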