It's been a little while since I have messed with any of this directly and I don't have my handy-dandy references in front of me, but I am going to try to go off memory (not always a good thing).

OK, I know why I was thrown (yes, age is part of it). Is there any reason why you aren't using of= in the dd command? Is the second drive large enough to hold the image from the first drive? For just imaging the drive, it's OK to take the default block size (just: dd if=/xxxx of=yyyy; you may want to check out the options, depending on your objective, like skipping over errors). The only time the cluster/block size becomes critical is if you are going to slice data out of the image at a later point, in which case you will need to know the cluster size information contained in the MBR of the image. Check out The Sleuth Kit (http://www.sleuthkit.org/sleuthkit/desc.php); it has some handy tools for reading disk images, the relevant one being 'mmls', which will help analyze the image and determine the start/stop blocks, block size, etc. of the partition in the image you are interested in. You could, for example, use this information to slice off, say, your C drive, mount the image, and then grab a file that you lost off of it, without having to restore the whole disk.


Another thing you might consider (and that was instructed at SANS) is to do the transfer over to another system (the reasoning in the class being that you were imaging compromised systems, which isn't the case here), but still, if you have the systems lying around, this method can be useful. The easiest way is to set up a netcat listener on the server receiving the file (that redirects the data received to a file) and to send the file from the system you are backing up using netcat. It was pretty effective and fairly fast, depending on your setup with the disks (i.e., sharing the same controller). Given the issues you say you were experiencing with slowness, I almost wonder whether you had an I/O or controller issue (i.e., maybe both HDDs being on the same controller?). We were able to image 4G drives fairly quickly (a few minutes), which you can extrapolate for yourself.



EDIT: Also wondering if your choice of a very large block size isn't creating some other kind of issue (like requesting bigger chunks than the HDD is able to read well; will have to look at that tomorrow when I am not tired and brain-fried). I'd stick with the smaller block sizes, if you use them at all.
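
As an added example (not part of the original post): the start sector and length that mmls reports for a partition, read straight from the partition table of a raw image and used to carve that partition out with dd. It assumes a classic MBR (not GPT) with 512-byte sectors; the function names and the demo image are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate a primary partition in a raw MBR disk image and carve it with dd.
# Assumptions: classic MBR layout (not GPT), 512-byte sectors.

# le32 B0 B1 B2 B3 -> decimal value of four little-endian bytes
le32() { echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 )); }

# part_geometry IMAGE N -> "START_SECTOR SECTOR_COUNT" for primary partition N (1-4)
part_geometry() {
    img=$1
    # The partition table starts at byte 446 and each entry is 16 bytes;
    # the LBA start sits at entry offset 8, the sector count at offset 12.
    off=$(( 446 + ($2 - 1) * 16 + 8 ))
    set -- $(dd if="$img" bs=1 skip="$off" count=8 2>/dev/null | od -An -v -tu1)
    [ $# -eq 8 ] || return 1            # image too short to hold a partition table
    echo "$(le32 "$1" "$2" "$3" "$4") $(le32 "$5" "$6" "$7" "$8")"
}

# carve_partition IMAGE N OUT -> copy only partition N out of the image
carve_partition() {
    geo=$(part_geometry "$1" "$2") || return 1
    start=${geo% *}; count=${geo#* }
    [ "$count" -gt 0 ] || return 1      # empty table slot
    dd if="$1" of="$3" bs=512 skip="$start" count="$count" 2>/dev/null
}

# make_demo_image PATH -> constructed 64-sector image; partition 1 = sectors 8..23
make_demo_image() {
    dd if=/dev/zero of="$1" bs=512 count=64 2>/dev/null
    # Entry 1 in octal escapes: status 00, CHS, type 0x83, CHS, start=8, count=16
    printf '\000\000\000\000\203\000\000\000\010\000\000\000\020\000\000\000' |
        dd of="$1" bs=1 seek=446 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null  # 0x55AA signature
    printf 'LOSTFILE' | dd of="$1" bs=512 seek=8 conv=notrunc 2>/dev/null  # marker in partition
}

# Demo on the constructed image
demo_dir=$(mktemp -d)
make_demo_image "$demo_dir/disk.img"
part_geometry "$demo_dir/disk.img" 1    # prints: 8 16
carve_partition "$demo_dir/disk.img" 1 "$demo_dir/part1.img"
rm -rf "$demo_dir"
```

On a real image, check the values against mmls output before carving, since mmls also reports the sector size it detected.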