Creating a disk image

Create an initial image of the drive:

Locate the device to be imaged:

You can do this from the terminal with fdisk, or from the GUI with the GNOME Disk Utility (‘palimpsest’).

List the drives and partitions from the terminal:

$ fdisk -l

(Note: to work out which device node to use, list the entries under /dev: sudo ls -alh /dev | grep hd. On modern kernels SATA, SCSI and USB drives appear as sd*, so grep sd there instead.)

(Another way to see all drives: sudo lshw -C disk)

To get information on a drive (disk type, identifier, etc.):

$ hdparm -I /dev/sda

parted will also show you all the partitions on a disk:

$ parted -l

Take note of the partition layout and file system format. If the drive is mounted, be sure to unmount it before imaging; the -l (lazy) option detaches a mount point that is still busy:

$ umount -l /media/mountedsrc

Choice 1 – ddrescue

First pass: run with -n to copy as many good blocks as possible without stopping to scrape the bad areas (name the image after the file system it holds: ext3, hfsplus, ntfs, fat32, etc.):

$ ddrescue -n /dev/SRC 0555-5555_ntfs.dd 0555-5555_ntfs.log

Second pass on hard drives (3 retries). Be sure to pass the same log file as the first pass; without it ddrescue cannot resume and will start over, overwriting the original image:

$ ddrescue -r3 /dev/SRC DST.dd DST.log

Second pass on floppy / DVD disks (-d for direct access to the input device, bypassing the kernel cache):

$ ddrescue -d /dev/SRC DST.dd DST.log

Choice 2 – dd

If ddrescue is not available it is possible to use dd, but it takes much longer and risks damaging the drive before all data has been copied, since dd has no fast first pass that skips the bad areas. If you can’t obtain the image with ddrescue, use safecopy below.

$ dd if=/dev/(source) of=/dev/(dest)

To get a progress report from dd:

DD status report

To get the status of dd we first need its PID:

$ pgrep -x dd

To request the status we send dd the USR1 signal. Make sure the PID really belongs to dd: a process with no USR1 handler is terminated by that signal.

$ sudo kill -USR1 (PID)

To request it automatically every 10 seconds, use the watch command:

$ sudo watch -n 10 kill -USR1 (PID)

Choice 3 – safecopy

If neither application can access the data, we can use a lower-level tool called safecopy, which is designed for badly damaged drives. Run the stages in order (stage1, then stage2, then stage3), each against the same target image:

$ safecopy --stage1 (then 2, then 3) /dev/source /media/target.dd

Verify image:

Now that you have an image, let’s verify that it actually contains data and is not blank. The simplest way is to open it in a hex editor: ghex is simple, or you can open the project in dff -g.

$ ghex 0555-5555_ntfs.dd

The image could contain all 0s if the drive was formatted and we are attempting to recover from a formatted or deleted drive. If the image contains nothing but BaDbLoCk markers, then the source media is too damaged for software recovery and will require a clean room. Note that at this level the chances of a clean-room recovery are very low and the cost is high; however, there is no cost to us or the customer to send the drive in for an evaluation.

 

Copy files from image

If we are copying data off the image (not deleted or lost files), let’s try mounting the image directly if possible. If the target is deleted partitions or files, see below.

Make a folder to mount the image on:

$ mkdir /media/0555-5555

Mount the image (read only) to copy the data off:

$ mount -t ntfs -o loop,ro,umask=0777 0555-5555_ntfs.dd /media/0555-5555/

If the image won’t mount, you can run fsck (or ntfsfix from ntfs-3g for NTFS) against the image file and then attempt to remount. fsck writes its repairs into the image, so run it on a copy and keep the original image untouched.

$ fsck -y -f /media/0555-5555_ntfs.dd

Copy the data over; the transfer can be interrupted and resumed (see man rsync for the full option list):

$ rsync -avuhP --log-file=/media/path/project#.log SRC DST

Find out how many files were transferred (run on both the source and the target and compare the counts):

$ find targetdir -type f -follow | wc -l

Now that you have an image of the drive, you can mount it and start your data recovery process. If you would like to learn more about open source data recovery, check out our training program, where we build the recovery server and teach you all the tools and the scripts that make this an easy process.

Article by Bizanator

I'm a security researcher, pentester and general IT guru professionally since 2003. While IT and security have been a habit of mine, literally learning my ABCs on an Apple IIe, I have worked on virtually every operating system in the past 25 years. Learning about memory manipulation starting in the early Blizzard days, I found an affinity in security and exploit development. My career has allowed me to work in a variety of industries, and I have been a strong supporter of open source and virtualization. My goal here is to provide a forum of information where, when you're brain dead, hopefully myself or one of our members can work together in the spirit of open source and resolving those brain dead moments. You can request a consultation with me on Maven.
