Software for imagin...
 
Notifications
Clear all

Software for imaging a drive with bad sectors

19 Posts
13 Users
0 Likes
2,119 Views
(@deerhunter)
Posts: 15
Active Member
Topic starter
 

Can anybody in the data recovery / forensics field recommend good commercial software that images a damaged drive by skipping over bad sectors? I am looking for one that is similar to dd_rescue but runs on a Windows platform.

 
Posted : 02/01/2010 12:34 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

The approach I have developed is Incremental Imaging

http//www.cnwrecovery.com/html/damaged_disks.html

The main point is that one can build up a 'DD' image by imaging known good areas of the disk first and skipping failed areas, or areas not required. With many disks, it is common for the final 80% of the disk to read without significant errors.

Skipped, and unread areas of the disk are automatically padded in the image file.

Using a 'shadow' drive is also useful to fill in areas of the image that have been initaily skipped.

Overall, the aim is to read each sector on the failing drive only once, to ensure as little wear as possible and hopefully allow a usable image to be acquired before the disk possibly dies.

 
Posted : 02/01/2010 3:00 pm
Robbo747
(@robbo747)
Posts: 37
Eminent Member
 

Firstly, sounds like your not doing things in a non-forensic manner. Seems like your using dd_rescue on the existing drive and your not examining the drive through some type of write-blocking device ?

Second, if it is for evidence purposes, how sure are you to say that the data you are looking for does not exist in bad sectors? Just because a sector has been marked as <BAD> in some Winblows app, doesn't mean to say that data still resides in it.

Although the drive may contain bad sectors, there still exists the possibility that potential data of evidential value may still reside in bad sectors. Consider these scenarios
a) Image the drive through some incremental mean, load up the 'incremental created image' in your forensic tool of choice, ie- FTK or X-Ways. Search through existing files, no nothing of interest here. Lets run a data carve for recovered/deleted- still nothing here. Oh well, case finished. (Any defence team would have a field day with this as it opens up so many holes)
Or
b) Obtain a raw 'dd' forensic bit-for-bit stream of the drive by using either FTK Imager or the built in imaging utility in X-Ways. Again, run a data carve, say in X-Ways and you may potentially locate the data your looking for.

 
Posted : 02/01/2010 4:35 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

Robbo747 - once you have bad disks then I think you are in a situation of half a loaf is better than no bread. There is always going to be an issue that critical data could be in sectors that cannot be read. However, partial reading may allow detection of critical files, and also an indication if files have been renamed, hidden etc

Data carving is useless when it comes to looking for data that is in an unread sector.

The best approach must be to try and recover the basic file structure, ie the MFT file. Once you have that then you can determine if unread sectors are parts of known good or deleted files. Obviously you only have the original filenames, dates etc and probably no idea of actual content. If a high percentage of the disk can be read correctly, it will give an indication of the likely hood that the data in the unread sectors will match the file names. However, it can never be 100% proof until a sector can be read.

ie If the unread sectors on a disk, that has not been tampered with, just point to operating system files, the chances are that no user data has been lost. If the unread data points to Excel files (in a fraud case) then it is very critical.

 
Posted : 02/01/2010 5:40 pm
(@shinobiyan)
Posts: 3
New Member
 

mabe you see http//www.acelaboratory.com product DataExtractor .this Best.

 
Posted : 02/01/2010 6:32 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4525

This post has some suggestions that may help.

 
Posted : 02/01/2010 7:09 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

These are freeware (windows)
http//www.roadkil.net/program.php?ProgramID=29
http//www.datarescue.com/photorescue/v3/drdd.htm

jaclaz

 
Posted : 07/01/2010 1:15 am
(@encaser)
Posts: 14
Active Member
 

Hi

I would recommend to you DMDE, I'm using

http//dmde.com/download.html

it is good swofrware, for imaging a drive with bad sectors

 
Posted : 29/01/2014 6:13 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Extracting data from damaged hard drives

Damaged hard drives are unique objects of computer forensics. The main reason – they usually die suddenly. A hard drive can be damaged physically, or, for example, during unwanted desktop (or laptop) rebooting, making digital evidence inaccessible. This fact can keep bad guys from covering their traces – and it’s very important for us. Our lab gets up to 40% of damaged (both logically and physically) drives every month. In this article we’ll speak about extracting data from such drives.
More http//www.weare4n6.com/extracting-data-from-damaged-hard-drives/

 
Posted : 17/08/2016 7:27 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

In this article we’ll speak about extracting data from such drives.
More http//www.weare4n6.com/extracting-data-from-damaged-hard-drives/

Igor ) , with all due respect, maybe you put a little too much hype (or viceversa too much understatement) on this

Here is a very good example once SWAT stormed suspect’s apartment, while he was damaging his hard drive with a hammer. He had 30 minutes to totally destroy the drive. After the accident we got the drive. We changed damaged system board and used Data Extractor to image the drive. We got 98% of data. After we used EnCase Forensic for examination.

If after 30 minutes with a hammer 😯 all the guy managed to actually damage was the PCB (i.e. heads and platters were fine and not even misaligned) it doesn't really stand as a good example, OR you did much, much more than replacing the board (and possibly swapping the also undamaged ROM) …

jaclaz

 
Posted : 17/08/2016 8:37 pm
Page 1 / 2
Share: