Forensic Imaging of USB Drive with Corrupt File System


Forensic Imaging of USB Drive with Corrupt File System

Post Posted: Mon Jul 07, 2014 9:39 am

I'm looking for some suggestions for imaging a USB thumb drive with a corrupt file system (FAT 32). I'm trying to do this with no change to the drive (or as little as possible.)

The USB drive is attached to the forensic computer with either a software write block or a Tableau hardware write block. Windows 7 sees the device and wants to "scan and fix" it upon insertion. I've used Encase, both version 6 and 7, to try to forensically image the entire disk. I can see the file structure as well as data while it is added to Encase.

Encase 7 will get to the corrupt part of the file system and then stops imaging; the imaging timer then begins to increment until I stop the process and generates no error messages. Encase 6 will err out after attempting to image the disk for about 10 minutes.

I have not yet tried to do a logical image of the allocated files but this is my next step. I'm looking for any other suggestions for methods to get a disk image without going through a "scan and fix" by Windows, if at all possible.

Mark  

mkel2000
Member
 
 
  

Re: Forensic Imaging of USB Drive with Corrupt File System

Post Posted: Mon Jul 07, 2014 9:48 am

Try with FTK Imager:
1. Click on the first button in the toolbar ("Add evidence item"), select the USB stick from the list (you'll find its device descriptor and size in the list), then click Finish.
2. In the evidence tree right click on the root entry that you just added and select "Export disk image". Add a destination and click start.

It should work even when the stick has damaged flash sectors. If it still doesn't work, try with GuyMager on DEFT Linux or ddrescue as a last resort.

francesco
Senior Member
 
 
  

Re: Forensic Imaging of USB Drive with Corrupt File System

Post Posted: Mon Jul 07, 2014 9:50 am

Once you have your forensically secure image, I suggest you try data recovery software on the image.

Data carving might be a start, but this might fail if the files are fragmented, and the carving cannot handle fragmentation for the file type being investigated.

What file type(s) are you looking for?

A lot depends on how the file system has been damaged.

Forensically, you must not make ANY changes to the drive, but work on ways of discovering data.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 
  

Re: Forensic Imaging of USB Drive with Corrupt File System

Post Posted: Mon Jul 07, 2014 10:42 am

mkel2000 wrote:
    Windows 7 sees the device and wants to "scan and fix" it upon insertion.

Do you know what the problem is? Try 'chkdsk' without '/f' through a write blocker to just scan it, and get a report of what kind of problems are discovered.

mkel2000 wrote:
    Encase 7 will get to the corrupt part of the file system and then stops imaging; the imaging timer then begins to increment until I stop the process and generates no error messages. Encase 6 will err out after attempting to image the disk for about 10 minutes.

Sounds like the error is deeper than just a bad file system. EnCase should not be referring to the file system, only to sectors. What is it configured to do on read error? Default action is to skip 64 sectors, and try to continue. Have you changed that? Do you plan to?

Do you have any error messages in the system log from which you can identify faulty sectors?

mkel2000 wrote:
    I have not yet tried to do a logical image of the allocated files but this is my next step.

Why? Do you have a plan, or are you just trying random things?

I'd try to get an idea of exactly where the damage starts, and its extent, and then image the remaining parts of the drive. You should have a log message from EnCase or Windows that says where the damage starts. Then, try imaging the sectors at some suitable distance from there -- I don't know flash memory architecture well enough, but it's almost certainly an even power of 2. I'd start at 1Mb or 512 kb further into the memory, and if that works, decrease the skip, or if that also fails, increase it. That is, try to be intelligent about finding the end of the damage.

However, there's a point when there's no point in going on. If you reach a point where you've spent the planned budget for analyzing this drive just on imaging it and failing, you're not exactly ahead of the game.  

athulin
Senior Member
 
 
  

Re: Forensic Imaging of USB Drive with Corrupt File System

Post Posted: Mon Jul 07, 2014 3:08 pm

If I may, let's try NOT mixing things all together. (physical vs. logical).

If the flash drive is fully functional you do a dd-like or "forensically sound" PHYSICAL image (that is completely "agnostic" to the filesystem(s) used and to whether the filesystem(s) is/are valid or corrupted).
Then you make a copy (still "physical") of the image and either carve it for the files or attempt to rewrite/fix/repair the filesystem structures.

Be warned that a chkdsk (even without the "f" option) SHOULD NEVER (if it is the case) be run on the actual flash device directly if NOT through a write blocker (only to underline the need for what athulin posted).

BUT, *any* disk imaging tool will work fine with a fully functional device, so, as already said before, it is very likely that you have a much "deeper" problem, including unreadable (faulty) areas of the device.

Your best option, if the latter is the case, is actually ddrescue (or a similar "recovery oriented" tool) that will automate (given the correct options) the skipping of the sectors and also further attempts to read.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
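An added illustration of the two strategies above (athulin's "skip well past the damage, then narrow the skip" approach and the automated skipping and retrying that jaclaz credits to ddrescue); this is example code, not from any poster in this thread. The device and its bad sectors are constructed in memory, and `FakeFlashDevice`, `rescue_image` and `summarize` are hypothetical names standing in for raw, write-blocked sector reads.

```python
import hashlib

SECTOR = 512

class FakeFlashDevice:
    """Constructed stand-in for a write-blocked stick; sectors in `bad` fail like a faulty flash page."""
    def __init__(self, sectors, bad):
        self.sectors, self.bad, self.attempts = sectors, set(bad), 0

    def read(self, lba):
        self.attempts += 1                        # raw reads issued, for the acquisition log
        if lba in self.bad:
            raise OSError(f"I/O error reading LBA {lba}")
        return lba.to_bytes(8, "little") * (SECTOR // 8)   # deterministic filler content

def rescue_image(dev, skip=64, retries=2):
    """On a read error, mark the sector bad and jump `skip` sectors ahead (64 is the EnCase
    default quoted in the thread) so readable data is collected first; revisit the untried
    gaps with the skip halved down to 1; finally retry each bad sector `retries` more times."""
    img, status = bytearray(dev.sectors * SECTOR), {}   # unreadable sectors stay zero-filled

    def attempt(lba):                             # status[lba]: '+' read OK, '-' read failed
        try:
            img[lba * SECTOR:(lba + 1) * SECTOR] = dev.read(lba)
            status[lba] = "+"
        except OSError:
            status[lba] = "-"
        return status[lba] == "+"

    while skip >= 1:
        lba = 0
        while lba < dev.sectors:                  # sectors tried in an earlier pass are not re-read
            lba += 1 if lba in status or attempt(lba) else skip
        skip //= 2
    for _ in range(retries):                      # flash sometimes yields on a later attempt
        for lba in [s for s, st in status.items() if st == "-"]:
            attempt(lba)
    return bytes(img), status

def summarize(img, status):
    """Hash the image and collapse per-sector status into (start_lba, length, status) runs,
    the shape of a ddrescue map file, so the report states exactly where the damage lies."""
    runs = []
    for lba in sorted(status):
        if runs and runs[-1][2] == status[lba] and runs[-1][0] + runs[-1][1] == lba:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1, status[lba])
        else:
            runs.append((lba, 1, status[lba]))
    return {"sha256": hashlib.sha256(img).hexdigest(),
            "bad_sectors": sum(s == "-" for s in status.values()), "map": runs}
```

Each bad sector is attempted exactly once during the passes, so the slow, timing-out reads are deferred until all readable data is on disk; on a real device the map file and retry passes of ddrescue give the same ordering.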
 
 
  

Re: Forensic Imaging of USB Drive with Corrupt File System

Post Posted: Tue Jul 08, 2014 4:20 pm

Thanks for the replies and suggestions. I was able to forensically image the thumb drive using a Tableau write block and FTK Imager to create a dd image. I moved the dd image into Encase 7 and then re-acquired it into the Encase format without issue.

I believe that there are some issues with Encase 7 and imaging of hardware that may have issues. I had this issue on three different thumb drives trying to image with Encase 7. It doesn't appear that the error checking process for Encase 7's imager works well (or at all) if presented with hardware that has any kind of "issues."

Mark  

mkel2000
Member
 
 
  

Re: Forensic Imaging of USB Drive with Corrupt File System

Post Posted: Wed Jul 09, 2014 5:34 am

I think one small comment is that Encase is a forensic investigation program, and not a data recovery program. There can be a very large overlap between these applications, but one size may not always fit all.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 