SIFT Workstation 2.13 / ddrescue

8 Posts
4 Users
0 Likes
737 Views
(@jd9000)
Posts: 4
New Member
Topic starter
 

Hello All,

I am new but have searched before posting. 8)

Currently, I am trying to use ddrescue to make a raw image file of an SD card to recover deleted files. The examples I have found both on the GNU ddrescue website as well as other random websites have not offered any help and use a different syntax. Below is a copy of the output I received from the terminal window. Note SD1.img is created but is 0 bytes. In addition, no example I have found states you have to name your file and format (i.e. SD1.img).

sansforensics@SIFT-Workstation~$ ddrescue -i0 -o0 "/media/New Volume" /media/Storage/SD1.img

Press Ctrl-C to interrupt
rescued 0 B, errsize 4096 B, current rate 0 B/s
ipos 3072 B, errors 1, average rate 0 B/s
opos 3072 B
Finished

 
Posted : 25/08/2012 7:34 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Hello All,
>
> I am new but have searched before posting. 8)
>
> Currently, I am trying to use ddrescue to make a raw image file of an SD card to recover deleted files. The examples I have found both on the GNU ddrescue website as well as other random websites have not offered any help and use a different syntax. Below is a copy of the output I received from the terminal window. Note SD1.img is created but is 0 bytes. In addition, no example I have found states you have to name your file and format (i.e. SD1.img).
>
> sansforensics@SIFT-Workstation~$ ddrescue -i0 -o0 "/media/New Volume" /media/Storage/SD1.img
>
> Press Ctrl-C to interrupt
> rescued 0 B, errsize 4096 B, current rate 0 B/s
> ipos 3072 B, errors 1, average rate 0 B/s
> opos 3072 B
> Finished

There is a lot of confusion on this: there are ddrescue and dd_rescue (and often one or the other is misspelled or badly referenced).
Judging from the syntax you used, you are using GNU ddrescue:
http://www.gnu.org/software/ddrescue/manual/ddrescue_manual.html
but the source "/media/New Volume" looks strange to me.
You are going to image a device, i.e. the source should be something like /dev/hdb, /dev/hdc, /dev/sda, etc., and especially while doing a recovery you should use a logfile.
The target can be (besides a device) *any* file, i.e. the /media/Storage/SD1.img you used is as good as any other name.
Try running fdisk -l, see
http://www.linuxforums.org/forum/newbie/147887-manual-mount-sd-card-reader-laptop.html
(but once you have found the device, use ddrescue and not dd)

jaclaz

 
Posted : 25/08/2012 9:35 pm
(@jd9000)
Posts: 4
New Member
Topic starter
 

Hey Jaclaz,

Thanks for the help. It turns out my sdcard reader had mounted the sdcard under /dev/sdg1. Is there any benefit or advantage to saving the file as something other than a .img file? I'll do some googling later, but do you know off the top of your head the supported file formats of ddrescue?

 
Posted : 25/08/2012 10:05 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Hey Jaclaz,
>
> Thanks for the help. It turns out my sdcard reader had mounted the sdcard under /dev/sdg1.

But remember that you want to image the device, i.e. /dev/sdg and not the volume on it (though normally on UNpartitioned media they will likely be the same, you shouldn't assume as much).

> Is there any benefit or advantage to saving the file as something other than a .img file? I'll do some googling later, but do you know off the top of your head the supported file formats of ddrescue?

No, here you have a misconception that needs to be cleared.

What matters are the CONTENTS of a file, NOT the name or its extension.

But specifically dd (or ddrescue or dd_rescue) or any similar RAW imaging tool not only do not care in the least what name you give to a file, they also don't care about their contents.

What you get after having used one of these tools is a byte-by-byte or sector-by-sector image of the source.
I.e. you do NOT have any particular file format (or header or structure); you have a bunch of bytes, actually (and hopefully) an exact copy of the original bunch of bytes.

I personally use the extensions
.ima for UNpartitioned media (such as floppies and superfloppies and "normal" SD card)
and
.img for partitioned media (whole hard disks)
but it is just a convention or a quick mnemonic.
Lots of people and also many tools use .img indifferently.

But you can still call the target file Mickey.Mouse or Sylvester_the.cat all right.

Once you need to open these files with tools like (say) Winimage or mount them in virtual disk drivers like (say) Imdisk or similar (under Windows), then the use of .ima or .img will make things easier (file associations, etc.), but there is no actual *need* to do so.

jaclaz

 
Posted : 25/08/2012 10:45 pm
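An added example, not part of any post in this thread: the points above, that a raw image is only bytes and that an image of the whole device (/dev/sdg) can differ from an image of the volume (/dev/sdg1), can be checked by reading sector 0. The sketch classifies that sector as a bare volume boot sector or an MBR partition table; the function names and both sample sectors are constructed for illustration.

```python
import struct

def classify_sector0(sec: bytes) -> str:
    """Classify sector 0 of a raw image: 'volume', 'partitioned' or 'unknown'."""
    if len(sec) < 512 or sec[510:512] != b"\x55\xaa":
        return "unknown"                      # no boot signature at all
    # A volume boot sector starts with an x86 jump, then an OEM id and a BPB.
    jump = sec[0] == 0xE9 or (sec[0] == 0xEB and sec[2] == 0x90)
    oem = sec[3:11]
    bps, spc = struct.unpack_from("<HB", sec, 11)   # bytes/sector, sectors/cluster
    fat_bpb = (bps in (512, 1024, 2048, 4096)
               and spc in (1, 2, 4, 8, 16, 32, 64, 128)
               and sec[16] in (1, 2))               # number of FATs
    if jump and (fat_bpb or oem in (b"NTFS    ", b"EXFAT   ")):
        return "volume"
    # Otherwise look for an MBR partition table: four 16-byte entries at offset 446.
    used = 0
    for i in range(4):
        status, ptype, _lba, count = struct.unpack_from("<B3xB3xII", sec, 446 + 16 * i)
        if status not in (0x00, 0x80):
            return "unknown"                  # not a plausible partition entry
        if ptype != 0 and count > 0:
            used += 1
    return "partitioned" if used else "unknown"

def sample_fat_volume() -> bytes:
    """Constructed sector 0 of an unpartitioned FAT card (superfloppy layout)."""
    sec = bytearray(512)
    sec[0:3] = b"\xeb\x3c\x90"
    sec[3:11] = b"MSDOS5.0"
    struct.pack_into("<HB", sec, 11, 512, 8)
    sec[16] = 2
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

def sample_mbr() -> bytes:
    """Constructed sector 0 with one FAT32 (type 0x0C) partition at LBA 8192."""
    sec = bytearray(512)
    struct.pack_into("<B3xB3xII", sec, 446, 0x00, 0x0C, 8192, 15523840)
    sec[510:512] = b"\x55\xaa"
    return bytes(sec)

if __name__ == "__main__":
    # The file name plays no part: only the bytes decide the result.
    for name, data in (("Mickey.Mouse", sample_fat_volume()), ("SD1.img", sample_mbr())):
        print(name, "->", classify_sector0(data))
```

On a real image, pass the first 512 bytes of the file to `classify_sector0`; a result of "partitioned" means the volumes start further into the image rather than at offset 0.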
(@jd9000)
Posts: 4
New Member
Topic starter
 

Thanks a lot, your explanations are very clear and helpful. I have begun to reimage the whole device and not the volume. I haven't used Linux much, so good thing you pointed that out, otherwise I wouldn't have known. I found the following helpful.

http://publib.boulder.ibm.com/infocenter/dsichelp/ds8000ic/topic/com.ibm.storage.ssic.help.doc/f2c_linuxdevnaming_2hsag8.html

 
Posted : 25/08/2012 11:13 pm
(@bitstorm)
Posts: 53
Trusted Member
 

And keep in mind to use a file system (ext3/4) on the medium to write the image on supporting big files. Otherwise it will interrupt after the file size limit (like FAT32,..) is reached.

 
Posted : 27/08/2012 12:54 pm
(@jd9000)
Posts: 4
New Member
Topic starter
 

Bitstorm, I don't follow you, can you explain it in a different way? Do you mean when I make the raw image, save it on a filesystem other than FAT32?

 
Posted : 29/08/2012 3:00 am
KungFuAction
(@kungfuaction)
Posts: 109
Estimable Member
 

FAT32 maximum file size limit is 4GB (if the image will be larger than 4GB in size, do not use FAT32 unless you use EWF to split the image into 4 GB or lower files).

I recommend using NTFS, as Linux and Windows can both read and write in that file system format, and you don't have that file size limitation.

 
Posted : 29/08/2012 3:13 am
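An added example, not part of any post in this thread: a pre-flight check covering the two problems raised above, a source that is a mount point rather than a device node, and a FAT destination that cannot hold a single image file larger than 4 GB. The function names, the sample mount table and the 8 GiB card size are constructed; on a live system the mount table text would come from /proc/mounts.

```python
import os
import stat

FAT32_MAX_FILE = 2**32 - 1        # largest single file a FAT32 volume can hold
FAT_TYPES = {"vfat", "msdos"}     # names Linux uses for FAT mounts

# Constructed sample in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw 0 0
/dev/sdb1 /media/Storage vfat rw 0 0
/dev/sdg1 /media/New\\040Volume vfat rw 0 0
"""

def is_block_device(path: str) -> bool:
    """True only for a device node such as /dev/sdg, not a mount point or file."""
    try:
        return stat.S_ISBLK(os.stat(path).st_mode)
    except OSError:
        return False

def device_size(path: str) -> int:
    """Size in bytes of a block device or file, found by seeking to its end."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)

def fs_type_for(path: str, mounts_text: str) -> str:
    """File system type of the mount holding `path` (longest mount-point match)."""
    path = os.path.abspath(path)
    best, best_type = "", "unknown"
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mnt = fields[1].replace("\\040", " ")   # spaces are escaped as \040
        inside = path == mnt or path.startswith(mnt.rstrip("/") + "/")
        if inside and len(mnt) > len(best):
            best, best_type = mnt, fields[2]
    return best_type

def image_fits_one_file(source_bytes: int, fstype: str) -> bool:
    """False when the destination is FAT and the image would exceed its file limit."""
    return not (fstype in FAT_TYPES and source_bytes > FAT32_MAX_FILE)

if __name__ == "__main__":
    eight_gib = 8 * 2**30                      # constructed card size
    fstype = fs_type_for("/media/Storage/SD1.img", SAMPLE_MOUNTS)
    print("source is a device:", is_block_device("/media/New Volume"))
    print("destination fs:", fstype, "fits:", image_fits_one_file(eight_gib, fstype))
```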