dcfldd on non-FreeBSD systems produces extra "bad sectors"?


Posted: Thu May 22, 2008 10:04 pm

Greetings,

This was found on the Wikipedia data recovery page:

""Open source tools such as DCFLdd v1.3.4-1 can usually recover all data, with exception of the physically damaged sectors. (It is important that DCFLdd v1.3.4-1 be installed on a FreeBSD operating system. Studies have shown that the same program installed on a Linux system produces extra "bad sectors", resulting in the loss of information that is actually available.) [1]"

reference: ^ Cyrus Robinson, IXImager Bad Sector Drive Imaging Study. Defense Cyber Crime Institute Cyber Files Reports and studies are available only to US governmental agencies and law enforcement organizations."

Has anyone else heard about this problem with dcfldd? Any more details? Kind of disturbing information.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 

kovar
Senior Member
 
 
  

Re: dcfldd on non-FreeBSD systems produces extra "bad sector

Posted: Fri May 23, 2008 6:16 am

Okay, so here's a similar paper with similar results:

dfrws.org/2007/proceed...3-lyle.pdf

I've tested this and can confirm their findings (similar - so far). Testing is still underway. I did a presentation on this issue at our annual in-house conference, along with alternatives and solutions. I'll get around to posting them when I'm done testing. I'm not paid to be a researcher, so time is limited for me to "play" with this.

The problem with just pushing out the results right now is that even I find my testing methods "questionable". I don't want to jump to conclusions or make hasty accusations on the accuracy of tools. Coming up with realistic and reproducible "bad sectors" is tough. But using MHDD to create fake ones results in the same findings as the document cited above.

Bottom line is that "conv=noerror,sync" is BAD (for more than just the skipped sectors reason). If you need to use it, you are using the wrong tool (IMHO). I will comfortably say that much. There are better options out there.

My $.02.
Flame away...

Barry  

bgrundy
Senior Member
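
One way to measure the "extra bad sectors" effect discussed in this thread when testing an imaging tool against a drive whose faulty sectors are known in advance. This is an added example, not code from any poster or from the cited studies; the function names, the 512-byte sector size and the sample images are constructed for illustration.

```python
SECTOR = 512  # bytes per sector; assumed for this example

def extra_bad_sectors(reference, acquired, known_bad, sector=SECTOR):
    """LBAs zero-filled in `acquired` although the drive could read them.

    reference : image of the test drive taken before any sector was marked bad
    acquired  : image produced by the tool under test
    known_bad : set of LBAs deliberately made unreadable for the test
    """
    if len(reference) != len(acquired) or len(reference) % sector:
        raise ValueError("images must be equal length and sector aligned")
    extra = []
    for lba in range(len(reference) // sector):
        ref = reference[lba * sector:(lba + 1) * sector]
        acq = acquired[lba * sector:(lba + 1) * sector]
        # A known-bad sector is expected to be zero-filled, and a sector that
        # is all zeros in the reference as well is not a loss.
        if lba not in known_bad and acq != ref and not any(acq):
            extra.append(lba)
    return extra

def runs(lbas):
    """Collapse a sorted list of LBAs into (first, last) runs for reporting."""
    out = []
    for lba in lbas:
        if out and lba == out[-1][1] + 1:
            out[-1] = (out[-1][0], lba)
        else:
            out.append((lba, lba))
    return out

def zero_out(image, lbas, sector=SECTOR):
    """Return a copy of `image` with the given sectors replaced by zeros."""
    out = bytearray(image)
    for lba in lbas:
        out[lba * sector:(lba + 1) * sector] = bytes(sector)
    return bytes(out)

# Constructed sample: 32 sectors of non-zero data, LBA 10 is the only faulty one.
REFERENCE = b"".join(bytes([lba + 1]) * SECTOR for lba in range(32))
KNOWN_BAD = {10}
EXACT = zero_out(REFERENCE, KNOWN_BAD)     # tool loses only the faulty sector
LOSSY = zero_out(REFERENCE, range(8, 16))  # constructed: neighbours lost as well

if __name__ == "__main__":
    for name, image in (("exact", EXACT), ("lossy", LOSSY)):
        print(name, runs(extra_bad_sectors(REFERENCE, image, KNOWN_BAD)))
```

For real acquisitions the same comparison would be done by streaming both image files sector by sector rather than holding them in memory.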
 
 
  

Re: dcfldd on non-FreeBSD systems produces extra "bad sectors"?

Posted: Fri May 23, 2008 12:16 pm

Greetings,

Will your testing include commercial and hardware based tools? The report you linked to is very interesting, but I'd love to know how other tools fared on the same test disks. Going with FTK Imager, or a Talon, based on this report is all well and good until you find out that they have a similar problem.

-David
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 

kovar
Senior Member
 
 
  

Re: dcfldd on non-FreeBSD systems produces extra "bad sector

Posted: Fri May 23, 2008 2:22 pm

- kovar

Will your testing include commercial and hardware based tools?
-David


Yes. And so far the problem does not occur with tools other than Linux based dd tools accessed through the kernel. Using /dev/raw (or ddrescue with "-d") alleviates the problem, but like I said, I'm still testing.  

bgrundy
Senior Member
 
 
  

Re: dcfldd on non-FreeBSD systems produces extra "bad sector

Posted: Fri May 23, 2008 4:07 pm

- kovar
Greetings,

Will your testing include commercial and hardware based tools? The report you linked to is very interesting, but I'd love to know how other tools fared on the same test disks. Going with FTK Imager, or a Talon, based on this report is all well and good until you find out that they have a similar problem.

-David


I saw an Image Master Solo III lying around our office a while back, and noticed that it uses Linux DD to capture its images.

I'm not saying that product is affected, and at the minute I don't have the hardware at hand, but I'd be interested in testing it.

Ronan  

ronanmagee
Senior Member
 
 
  

Re: dcfldd on non-FreeBSD systems produces extra "bad sectors"?

Posted: Fri May 23, 2008 4:13 pm

Seems like this issue comes up from time to time. Here is a thread that touches on the subject from early 2007:

www.cybercrimes.it/for...2&topic=24
(Italian).

Here is a more recent posting on the subject matter:

tech.groups.yahoo.com/...essage/82.

ReC  

Rossetoecioccolato
Member
 
 
  

Re: dcfldd on non-FreeBSD systems produces extra "bad sectors"?

Posted: Fri May 23, 2008 4:30 pm

Greetings,

I just skimmed through the NIST reports:

nij.ncjrs.gov/publicat...op&PSID=31

The problem appears to be with the Linux kernel, thus affecting all tools running on Linux. This specifically includes Helix.

It doesn't include IXimager which is running on a Linux micro kernel.

I don't know how it affects tools running on OS X but would guess that dcfldd running on OS X would not manifest this problem.

-David

(It's amusing to note that the message quoted in the Yahoo! group is the one I sent to the CCE list this morning. Why they cross-posted it without replying to the original list is beyond me.)
_________________
CISSP, CCE, EnCE, Licensed Private Investigator (CA) 

kovar
Senior Member
 
 
