I will agree with mscotgrove. Seen this a few times, its just a bad drive. The good news is that at least it is reading something.. I got a drive a couple of years back that did the same, the problem was in the initial sectors. So upto about 40GB or so imaging took like 3 days, which then dramatically sped up and the rest of the 280GB was done in a few hours.
Point to not was - NO forensic tool would work with that drive, I ended up using ddrescue in linux, where you can set the no. of times it attempts to re-read, timeout, chunk size, etc.. If you think its going too slow, then set a large chunk size, you'll lose some data but it will be done faster and there are more chances that you will get data from the drive, else the drive will just get stressed and possibly fail.
If this is not a criminal case, and only for data recovery because of drive failure, then I would recommend drilling down to the %root% and create a logical AD1 image of the data. It sounds like there is no need for physical data from unalloc, so simply getting a logical may relieve stress on the drive and skip bad sectors all together.
Another option is to gather critical locations of files from the client that are most desired and attempt an export (i.e. pictures, itunes etc.).
Just some thoughts.
Oh and as a side note with FTK Imager - I have personally seen the best performance using the default "6" compression for both AD1 and E01 formats.
bad sectors on the hdd?
Do you have any other tools you can try?
If you have access to Xways try imaging the drive in reverse as DD (not sure what other tools can reverse image but there are bound to be some out there).
I am sure there are bad sectors.
It just angers me when the software writers haven't resolved problems like this in the 14 years that I have been in forensics.. but, I am not a programmer either.
I may try a linux distro, or two, but other than that, no.I have never used Xways but I have heard good things and I may end up purchasing it… especially if it can do a reverse acquisition…
THey may be the ones that have solved this bad sector issue.10 hours, 61,657KB so far..
X-ways has several means to get around this ("Alternative disk access method"), like not reading a sector for more than, say 1000ms, before moving on. This alone will save you a boatload of time when nothing will read those sectors anyways.
Reverse imaging is another nice thing as others have mentioned.
Also, since the accent is now more on "data recovery", consider using tools that are designed to do data recovery, see these
http//www.forensicfocus.com/Forums/viewtopic/p=6568343/#6568343
http//www.forensicfocus.com/Forums/viewtopic/t=10839/
jaclaz
The higher the compression the longer its takes. It could be you have bad sectors that are influencing that as well.
The higher the compression the longer its takes. It could be you have bad sectors that are influencing that as well.
Actually this is what I thought too but, not true… we tested this
Was the destination drive compressed, encrypted or sparse either through the OS, file system or the hardware?
The higher the compression the longer its takes. It could be you have bad sectors that are influencing that as well.
Actually this is what I thought too but, not true… we tested this
the destination drive? no…
on our test neither drive was.
I have never encountered higher compression speeding things up before…very odd /
I thought the opposite too… Maybe if I ever get this drive imaged I will run another test and post the results.
Trying Paladin4 now.