Imaging USB drive
I have a Packard Bell Store and Save 3500 USB drive to image.
Owner says there is no power lead for it so I have had to acquire one that powers the drive but is not an original for that drive.
Tried to image the drive the following ways:
Out of case, attached via write blocker, in DOS (EnCase) and Helix.
In case, using a USB write blocker, with EnCase 3, 4, 5 and 6, FTK, WinHex and Helix.
Every time it starts and then slows to less than .002 Mb per min after about 10% of the drive.
I have even tried creating LEFs in EnCase of the individual folders, with the same result.
Even just trying to copy the files across starts and then slows to less than a snail's pace, with a 15Mb zip file taking over 4 hours (there are hundreds on the drive).
Has anybody come across this who may have a suggestion that would get this drive imaged in less than my lifetime, please?
1st option of course is the drive is useless but the owner swears it was working (it has a lot of his music and films on as well as other things) when seized.
Thanks in advance.
The method of swearing at it and throwing it against the wall is already on the list of things to do. lol
Can the device be opened? Maybe the power lead you bought does not provide enough power to the device. Or maybe the drive is failing.
Can you use a tool to read the SMART table to see if there are some parameters that look like the drive is about to fail?
Thanks for that. I have actually had the drive out of the container and tried to image in DOS, but alas no luck as yet. The more it goes, the more I am leaning toward a failing drive.
If you look at the drive (with the write blocker) in FTK Imager, WinHex, etc. do all the expected files appear?
I read that you were using Helix. Are you booting to Helix and mounting the drive or using the Windows application? I have found some occasions where booting to Linux allows access to drives that Windows (and even DOS) do not like to play with.
If I recall, there are also some goofy sync apps that came with that device. Perhaps using those tools would give access to the files.
This is the strangest thing.
I have tried Helix (Windows and booting) both ways. Neither will image for more than 5 or 10 minutes.
Another strange thing is that when plugged into a machine through a write blocker, the drive pops up as normal and I can scroll through it, access all folders and view all files (images, audio, video) OK. If, however, I try to create logical evidence files or image an individual folder, it won't do it (freezes after a few seconds), and even if I just try to copy a file out onto my work machine, it freezes.
Not even shouting and swearing at it works. Strange indeed.
Have you tried dcfldd with Helix booted to console mode, loaded into RAM?
I would suggest that you are looking at a disk with numerous bad sectors, and FTK Imager will eventually image it but will record a shedload of errors. You also run the risk of damaging the disk further the more you access it. I may be wrong, and members are free to correct me, but the reason you can see the files via normal write-blocked access may be due to the possibility that the disk's $MFT is intact but the sectors pointing to the files may not be in the best of shape. Hope you have some success.
The reason you are able to see the folder structure is that it is reading as far as the FAT or MFT. I think you are correct in that you have a failing drive. Your best bet is to try doing a dd image; it will ignore the errors and make the image as it is, whereas EnCase will try to re-read sectors reporting errors.
I ran into the same situation last weekend. Two Dell computers with Windows XP installed. Both loaded with the NIST configuration for secure Windows XP. EnCase and FTK Imager would not work. Could view the file structure, but FTK Imager would fail when asked to image the folder structure. Had to use IXImager to get a clean image of both drives. Fortunate that I had it available. Processing the computers using ILOOK. It is a shame that ILOOK lost its Federal funding.
DCFLDD is also a good bet to try as well (DOD's version of dd). I have a free GUI on my site if you need it (www.xabersoft.com). However, if you are working with Helix you probably don't… I would try at the physical level if possible (assuming the OS sees it as a physical device), behind a USB write blocker.
Hope it helps
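
The error-skipping read that the replies above recommend over tools that keep re-reading bad sectors, written out as an added example; it is not part of any post in this thread, and it is not the code of dd, dcfldd or any tool named here. The names `image_skip_errors` and `FlakyDisk`, the 512-byte sector size and the 64-sector block size are assumptions, and the failing disk is a constructed in-memory stand-in.

```python
import hashlib
import io

SECTOR = 512  # assumed sector size


def _read_exact(src, offset, n):
    """Read exactly n bytes at offset; a short read counts as an error."""
    src.seek(offset)
    data = src.read(n)
    if len(data) != n:
        raise OSError("short read")
    return data


def image_skip_errors(src, dst, total_size, block=64 * SECTOR):
    """Copy src to dst, zero-filling bad sectors; return (bad_offsets, sha256_hex)."""
    bad, digest, offset = [], hashlib.sha256(), 0
    while offset < total_size:
        want = min(block, total_size - offset)
        try:
            data = _read_exact(src, offset, want)  # fast path: whole block
        except OSError:
            # Retry sector by sector so one bad sector does not cost the block.
            parts = []
            for pos in range(offset, offset + want, SECTOR):
                n = min(SECTOR, offset + want - pos)
                try:
                    parts.append(_read_exact(src, pos, n))
                except OSError:
                    parts.append(b"\x00" * n)  # pad to keep offsets aligned
                    bad.append(pos)            # log for the examiner's notes
            data = b"".join(parts)
        dst.write(data)
        digest.update(data)
        offset += want
    return bad, digest.hexdigest()


class FlakyDisk(io.BytesIO):
    """Constructed stand-in for a failing drive: listed sectors raise EIO."""
    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad_sectors = set(bad_sectors)

    def read(self, n=-1):
        lo, hi = self.tell(), self.tell() + n
        if any(b * SECTOR < hi and (b + 1) * SECTOR > lo for b in self.bad_sectors):
            raise OSError(5, "Input/output error")
        return super().read(n)
```

Each unreadable sector is attempted at most twice (once in the block read, once on its own) and its offset is returned, so the zero-filled ranges in the image can be documented alongside the hash.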