Imaging without a write blocker

12 Posts
9 Users
0 Reactions
3,129 Views
Amumbo
(@amumbo)
Active Member
Joined: 12 years ago
Posts: 8
Topic starter  

I know the title of this thread will probably make a few people cringe but I was wondering realistically what writes would be made to a drive if imaging without a write blocker?
Basically I want to image an old HDD from one of my laptops just so I can have a play around. Am I likely to cause any damage to the data on the drive doing this?


(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

In general, from what I've heard, file times will get updated, files related to the Recycle Bin will get created. There is probably more, but that's what I'm confident of.

I say, try it. As far as I know, no one has put this through a rigorous testing methodology.

Then publish. I am sure it has happened before, and will again, where an examiner will have a write-blocker fail, and it'd be cool to have a list of updates that are actually done to the drive. It may help undercut any defense attacks.


(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

I know the title of this thread will probably make a few people cringe but I was wondering realistically what writes would be made to a drive if imaging without a write blocker?
Basically I want to image an old HDD from one of my laptops just so I can have a play around. Am I likely to cause any damage to the data on the drive doing this?

How are you proposing to copy the HDD? You can make a forensic image without using a physical write blocker by booting off a forensic boot device such as CD/USB with Caine or Paladin installed on it and imaging to an attached USB drive. Apologies if I've misunderstood your post.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

In general, from what I've heard, file times will get updated, files related to the Recycle Bin will get created. There is probably more, but that's what I'm confident of.

I say, try it. As far as I know, no one has put this through a rigorous testing methodology.

Then publish. I am sure it has happened before, and will again, where an examiner will have a write-blocker fail, and it'd be cool to have a list of updates that are actually done to the drive. It may help undercut any defense attacks.

Well, that is assuming that a Windows (of the NT family) OS is used.

Not-so-casually a project, WinFE, has been developed to be able to use a Windows NT based (7 based) PE to image disks without "touching" their contents.
http://winfe.wordpress.com/

A selected number of Linux distros have been able to do this for years, BTW.

I know the title of this thread will probably make a few people cringe but I was wondering realistically what writes would be made to a drive if imaging without a write blocker?
Basically I want to image an old HDD from one of my laptops just so I can have a play around. Am I likely to cause any damage to the data on the drive doing this?

Absolutely NO damage can be done by simply imaging a drive, the point is whether "changes" will be made to it and if yes, the relevance of these "changes".

As an example, if the disk is "native Linux" and contains NOT a volume formatted with a MS recognized filesystem, the ONLY change that may happen when imaging from a "plain" Windows NT based system is that a Disk Signature will be written to the device's MBR.

On the other hand if the disk has already been mounted/connected to any PC running a Windows NT system it will already have a disk signature.

The whole set of modifications that a Windows NT OS can and will make to disk volumes are connected with accessing and mounting the \\.\LogicalDrives; what WinFE does is simply prevent Windows from auto-mounting the device and its contents.

jaclaz


(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

I think the most significant 'danger' to a drive without a write blocker would be that of a virus checker. It could change files, and maybe even try to defragment the disk. There is also a danger that Windows might try and do a chkdsk if you boot the PC with the drive plugged in.

However, if it is just an image for your own use, then all will be OK.

One exercise you could try is to image the disk twice (probably to a file) and see what differences there are between the two images, taken at different times, maybe after a power off reset. Then try to work out what the differences are.


(@twjolson)
Honorable Member
Joined: 17 years ago
Posts: 417
 

Well, that is assuming that a Windows (of the NT family) OS is used.

I was operating under the assumption that he was asking about plugging a drive into a recent version of Windows and imaging it with a forensic imaging program, such as FTK Imager.


Amumbo
(@amumbo)
Active Member
Joined: 12 years ago
Posts: 8
Topic starter  

Thank you for your replies. I am going to image the hdd twice, first with a software write blocker and secondly using the same imaging utility and I will compare the changes.
I am quite intrigued now as to exactly what will happen and I will try to write up my results when I am done. I may even try the same with a couple of different versions of Windows and some Linux distros if I have the time.
It would also be interesting to see if different programs such as EnCase and FTK will make different writes, unfortunately I do not have access to EnCase so if anyone who has Encase would like to get involved in a little experiment let me know and we can compare results.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Thank you for your replies. I am going to image the hdd twice, first with a software write blocker and secondly using the same imaging utility and I will compare the changes.

I am quite intrigued now as to exactly what will happen and I will try to write up my results when I am done. I may even try the same with a couple of different versions of Windows and some Linux distros if I have the time.

It would also be interesting to see if different programs such as EnCase and FTK will make different writes, unfortunately I do not have access to EnCase so if anyone who has Encase would like to get involved in a little experiment let me know and we can compare results.

Excuse me 😯 , but it seems to me like you have not (yet) fully grasped the general idea. *Any* imaging tool (as long as it uses a dd-like or sector by sector approach) will provide the SAME result (no matter if a write blocker is used or not), i.e. an EXACT copy of the original, EXACTLY as it is at the EXACT instant the image was taken.

The issue is exclusively about what may happen to the original when the disk is mounted/accessed (without a write blocker), i.e. what the OS that is running may alter on the original disk before the image is taken or during the time it takes to generate the image.

The issue in other words is not really about the imaging program, but rather the OS on which it is run. There are "special" versions of Linux and - as seen - of PE aimed at avoiding any write to the disk; if you are not going to use one of them you may have some "unwanted" writes, which additionally will depend on what the contents of the disk were before.

All dd-like programs access the disk at the lowest possible level for the OS; in Windows NT that is \\.\PhysicalDriveN. The point is that the actual OS may also access the \\.\LogicalDrive device (drive letter if you prefer) and the filesystem on it.

A typical Windows NT system may also have any kind of services running in the background accessing the disk, residual scheduled tasks affecting *all* drives, etc.

Typical possible writes

  • Disk signature (IF the original has NEVER been connected to any Windows NT OS)
  • Recycle bin (IF the original has NEVER been connected to any Windows NT and depending on a number of different things)
  • Last accessed timestamps (IF the Windows NT automatically tries to index a volume or a command like DIR is executed on it) see http://www.forensicfocus.com/Forums/viewtopic/t=9465/

jaclaz


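The "image the disk twice and diff the two images" exercise mscotgrove suggests, combined with the disk-signature write jaclaz lists as a typical change, can be checked with a small script. The following is an added example and not code from anyone in this thread: it takes two raw sector-by-sector images of the same device, hashes both, reports which sector runs differ, and reads the 4-byte NT disk signature at MBR offset 0x1B8 in each so that a "signature written to a previously unsigned disk" change is called out explicitly. The two images it builds when run without arguments are constructed sample data (a 64-sector disk with a zero signature, then a copy where a signature and one data sector have changed), not images of any real drive.

```python
"""Compare two raw images of the same drive and report what changed.

Added example for the thread above (not the authors' code). Usage:
    python diff_images.py before.dd after.dd
With no arguments it runs on a small constructed sample disk.
"""
import hashlib
import struct
import sys

SECTOR_SIZE = 512
MBR_SIGNATURE_OFFSET = 0x1B8  # 4-byte NT disk signature, little-endian


def sha256_hex(data: bytes) -> str:
    """Hash a whole image; matching hashes are the usual 'verified' check."""
    return hashlib.sha256(data).hexdigest()


def mbr_disk_signature(image: bytes) -> int:
    """Return the 32-bit NT disk signature from the MBR (0 means unsigned)."""
    if len(image) < SECTOR_SIZE:
        raise ValueError("image is shorter than one sector; no MBR to read")
    return struct.unpack_from("<I", image, MBR_SIGNATURE_OFFSET)[0]


def changed_sector_runs(before: bytes, after: bytes):
    """Return a list of (first_sector, sector_count) runs that differ."""
    if len(before) != len(after):
        raise ValueError("images differ in length; not two images of the same device")
    if len(before) % SECTOR_SIZE:
        raise ValueError("image length is not a whole number of sectors")
    runs, run_start = [], None
    total = len(before) // SECTOR_SIZE
    for i in range(total):
        lo, hi = i * SECTOR_SIZE, (i + 1) * SECTOR_SIZE
        if before[lo:hi] != after[lo:hi]:
            if run_start is None:
                run_start = i          # open a new run of changed sectors
        elif run_start is not None:
            runs.append((run_start, i - run_start))  # close the run
            run_start = None
    if run_start is not None:
        runs.append((run_start, total - run_start))
    return runs


def compare_images(before: bytes, after: bytes) -> dict:
    """Full report: hashes, identity, MBR signature state and changed runs."""
    sig_before = mbr_disk_signature(before)
    sig_after = mbr_disk_signature(after)
    return {
        "sha256_before": sha256_hex(before),
        "sha256_after": sha256_hex(after),
        "identical": before == after,
        "signature_before": sig_before,
        "signature_after": sig_after,
        # the case jaclaz describes: a never-connected disk gets a signature
        "signature_written": sig_before == 0 and sig_after != 0,
        "changed_runs": changed_sector_runs(before, after),
    }


def build_sample_images():
    """Constructed sample, not a real drive: a 64-sector disk with a valid
    MBR boot marker (0x55AA at offset 510) and an all-zero disk signature,
    plus a second copy in which a signature was written and one data
    sector (sector 10) was modified."""
    disk = bytearray(64 * SECTOR_SIZE)
    disk[510], disk[511] = 0x55, 0xAA
    before = bytes(disk)
    after = bytearray(disk)
    struct.pack_into("<I", after, MBR_SIGNATURE_OFFSET, 0x1234ABCD)  # assumed value
    after[10 * SECTOR_SIZE:10 * SECTOR_SIZE + 8] = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    return before, bytes(after)


def main(argv):
    if len(argv) == 3:
        with open(argv[1], "rb") as f1, open(argv[2], "rb") as f2:
            before, after = f1.read(), f2.read()
    else:
        before, after = build_sample_images()
    report = compare_images(before, after)
    for key, value in report.items():
        if key.startswith("signature_") and isinstance(value, int):
            value = f"0x{value:08X}"
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

The script reads both images fully into memory, which is fine for the sample and for small test disks; for multi-hundred-gigabyte images the same sector loop would be run over chunked reads of the two files instead. The changed-run list is the starting point for the write-up the thread asks for: sector 0 points at MBR or disk-signature changes, while runs inside the volume area are candidates for timestamp, Recycle Bin or indexing writes that then need to be attributed with a filesystem parser.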
nannib
(@nannib)
Active Member
Joined: 17 years ago
Posts: 13
 

I wrote this many years ago 😉
http://www.nannibassetti.com/logfileexperiment.pdf

Nanni Bassetti
http://www.nannibassetti.com
http://www.caine-live.net


(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

FWIW, my go-to setup is FTK Imager + Tableau T35es or T8. But I've also compared resultant images from the same HDD with Tableau Imager.

And for cases where I've not been able to use a write-blocker I tested self-booting CDs and USB sticks with RAPTOR and WinFE (with FTK imager Lite) against my go-to setup and everything has verified i.e. hashes match.

The only danger with the self-booting option is missing the change in boot order sequence, but it's not a disaster.

HTH


Page 1 / 2