Use dd with compression, please advise

(@pmico)
Posts: 5
Active Member
Topic starter
 

Hello,

I'm trying to use your DD to save a disk image with compression. It seems that saving with compression is working, as I see the resulting image with a 'gz' suffix and the file size is really compressed.

But when I try to restore/reapply the image onto another system, it is unable to boot; the process does not work when I use the 'decomp' option.

To get the image I'm using this command:

dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

The image is created and zipped, and all seems correct. Without zip compression the image is 80 GB, compressed it is 8 GB.

The problem is when I'll try to restore/reapply the image onto a similar system.

dd -v if=z:\image\myimage.img.gz of=\\.\PhysicalDrive0 conv=noerror,decomp --localwrt

I get this error message:

"unable to copy file!"

What's wrong?
I've also tried using "-comp gzip / --decomp gzip", but I get the same error.
As far as I can see, my command syntax and options are apparently correct. I've also got some external logs, but their content is the same error that I see on the screen.

Please advise how to use DD with the compression/decompression options.

Best Regards

 
Posted : 09/10/2017 1:33 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

I haven't used DD on Windows and have not come across compression being available in DD directly. One would normally pipe the output of DD into a compression program...

The only 2 things that stand out as possibilities are:

1. When you compress the image you don't seem to add .gz to the output filename, so maybe you should omit it from the input filename when you are decompressing it? Maybe the decompression DD is looking for a file called image.img.gz.gz rather than image.img.gz. So try dd -v if=z:\image\myimage.img of=\\.\PhysicalDrive0 conv=noerror,decomp --localwrt

2. Maybe you have read only access to \\.\PhysicalDrive0

I'd be interested where you got your DD for Windows from?

 
Posted : 09/10/2017 1:57 pm
(@pmico)
Posts: 5
Active Member
Topic starter
 

Hi
I'm trying to use this DD because it is an 'all-in-one'; it seems that you don't need other tools to compress the image, and it seems to be quicker than using dd + gzip.

dd belongs to the Forensic Acquisition Utilities:
http://www.gmgsystemsinc.com/fau/

When I capture the image:
dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

The GZ suffix is automatically added; with the above command I get a myimage.img.gz file,

and if I try to restore, like you suggest, without the "gz" suffix like this:
dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

it is unable to find the image, so I have to put the image's full name, with the suffix.

I've got some examples from this document, and I guess that my syntax is not the problem:
http://mirrors.pdp-11.ru/_vax/www.bandwidthco.com/whitepapers/compforensics/dimaging/Forensic%20Acquisition%20Utilities.pdf

The disk is in write mode, because when I used another dd for Windows I was able to recover the image.
I'm trying to recover a Linux machine, but I guess that it should not be a problem for a DD.

 
Posted : 09/10/2017 4:09 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

and if I try to restore, like you suggest, without the "gz" suffix like this:
dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

That is not what AmNe5iA posted, but I don't think that even if you use the correct if and of it will change anything.

Could it be a "multidot" problem?
No, as the example in the PDF does have a few multidot filenames.

Try (for test only) to make a dd of a file and restore it, aka
dd.exe of=myfile.txt.gz if=d:\images\myfile.txt conv=noerror,comp
dd.exe if=myfile.txt.gz of=d:\images\myfile.txt conv=noerror,decomp

It could be an issue of accessing the \\.\Physicaldrive, which Windows OS are you running?

jaclaz

 
Posted : 09/10/2017 7:03 pm
(@pmico)
Posts: 5
Active Member
Topic starter
 

Hi,

First, Thanks for your suggestions…

Regarding the test that you suggested, I've just done it, with this result:

Note: 'drives.cmd' is a plain text file that I used for this test, and I had to use the 'localwrt' option because it is required.

dd -v if=drives.cmd of=myfile.txt.gz conv=noerror,comp --localwrt

-> it creates a file named myfile.txt.gz.gz (adds an extra suffix)

When I went to recover the file, I used:

dd -v if=myfile.txt.gz.gz of=myfile.txt conv=noerror,decomp --localwrt

But the output file 'myfile.txt' has zero bytes..

Regarding the disk, I'm using this wmi command to identify the drive; the name is \\.\Physicaldrive0:

wmic diskdrive get name, size, model

I'm assuming that PhysicalDrive0 is the right one, because this drive could be accessed to export the file using DD.

Regards

 
Posted : 09/10/2017 8:58 pm
(@pmico)
Posts: 5
Active Member
Topic starter
 

Hi again,

just to complement my previous post.

I did a little more testing with this DD version using a single file.

I did a test with a plain txt file:

dd if=myfile.txt of=myfile.img conv=noerror --localwrt

dd if=myfile.img of=myfile1.txt conv=noerror --localwrt

The contents of the file 'myfile1.txt' were something like:

VWdCbEFHY0Fjd0JvQUc4QWRBQWdBREVBTGdBNUFDNEFNQUFnQUhnQU5nQTBBQ0FB
VlFCdUFHa0FZd0J2QUdRQQ0KWlFBTkFBb0FRd0J2QUcwQWJRQmxBRzRBZEFCekFE
b0FJQUFOQUFvQVJBQmhBSFFBWlFCMEFHa0FiUUJsQURvQQ0KSUFBeUFEQUFNUUEz

but...

when I used the command without the 'noerror' option, I was able to recover the file.

This format:
dd if=myfile.txt of=myfile.img --localwrt

I also did the test using the 'comp/decomp' option... and it works; the problem is when I use the 'noerror' option.

The noerror option means 'continue reading after errors', then ??? If it transforms the file, the output seems encoded..

Either I don't know how to use this tool, or I couldn't rely on this tool ...

I've also been working with this one, more similar to the standard unix 'dd', and I was able to get/recover without problems, but with the inconvenience that I have to use an additional tool to compress the output and it takes quite a long time:

http://www.chrysocome.net/dd

Regards

 
Posted : 10/10/2017 6:34 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Technically the Chrysocome dd is a "different" program (it is re-written in Delphi).

"Real" ports of dd are either non-existent or not fully working or - just like in the case of the FAU version - overcomplicated by adding a number of (BTW often useful) options.

Just for the fun of it (and FYI) I did some time ago a proper "hunt" for one:
http://reboot.pro/topic/15207-why-everything-is-so-dmn-diificult-a-web-quest-for-ddexe/

Back to your issue, maybe the –conv=noerror is one problem (and can be avoided by not using the switch).

But the original one seems like an issue accessing Physicaldrive for writing. I asked you about the OS involved because on recent Windows OS (Vista and later) some parts of the Physicaldrive cannot be accessed in write mode; you need to put the disk offline (or use some other tricks).

See here:
http://reboot.pro/topic/8200-grubinstexe-write-failed-vista-ntfs-bootsector/?p=73590
https://communities.vmware.com/docs/DOC-10455
http://reboot.pro/topic/12413-lockdismount-v0300-update/
http://reboot.pro/topic/15069-lockvolume/

The FAU dd being (mainly) aimed at taking images of physicaldrives (and not usually to restore them) may well be missing a similar mechanism, and the .PDF you referenced, being dated 2003, was written when 2K/XP/2003 were in use (they don't have the same "locking" mechanism as later Windows NT based OSs) and on them the FAU dd should work flawlessly for restore as well.

jaclaz

 
Posted : 10/10/2017 10:37 am
(@pmico)
Posts: 5
Active Member
Topic starter
 

Hi,

Just removing the 'noerror' option works like a charm... I had no problem storing the file, and no problem restoring..

This is the 'formula' I've used, where drive "z" is a mapped network drive:

dd -v if=\\.\Physicaldrive0 of=z:\myfile.img conv=comp --localwrt
dd -v if=z:\myfile.img.gz of=\\.\Physicaldrive0 conv=decomp --localwrt

This 'dd' is quicker than using a combination of dd + 7zip, especially for restore times.

Best Regards

 
Posted : 11/10/2017 11:03 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Hi,

Just removing the 'noerror' option works like a charm... I had no problem storing the file, and no problem restoring..

Hmmm. ?
It may depend on situations. The \\.\PhysicalDrive0 normally is the boot disk and as such is in use; it would be needed to know your exact configuration and the exact OS involved to be sure (if you booted from a PE of some kind based on 7 or later then probably the \\.\PhysicalDrive0 is accessible just fine anyway, as it contains no boot/system volumes and the PE is booted from CD/DVD or from a USB stick that becomes \\.\Physicaldrive1; and besides, GPT disks may behave differently from MBR).

Still, JFYI, what you tested is not a confirmation of *anything*.

Mind you, not that it didn't work (most probably it did), only your testing procedure does not guarantee it worked.

The procedure should be:
1) make a dd image of the physicaldrive
2) make some changes to the physicaldrive contents (or wipe it)
3) restore the dd image taken in #1
4) make a new dd image of the physicaldrive
5) compare the images in #1 and #4

dd -v if=\\.\Physicaldrive0 of=z:\myfile.img conv=comp --localwrt
dd -v if=z:\myfile.img.gz of=\\.\Physicaldrive0 conv=decomp --localwrt

In the first line the --localwrt should not be needed.

jaclaz

 
Posted : 11/10/2017 3:00 pm
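An added Python example (not from the thread, nor part of the FAU dd) that implements the 5-step verification jaclaz lays out above and the earlier file-level comp/decomp test by hash: it checks a .gz by its header rather than its suffix, confirms its payload matches the original, and reports the first differing byte between image #1 and image #4 (None when identical; a zero-byte result, as in the drives.cmd test, reports offset 0). Python's own gzip and a temp directory stand in for the physical drive and the dd commands, which are assumed to be run separately.

```python
import gzip, hashlib, os, shutil, tempfile
CHUNK = 1 << 20  # 1 MiB reads, so an 80 GB image is never loaded whole

def digest(fobj):
    """Stream SHA-256 over an open binary file of any size."""
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(CHUNK), b""):
        h.update(block)
    return h.hexdigest()

def is_gzip(path):
    """gzip magic 1f 8b: a '.gz' or '.gz.gz' suffix proves nothing, the header does."""
    with open(path, "rb") as f:
        return f.read(2) == b"\x1f\x8b"

def gz_matches(gz_path, original):
    """File-level comp/decomp test: does the .gz payload hash equal the original's?"""
    if not is_gzip(gz_path):
        return False
    with gzip.open(gz_path, "rb") as g, open(original, "rb") as o:
        return digest(g) == digest(o)

def first_mismatch(path_a, path_b):
    """Step 5: None if identical, else byte offset of the first difference (empty file -> 0)."""
    offset = 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            ba, bb = a.read(CHUNK), b.read(CHUNK)
            if ba != bb:
                n = min(len(ba), len(bb))
                return offset + next((i for i in range(n) if ba[i] != bb[i]), n)
            if not ba:
                return None
            offset += len(ba)

def demo():
    """Constructed round trip in a temp dir standing in for the physical drive."""
    d = tempfile.mkdtemp()
    p = lambda name: os.path.join(d, name)
    open(p("drive.bin"), "wb").write(bytes(range(256)) * 4096)  # constructed 1 MiB "disk"
    with open(p("drive.bin"), "rb") as s, gzip.open(p("image.img.gz"), "wb") as t:
        shutil.copyfileobj(s, t)                     # step 1: compressed image
    with gzip.open(p("image.img.gz"), "rb") as s, open(p("restored.bin"), "wb") as t:
        shutil.copyfileobj(s, t)                     # steps 3-4: restore, re-read
    data = bytearray(open(p("drive.bin"), "rb").read()); data[70000] ^= 0xFF  # step 2
    open(p("tampered.bin"), "wb").write(data)
    open(p("empty.bin"), "wb").close()               # zero-byte output, as in the file test
    return {"gz_ok": gz_matches(p("image.img.gz"), p("drive.bin")),
            "restored_at": first_mismatch(p("drive.bin"), p("restored.bin")),
            "tampered_at": first_mismatch(p("drive.bin"), p("tampered.bin")),
            "empty_at": first_mismatch(p("drive.bin"), p("empty.bin"))}
```

Against real images, point first_mismatch at the files produced in steps 1 and 4; a non-None offset tells you where the restore diverged rather than merely that it did.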