Use dd with compression, please advise

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.
  

Use dd with compression, please advise

Post Posted: Mon Oct 09, 2017 7:33 am

Hello,

I'm trying to use your dd to save a disk image with compression. It seems that saving with compression works, as I see the resulting image with a '.gz' suffix and the file size is really compressed.

But when I try to restore/reapply the image onto another system, it is unable to boot; the process does not work when I use the 'decomp' option.

To get the image I'm using this command:

dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

The image is created and zipped, and all seems correct. Without compression the image is 80 GB, compressed it is 8 GB.

The problem is when I try to restore/reapply the image onto a similar system.

dd -v if=z:\image\myimage.img.gz of=\\.\PhysicalDrive0 conv=noerror,decomp --localwrt

I get this error message:

"unable to copy file!"

What's wrong?
I've also tried using "--comp gzip / --decomp gzip", but I get the same error.
As far as I can see, my command syntax and options are apparently correct. I've also got some external logs, but their content is the same error that I see on screen.

Please advise how to use dd with the compression/decompression options.

Best Regards  

pmico

Re: Use dd with compression, please advise

Post Posted: Mon Oct 09, 2017 7:57 am

I haven't used dd on Windows and have not come across compression being available in dd directly. One would normally pipe the output of dd into a compression program.

The only 2 things that stand out as possibilities are:

1. When you compress the image you don't seem to add .gz to the output filename, so maybe you should omit it from the input filename when you are decompressing it? Maybe the decompressing dd is looking for a file called image.img.gz.gz rather than image.img.gz. So try: dd -v if=z:\image\myimage.img of=\\.\PhysicalDrive0 conv=noerror,decomp --localwrt

2. Maybe you have read only access to \\.\PhysicalDrive0

I'd be interested to know where you got your dd for Windows from.

AmNe5iA
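The "pipe dd into a compressor" approach AmNe5iA describes, written out as an added example (this is not code from the thread, from the FAU utilities or from the Chrysocome dd): acquire through gzip, hash the uncompressed stream, verify the image without restoring it, then restore and re-hash the target. It assumes a POSIX shell with GNU dd, gzip and sha256sum; the 4 MiB source file, the $WORK/$SRC/$IMG/$DST names and the helper functions are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread and not part of the FAU or Chrysocome
# tools.  Assumes a POSIX shell plus GNU coreutils dd/sha256sum and gzip.
# The "disk" is a constructed 4 MiB file so this runs offline; on a real
# system SRC would be /dev/sdX and DST the target disk, and you would not
# call make_sample_disk at all.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SRC="$WORK/source.dd"        # stands in for the evidence device (constructed)
IMG="$WORK/image.img.gz"     # name the .gz yourself; gzip adds nothing here
DST="$WORK/restored.dd"      # stands in for the restore target
BS=65536                     # 64 KiB blocks; the sample size is a multiple of BS

# Build a deterministic 4 MiB sample "disk": a fake boot record at offset 0,
# some text from sector 1 onward, zeros elsewhere (so it compresses well).
make_sample_disk() {
    dd if=/dev/zero of="$SRC" bs="$BS" count=64 2>/dev/null
    printf 'FAKE-BOOT-RECORD' | dd of="$SRC" conv=notrunc 2>/dev/null
    yes 'sample filesystem data' | head -c 65536 \
        | dd of="$SRC" bs=512 seek=1 conv=notrunc 2>/dev/null
}

hash_of() { sha256sum < "$1" | cut -d' ' -f1; }

# Acquire: conv=noerror keeps reading past read errors and conv=sync pads the
# failed block with zeros so later offsets still line up.  The raw stream goes
# straight into gzip and never hits the disk uncompressed.  The source is
# hashed first so there is something to verify the image against.
acquire() {
    hash_of "$SRC" > "$WORK/source.sha256"
    dd if="$SRC" bs="$BS" conv=noerror,sync 2>"$WORK/acquire.log" | gzip -1 > "$IMG"
    ! grep -qi 'error' "$WORK/acquire.log"     # any read error is logged here
}

# Verify the image without restoring it: gzip -t checks the container and the
# hash of the decompressed stream must equal the source hash.
verify_image() {
    gzip -t "$IMG"
    [ "$(gzip -dc "$IMG" | sha256sum | cut -d' ' -f1)" = "$(cat "$WORK/source.sha256")" ]
}

# Restore: decompress on the fly into dd.  No conv=noerror here: a write error
# on restore should stop you, not be skipped.  Then re-hash the target.
restore() {
    gzip -dc "$IMG" | dd of="$DST" bs="$BS" 2>"$WORK/restore.log"
    [ "$(hash_of "$DST")" = "$(cat "$WORK/source.sha256")" ]
}

# Whole round trip; returns non-zero if any check fails.
run_roundtrip() {
    make_sample_disk && acquire && verify_image && restore
}

run_roundtrip && echo "round trip verified: $(cat "$WORK/source.sha256")"
```

On a real acquisition replace SRC with the device and drop make_sample_disk. Two caveats worth knowing: conv=sync pads the last partial block up to bs, so either choose a bs that divides the device size or expect the image to be slightly larger than the device; and with bash you can avoid reading the device twice by tee-ing the raw stream into sha256sum with process substitution, which is left out here to stay POSIX.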

Re: Use dd with compression, please advise

Post Posted: Mon Oct 09, 2017 10:09 am

Hi,
I'm trying to use this dd because it is an 'all-in-one', it seems that you don't need other tools to compress the image, and it seems to be quicker than using dd + gzip.

dd belongs to the Forensic Acquisition Utilities:
www.gmgsystemsinc.com/fau/

When I capture the image:
dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

The .gz suffix is automatically added; with the above command I get the file myimage.img.gz

and if I try to restore, as you suggest, without the "gz" suffix, like this
dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

it is unable to find the image, so I have to give the full image name, with the suffix.


I've got some examples from this document, and I guess that my syntax is not the problem:
mirrors.pdp-11.ru/_vax...lities.pdf

The disk is in write mode, because when I use another dd for Windows I am able to recover the image.
I'm trying to recover a Linux machine, but I guess that should not be a problem for a dd.

pmico

Re: Use dd with compression, please advise

Post Posted: Mon Oct 09, 2017 1:03 pm

pmico wrote:
> and if I try to restore, as you suggest, without the "gz" suffix, like this
> dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt


That is not what AmNe5iA posted, but I don't think that even if you use the correct if and of it will change anything.


Could it be a "multidot" problem?
No, as the example in the PDF does have a few multidot filenames.

Try (for test only) to make a dd of a file and restore it, i.e.:
dd.exe of=myfile.txt.gz if=d:\images\myfile.txt conv=noerror,comp
dd.exe if=myfile.txt.gz of=d:\images\myfile.txt conv=noerror,decomp

It could be an issue of accessing the \\.\Physicaldrive; which Windows OS are you running?

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. -

Re: Use dd with compression, please advise

Post Posted: Mon Oct 09, 2017 2:58 pm

Hi,

First, thanks for your suggestions.

Regarding the test that you suggested, I've just done it, with this result.

Note: 'drives.cmd' is a plain text file that I used for this test, and I had to use the 'localwrt' option because it is required.

dd -v if=drives.cmd of=myfile.txt.gz conv=noerror,comp --localwrt

-> it creates a file named myfile.txt.gz.gz (adds an extra suffix)

When I went to recover the file, I used:

dd -v if=myfile.txt.gz.gz of=myfile.txt conv=noerror,decomp --localwrt

But the output file 'myfile.txt' has zero bytes.


Regarding the disk, I'm using this WMI command to identify the drive; the name is \\.\Physicaldrive0

wmic diskdrive get name, size, model

I'm assuming that PhysicalDrive0 is the right one, because this drive could be accessed to export the file using dd.

Regards  

pmico

Re: Use dd with compression, please advise

Post Posted: Tue Oct 10, 2017 12:34 am

Hi again,

just to complement my previous post:

I've done a little more testing with this dd version using a single file.

I did a test with a plain txt file:

dd if=myfile.txt of=myfile.img conv=noerror --localwrt

dd if=myfile.img of=myfile1.txt conv=noerror --localwrt

the contents of the file 'myfile1.txt' were something like:

VWdCbEFHY0Fjd0JvQUc4QWRBQWdBREVBTGdBNUFDNEFNQUFnQUhnQU5nQTBBQ0FB
VlFCdUFHa0FZd0J2QUdRQQ0KWlFBTkFBb0FRd0J2QUcwQWJRQmxBRzRBZEFCekFE
b0FJQUFOQUFvQVJBQmhBSFFBWlFCMEFHa0FiUUJsQURvQQ0KSUFBeUFEQUFNUUEz

but...

when I used the command without the 'noerror' option, I was able to recover the file.

This format:
dd if=myfile.txt of=myfile.img --localwrt

I've also done the test using the 'comp/decomp' option, and it works; the problem is when I use the 'noerror' option.

The noerror option means 'continue reading after errors', doesn't it? If it transforms the file, the output seems encoded.

Either I don't know how to use this tool, or I can't rely on it.


I've also been working with this one, which is more similar to the standard Unix 'dd', and I was able to get/recover without problems, but with the inconvenience that I have to use an additional tool to compress the output, and it takes quite a long time:

www.chrysocome.net/dd

Regards  

pmico

Re: Use dd with compression, please advise

Post Posted: Tue Oct 10, 2017 4:37 am

Technically the Chrysocome dd is a "different" program (it is rewritten in Delphi).

"Real" ports of dd are either non-existent, or not fully working, or, just like in the case of the FAU version, overcomplicated by the addition of a number of (BTW often useful) options.

Just for the fun of it (and FYI), some time ago I did a proper "hunt" for one:
reboot.pro/topic/15207...for-ddexe/

Back to your issue: maybe conv=noerror is one problem (and it can be avoided by not using the switch).

But the original one seems like an issue with accessing the Physicaldrive for writing. I asked you about the OS involved because on recent Windows OSes (Vista and later) some parts of the Physicaldrive cannot be accessed in write mode; you need to put the disk offline (or use some other tricks).

See here:
reboot.pro/topic/8200-...r/?p=73590
communities.vmware.com.../DOC-10455
reboot.pro/topic/12413...00-update/
reboot.pro/topic/15069-lockvolume/

The FAU dd, being (mainly) aimed at taking images of physicaldrives (and not usually at restoring them), may well be missing a similar mechanism, and the PDF you referenced, being dated 2003, was written when 2K/XP/2003 were in use (they don't have the same "locking" mechanism as later Windows NT based OSes); on them the FAU dd should work flawlessly for restore as well.

jaclaz