±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36595
New Yesterday: 4 Visitors: 149

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Imaging USB drive

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

mark777
Senior Member
 

Imaging USB drive

Post Posted: Oct 15, 08 13:28

I have a Packard Bell Store and Save 3500 USB drive to image.

Owner says there is no power lead for it so I have had to acquire one that powers the drive but is not an original for that drive.

Tried to image the drive the following ways

Out of case attached via write blocker in DOS (encase) and helix.

In case using USB write blocker using Encase 3, 4 ,5 and 6 - FTK, WinHex and Helix.

All times it starts and then slows to less that .002 Mb per min after about 10% of the drive.

I have even tried creating LEF in encase of the individual folders with the same result.

Even just trying to copy the files across starts and then slows to less that a snails pace with a 15Mb zip file taking over 4 hours (there are hundreds on the drive).

Has any body come across this that may have a suggestion that would get this drive imaged in less than my life time please.

1st option of course is the drive is useless but the owner swears it was working (it has a lot of his music and films on as well as other things) when seized.

Thanks in advance.

PS

The method of swearing at it and throwing it against the wall is already on the list of things to do. Laughing
_________________
Mark 
 
  

MoRRiS
Newbie
 

Re: Imaging USB drive

Post Posted: Oct 15, 08 20:43

Hi,
can the device be opened? maybe the power lead you bought does not provide enough power to the device. Or maybe the drive is failing.
Can you use a tool to read the SMART table to see if there are some parameters that look like the drive is about to fail ?  
 
  

mark777
Senior Member
 

Re: Imaging USB drive

Post Posted: Oct 16, 08 01:56

Thanks for that. I have actually had the drive out of the container and tried to image in DOS but alas no luck as yet. The more it goes the more i am leaning toward a failing drive.
_________________
Mark 
 
  

BitHead
Senior Member
 

Re: Imaging USB drive

Post Posted: Oct 16, 08 02:32

If you look at the drive (with the write blocker) in FTK Imager, WinHex, etc. do all the expected files appear?

I read that you were using Helix. Are you booting to Helix and mounting the drive or using the Windows application? I have found some occasions where booting to Linux allows access to drives that Windows (and even DOS) do not like to play with.

If I recall, there are also some goofy sync apps that came with that device. Perhaps using those tools would give access to the files.  
 
  

mark777
Senior Member
 

Re: Imaging USB drive

Post Posted: Oct 18, 08 00:18

This is the strangest thing.

I have tried helix (Windows and booting) both ways. Neither will image for more than 5 or 10 minutes.

Another strange thing is when plugged into a machine through a write blocker the drive pops up as normal and I can scroll through it, access all folders and view all files ( images, audio, video) OK. If however I try to create logical evidence files or image an individual folder it wont do it (freezes after a few seconds) or even if I just try to copy a file out onto my work machine it freezes)

Not even shouting and swearing at it works. Strange indeed.
_________________
Mark 
 
  

neddy
Senior Member
 

Re: Imaging USB drive

Post Posted: Oct 18, 08 04:09

Have you tried dcfldd with helix booted to console mode loaded into RAM?
I would suggest that you are looking at a disk with numerous bad sectors and FTK Imager will eventually image it but will record a shedload of errors. You also run the risk of damaging the disk further the more you access it. I may be wrong and members are free to correct me but the reason you can see the files via normal write blocked access may be due to the possibility that the disks $mft is intact but the sectors pointing to the files may not be in the best of shape. Hope you have some success.
_________________
Neddy
Forensic Computer Analyst (LE)
BSc (Hons)
!(-.-)!~~ 
 
  

gmarshall139
Senior Member
 

Re: Imaging USB drive

Post Posted: Oct 21, 08 16:42

The reason you are able to see the folder structure is that it is reading as far as the FAT or MFT. I think you are correct in that you have a failing drive. Your best bet is to try doing a dd image, it will ignore the errors and make the image as it is whereas Encase will try and re-read sectors reporting errors.
_________________
Greg Marshall, EnCE 
 

Page 1 of 2
Page 1, 2  Next