
Really digging Backblaze now.  Only $5/mo, and it backs up *all drives* on a system (including the USB drives, not just the main system drive).

Much much better than Mozy or Carbonite, which I used to use on different computers…

Now on PortableApps — SIW is an advanced System Information for Windows tool that gathers detailed information about your system properties and settings and displays it in an extremely comprehensible manner.

 

WiseData now has a version for Portable Apps

Wise Data Recovery is a data and file recovery utility allowing you to recover files and folders that have been deleted. Like many system utilities, this requires admin privileges to run.

Wise Data Recovery is a file and data recovery utility allowing you to recover files and folders that have been deleted and marked as free space. It works on local hard drives, removable flash drives, memory cards and other drives on your system. After scanning your drive, the interface will list the files that can be recovered and the likelihood of being able to recover the entire file.

 

Pipeviewer (pv) shows the progress of a dd session

# dd if=massive_image.iso | pv | dd of=/dev/sde

pv shows the output:

2.47GB 0:16:54 [3.19MB/s]

examples:

  • http://www.freebsdwiki.net/index.php/Pv

We’ve all been there!


Ever need to quickly show someone something but you don’t want to deal with logging in an important box?

InstantServer.io creates a server on-the-fly for 35 minutes. Perfect for quick sessions with friends, particularly when coupled with something like screen

From their website:

What is this?

Click the button to get a virtual private server.

Specs?

Ubuntu 13.04, 64-bit, 614 MiB of RAM, 8 GiB storage. It’s an ec2 micro instance.

What’s the catch?

The server gets destroyed after 35 minutes. You can pay to keep it longer.

When would I use this?

Among other reasons, perhaps:

  • You need another computer to test something quickly
  • You need to install and use a utility for one thing, and don’t want to clutter your own environment
  • You need a vanilla environment to get something to build and run properly
  • You need linux but accidentally used windows

Why shouldn’t I just spin up an ec2/rackspace/linode instance?

They all make it slower and more difficult than it should be.

xxcopy is a flexible command-line tool for moving files between Windows directories.  Perhaps its most powerful feature is its set of switches with predefined workflows (e.g. flattening all the files in subdirectories into one).

Personally, I use it when consolidating subdirectories.  For example, when PhotoRec recovers files into folder.01, folder.02, folder.03, etc., you can use it to scan all the folders and then put the files in one folder.

e.g.


xxcopy d:\folder*.jpg e:\consolidated /yy /sx

Ever reinstall Windows, only to realize that you don’t have a nice list of hardware?

SIW.exe prints out a nice list of what’s inside, which helps narrow down the driver software.

(If you don’t mind dubious Facebook hooks, SlimDrivers actually automatically downloads the drivers from the Internet.)

System Information for Windows

SIW is an advanced System Information for Windows tool that analyzes your computer and gathers detailed information about system properties and settings and displays it in an extremely comprehensible manner.

SIW can create a report file (CSV, HTML, TXT or XML), and is able to run in batch mode (for PC Software and Hardware Inventory, Asset Inventory, Software License Management, Security Audit, Server Configuration Management).

The System Information is divided into a few major categories:

  • Software Information: Operating System, Software Licenses (Product Keys / Serial Numbers / CD Key), Installed Software and Hotfixes, Processes, Services, Users, Open Files, System Uptime, Installed Codecs, Passwords Recovery, Server Configuration.
  • Hardware Information: Motherboard, CPU, Sensors, BIOS, chipset, PCI/AGP, USB and ISA/PnP Devices, Memory, Video Card, Monitor, Disk Drives, CD/DVD Devices, SCSI Devices, S.M.A.R.T., Ports, Printers.
  • Network Information: Network Cards, Network Shares, currently active Network Connections, Open Ports.
  • Network Tools: MAC Address Changer, Neighborhood Scan, Ping, Trace, Statistics, Broadband Speed Test
  • Miscellaneous Tools: Eureka! (Reveal lost passwords hidden behind asterisks), Monitor Test, Shutdown / Restart.
  • Real-time monitors: CPU, Memory, Page File usage and Network Traffic.

A list of more free ones can be found here.

 

 

Here’s a great tutorial for beginners learning how to disk image:

 

Forensics – Disk Imaging

 

For one reason or another you may want to make a copy of a hard disk. I will describe methods to create a bit-for-bit copy of a hard disk either to a local device or over a network.

The thing to remember throughout the examples listed below is that Linux treats everything as a file. So the file it sees as hda in the /dev directory is actually the hard disk.

The following software will be used in the examples listed below.

  • A bootable live linux distro that does not auto mount drives such as Helix
  • dd
  • nc
  • split
  • md5sum
  • cat

dd, nc, md5sum, cat and split are available on Linux and Windows.

Regarding hardware you will require the following.

  • 2 x Computers (if creating a copy across a network)
  • USB thumb drive
  • USB hard drive (If creating the image to a USB hard drive)

 

Example 1 – A Copy Across A Network

To make a copy across a network you will need 2 computers, the target computer, Computer01, and the computer you will be copying to, Computer02.

  1. Insert the Linux boot disk into Computer01 and boot the system into Linux.
  2. Insert the USB thumb drive; if it doesn’t mount automatically, mount it manually. In my examples below I will assume it is /dev/sdb1 and has been mounted as /media/USB.
  3. Locate the disk you want to copy in the /dev directory. In my examples the hard disk will be called hda; yours may be something similar.
  4. Using the command md5sum /dev/hda >/media/USB/diskimage_md5hash.txt, create an MD5 hash of the drive on the mounted USB drive so you can test it against the copied file to verify its integrity.
  5. On Computer02, make sure you have enough disk space to accommodate a file the size of the disk you are going to copy and, using netcat (nc), run the command:

nc -L -p 6677 >c:\diskimage.img

What you have done here is to set up netcat (nc) to listen persistently (-L) on port 6677 (-p 6677) and send the output to a file on C:\ of Computer02 (>c:\diskimage.img).

  6. From Computer01 run the following command:

dd if=/dev/hda | nc 192.168.1.2 6677

This command assumes that the IP address of Computer02 is 192.168.1.2. By running this command you will be copying the input file /dev/hda (if=/dev/hda) from Computer01 to C:\diskimage.img on Computer02 using netcat (nc).

  7. Finally, after the copy has finished, you can run md5sum on Computer02 against the C:\diskimage.img file and compare the result to the md5sum taken earlier to verify the copies are identical.

 

Example 2 – A Local Copy to a USB Storage Device

In this example you will need only the Target PC and a USB storage device large enough to hold the image.

  1. Insert the Linux boot disk into the computer and boot the system into Linux.
  2. Connect the USB storage device; if it doesn’t mount automatically, mount it manually. In my examples below I will assume it is /dev/sdb1 and has been mounted as /media/USB.
  3. Locate the disk you want to copy in the /dev directory. In my examples the hard disk will be called hda; yours may be something similar.
  4. Using the command md5sum /dev/hda >/media/USB/diskimage_md5hash.txt, create an MD5 hash of the drive on the mounted USB device so you can test it against the copied file to verify its integrity.
  5. Run the following command:

dd if=/dev/hda of=/media/USB/diskimage.img

This will copy the disk as a file onto the USB storage device as diskimage.img.

  6. Create another MD5 hash of the image on the storage device and compare it to the original to verify the integrity of the copy.

 

The result of both of the examples above is a forensically sound image of the hard disk.
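
The steps above hash the disk, copy it, then hash the copy, which reads the source twice. The sketch below is an added example, not part of the original tutorial: it hashes the byte stream while dd copies it, then re-checks the stored image. It assumes GNU coreutils, uses sha256sum by default (set HASH=md5sum to match the commands above), and runs on a constructed stand-in file rather than /dev/hda; acquire, verify and hash_of are hypothetical helper names.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
HASH=${HASH:-sha256sum}   # assumption: set HASH=md5sum to mirror the page

# hash_of FILE: print only the hex digest of FILE (or of a device node)
hash_of() { $HASH <"$1" | cut -d' ' -f1; }

# acquire SRC DST: image SRC to DST and hash the stream in the same pass.
# tee writes the image while the hash tool reads the identical byte stream,
# so DST.hash describes what was read from SRC, not what landed on DST.
# dd's own messages (record counts, read errors) are kept in DST.ddlog.
acquire() {
    dd if="$1" bs=1M 2>"$2.ddlog" | tee "$2" | $HASH | cut -d' ' -f1 >"$2.hash"
}

# verify IMG: re-read the stored image and compare with the acquisition hash.
verify() { [ "$(hash_of "$1")" = "$(cat "$1.hash")" ]; }

# --- demo on constructed data (stand-in for /dev/hda) ---
work=$(mktemp -d)
head -c 300000 /dev/urandom >"$work/fake_disk"
acquire "$work/fake_disk" "$work/diskimage.img"
if verify "$work/diskimage.img"; then
    echo "image matches acquisition hash: $(cat "$work/diskimage.img.hash")"
else
    echo "MISMATCH: image differs from what was read" >&2
fi
```

Keep the .hash and .ddlog files with the image; a later verify run detects any change to the stored copy.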

Advanced Usage of dd for Imaging

Whilst using the methods above you may come across issues: for example, the PC cannot read some of the sectors of the drive you are copying, the file needs splitting to fit onto CDs, or the image needs splitting to fit on a device that is FAT32 and requires files to be smaller than 2GB.

 

Copying an image from a disk with bad sectors

When imaging a drive that is starting to have some bad sectors the command below can be used.

dd if=/dev/hda of=/media/USB/diskimage.img conv=noerror,sync

This will allow dd to proceed past read errors, and pad the destination with 0’s where there were errors on the source drive (so your size and offsets will match). If you do this, you may want to consider redirecting standard-error out to a file, so you have a record of where your errors were.

Splitting images

This can be done using a couple of different methods.

The easiest method is by using the split program. The syntax for the command if you required a 4GB image to fit on CDs would be:

dd if=/dev/hda | split -b 620m - /USB/sda/

This will run the input file (/dev/hda) through split and create several files of 620MB (-b 620m) in the directory /USB/sda/. The files will usually be called x** (* denotes a wildcard in this example); x is split’s default prefix, and with the prefix /USB/sda/ given above the pieces are named aa, ab, and so on inside that directory.

These files can be reformed into an image file using the cat command.

cat x* > bigimage.img

Then create a hash of the file using md5sum and compare to the original hash value.

md5sum bigimage.img

Alternatively, if split is not available you can use dd by itself with the skip, bs (block size) and count switches, so that each run starts reading where the previous one stopped instead of at the beginning of the file.

dd if=/dev/hda of=/media/USB/image1.img bs=1M count=620

dd if=/dev/hda of=/media/USB/image2.img bs=1M count=620 skip=620

dd if=/dev/hda of=/media/USB/image3.img bs=1M count=620 skip=1240

dd if=/dev/hda of=/media/USB/image4.img bs=1M count=620 skip=1860

dd if=/dev/hda of=/media/USB/image5.img bs=1M count=620 skip=2480

etc., until the end of the input file.

What is happening here is you are telling dd to work in 1MB blocks (bs=1M), to only copy 620MB at a time (count=620) and, for every image after the first, to skip to a particular part of the input file (skip=620 etc.), thus creating several images that can then be copied to CDs. skip is the number of whole blocks passed over before reading starts, so each value is a multiple of count; a value one block higher would leave a 1MB hole at every boundary and the reassembled image would no longer match the original hash. Once on the target system and in the same directory (I will assume the directory is /home/me) they can be put back together into a single image using the command below.

cat /home/me/image* > bigimage.img

Md5sum can be run against this image and compared to the original md5 hash to verify the integrity.
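
The skip arithmetic above, written as a loop (an added example, not from the original tutorial). chunk_image and the file names are hypothetical, GNU dd is assumed, and the demo cuts a constructed 2.5 MiB file into 1 MiB pieces instead of reading /dev/hda.

```sh
#!/bin/sh
# Added example, not from the original tutorial.
# chunk_image SRC OUTDIR CHUNK_MIB: cut SRC into CHUNK_MIB-sized pieces with dd
# and print how many pieces were written.
# Piece i starts at block i*CHUNK_MIB, so skip is always a multiple of count;
# an offset of i*count+1 would silently drop 1 MiB at every boundary.
chunk_image() {
    src=$1; out=$2; count=$3
    size=$(wc -c <"$src")          # for a block device: blockdev --getsize64 DEV
    mib=$((1024 * 1024))
    pieces=$(( (size + count * mib - 1) / (count * mib) ))   # round up
    i=0
    while [ "$i" -lt "$pieces" ]; do
        # zero-padded names keep image010 after image009 when the shell globs
        name=$(printf '%s/image%03d.img' "$out" "$i")
        dd if="$src" of="$name" bs=1M count="$count" skip=$((i * count)) 2>/dev/null
        i=$((i + 1))
    done
    echo "$pieces"
}

# --- demo on constructed data (stand-in for /dev/hda) ---
work=$(mktemp -d); mkdir "$work/parts"
head -c 2621440 /dev/urandom >"$work/fake_disk"          # 2.5 MiB
n=$(chunk_image "$work/fake_disk" "$work/parts" 1)
cat "$work"/parts/image*.img >"$work/bigimage.img"
echo "$n pieces written"
md5sum "$work/fake_disk" "$work/bigimage.img"            # digests must be equal
```

The last piece is shorter than the others whenever the source size is not a multiple of the chunk size, which is expected.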

Dd To a Zipped Image

You can pipe dd through gzip to save on some disk space.

dd if=/dev/hda | gzip -f > /media/USB/compressed_image.img.gz

 

Using Split & Gzip Together

To help cope with size limits, gzip and split can be used together. This splits the image and compresses it in one step, which saves space and requires less work. Below is the syntax used to perform this and an explanation of the command.

dd if=/dev/hda | gzip -c | split -b 2000m - /media/USB/image.img.gz

  1. dd is used to take an image of the hard drive.
  2. This is passed to gzip (-c writes to stdout).
  3. The compressed image is then piped to the split tool (split then creates the files image.img.gzaa, image.img.gzab, etc.).

To restore the multi-file backup, run the command below:

cat /media/USB/image.img.gz* | gzip -dc | dd of=/dev/hda

  1. cat writes the contents of the zipped and split image files to stdout in order.
  2. Results are piped through gzip and decompressed.
  3. And are then written to the hard drive with dd.

Creating empty disk images

To create an empty disk image, get the data from /dev/zero. To create a 10MB image or file:

dd if=/dev/zero of=image bs=1M count=10

Or

dd of=image bs=1M count=0 seek=10

In the second example nothing is written, not even zeroes, we just seek 10MB into the file and close it. The result is a sparse file that is implicitly full of 10MB of zeroes, but that takes no disk space. ls -la will show 10MB, both du and df will show 0. When the file is written to, Linux will allocate disk space for the data. ls will continue to show 10MB, but du will gradually approach 10MB.

Notes:

Whilst researching the use of dd another tool was brought to my attention which is called dcfldd. This tool is like dd in many ways and uses similar syntax but is also able to produce hashes on the fly and can provide status of copying files amongst other useful features. It’s available on both Linux and Windows.