Creating Forensic Copies and Backups of Any Media

Using almost any flavor of GNU/Linux it’s possible to make forensic-quality, bit-for-bit copies of hard drives and almost any other type of media, such as USB flash drives or memory cards. This procedure is useful for law enforcement preserving data for analysis, and for making high quality, personal backups of your own media. Best of all, this example uses completely free software and is very easy to do once you get the hang of it.

In the following example, I’m making a forensic copy of my office desktop PC’s main hard drive to a USB hard drive before I attempt to clean up a recent malware infection. By taking an exact copy of the disk in a working condition, I can start over as many times as needed until it is clean of the infection.

Note: Unplug the network cable as soon as you notice any strange activity on your PC indicating a virus or malware infection. Until the machine is isolated, nothing stops the malware from sending your private data out to the bad guys.

First, download and burn a recent copy of the Knoppix live boot CD. Knoppix is a complete Linux boot CD with the kernel modules needed to boot most hardware, can read and write NTFS, and works very well with most types of removable media.

Download Link

Determining the device IDs of the source and destination disk

With the external storage disconnected, boot the Knoppix disk and select ‘Shell’ from the main menu.

First we need to determine what device ID is assigned to your primary disk. In this example we’re looking for a standard ATA (IDE) disk, which the older kernels on these CDs name ‘hda’, ‘hdb’ and so on. If you had a SCSI disk (or a newer kernel, which names every disk ‘sda’, ‘sdb’, …) you would grep SCSI instead of ATA. Type the following:

dmesg | grep ATA

The output:

hda: WDC WD400BB-53AUA1, ATA DISK drive
hdc: CRD-8482B, ATAPI CD/DVD-ROM drive
hdd: WDC WD400BB-32DEA0, ATA DISK drive

In this case, ‘hda’ is the disk we’re backing up. Write this down.

Now, plug in a USB hard drive and wait about 15-20 seconds for Linux to detect and assign it a device ID. Type the following:

dmesg | grep SCSI

Look for the disk that was not there before you plugged the drive in. In this case ‘/dev/sdb’ is the USB disk and ‘/dev/sdb1’ is its primary partition, where we’re storing the backup. Write this down, and double-check it is not the disk you are about to image: the backup file will be as large as the source disk, so the USB disk must have at least that much free space.

Mount the external disk:

mkdir usbhdd
mount /dev/sdb1 usbhdd

Note: To unmount the USB disk cleanly, use ‘umount usbhdd’. Not now though!

Create a backup image

This process can take quite a long time depending on the size of the source disk and the speed of your disks; a 250 GB HDD typically takes 4-5 hours using this method. We’re going to use the ‘dd’ command to create the backup copy of the disk. The conv=noerror option tells dd to keep going when it hits an unreadable block instead of aborting, and conv=sync pads every short read out to the full block size with zeros, so everything after a bad spot still lands at the same offset in the image as it has on the disk. Without them, a single bad sector would either abort the copy or shift the rest of the image. Two caveats: each read error zero-fills a whole block of bs bytes (64 KiB here), so on a disk that is throwing errors use a smaller bs such as 512 to lose less data around each bad sector; and the result is an image with the same size and layout, not a guaranteed identical one. On a healthy disk, hashing the source and the image (sha256sum or md5sum) is the way to prove they match.

dd if=/dev/hda of=usbhdd/backup.img conv=noerror,sync bs=64K

There will be no progress indication while creating the image, so you’ll just have to be patient. If you really want to see what’s going on, you can open a new shell by pressing Ctrl-Alt-F2 and issuing the ‘vmstat 1’ command to monitor IO activity, or send dd a SIGUSR1 (‘kill -USR1 $(pidof dd)’), which makes GNU dd print the number of records copied so far on the first console. Press Ctrl-Alt-F1 to return to the primary shell. When done, verify the backup image by comparing the partition table and geometry of the physical HDD and the backup image using fdisk; fdisk reads the table from the first sector of the image exactly as it does from the disk, so the output of the following two commands should be identical:

fdisk -l usbhdd/backup.img
fdisk -l /dev/hda
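Putting the imaging and verification steps together, here is a small POSIX shell script as an added example; it is not from the original post. It images a source (a block device, or an ordinary file for a dry run) with the same dd options used above, refuses to start if the destination does not have room, keeps dd’s own messages in a log beside the image, and verifies the copy by SHA-256. Because conv=sync pads the final short block with zeros, the image can be longer than the source, so the check hashes only the first <size> bytes of the image. The function names and the .sha256 and .dd.log sidecar files are my own conventions; blockdev, sha256sum and head -c are assumed to be available, as they are on Knoppix.

```sh
#!/bin/sh
# Added example (not from the original post): image a disk with the same dd
# options as above, after checking the destination has room, and verify the
# copy by SHA-256. Works on a block device or, for a dry run, a plain file.
set -u

# Block size for dd. With conv=sync a read error zero-fills a whole block
# of this size, so pick something smaller (bs=512) on a disk that is failing.
BS=64K

# byte_size PATH: size in bytes of a block device or a regular file
byte_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# hash_bytes FILE NBYTES: SHA-256 of the first NBYTES of FILE
hash_bytes() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# make_image SRC IMG: dd SRC to IMG with conv=noerror,sync, then compare the
# hash of SRC with the hash of the first <size> bytes of IMG (conv=sync pads
# the last short block with zeros, so IMG may be longer than SRC). On success
# prints "ok <sha256>", writes IMG.sha256 and returns 0; otherwise returns 1.
# dd's own messages (read errors, records in/out) are kept in IMG.dd.log.
make_image() {
    src=$1; img=$2
    size=$(byte_size "$src") || return 1

    # a 250 GB disk needs a 250 GB image: refuse early rather than fail hours in
    avail_kb=$(df -Pk "$(dirname "$img")" | awk 'NR == 2 { print $4 }')
    [ -n "$avail_kb" ] || return 1
    if [ $((avail_kb * 1024)) -lt "$size" ]; then
        echo "destination has $((avail_kb * 1024)) bytes free, need $size" >&2
        return 1
    fi

    dd if="$src" of="$img" conv=noerror,sync bs="$BS" 2> "$img.dd.log" || return 1

    src_hash=$(hash_bytes "$src" "$size")
    img_hash=$(hash_bytes "$img" "$size")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "MISMATCH source=$src_hash image=$img_hash (see $img.dd.log)" >&2
        return 1
    fi
    # sidecar in "sha256sum -c" format, so the image can be re-verified later
    printf '%s  %s\n' "$src_hash" "$img" > "$img.sha256"
    echo "ok $src_hash"
}

# From the Knoppix shell, once usbhdd is mounted:
#   make_image /dev/hda usbhdd/backup.img
```

The source is hashed before the copy is checked, so on a real disk this reads the drive twice; that is the price of knowing the image is good before you start wiping the original. If make_image reports a mismatch, open the .dd.log file: every "Input/output error" line there marks a block that was zero-filled in the image.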

Restoring the backup

Use dd again to restore your backup to the physical disk. Take note that ‘if’ and ‘of’ (input and output) are simply reversed. Because the image is a copy of the whole disk, this overwrites the partition table and every partition on the target, which must be at least as large as the original disk:

dd if=usbhdd/backup.img of=/dev/hda conv=noerror,sync bs=64K

Browsing the backup

For browsing the backup image from a Windows machine, I recommend WinImage. It allows you to open the image and browse files using an interface similar to Windows Explorer. Under Linux you can mount the image through the loop device, but remember that backup.img is a copy of the whole disk, not of one partition: the filesystem starts after the MBR, so you must give mount the partition’s byte offset (its start sector from ‘fdisk -l usbhdd/backup.img’ multiplied by the sector size, normally 512) using the ‘-o loop,ro,offset=…’ options. Always mount it read-only (‘ro’, or the ‘-r’ switch) so no changes are made to the image by accident.
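The offset arithmetic is easy to get wrong by hand, so here is an added example (not from the original post) that reads the partition start straight out of the MBR in the image and mounts that partition read-only. It assumes a classic MBR partition table and 512-byte sectors, which is what a disk like the one imaged above has; it does not handle GPT. The function names and the /mnt/backup mount point are my own.

```sh
#!/bin/sh
# Added example (not from the original post): locate a partition inside a
# whole-disk image and mount it read-only. A dd image of /dev/hda starts
# with the MBR, so the filesystem does not begin at byte 0 and mount needs
# offset=<partition start in bytes>. Assumes a classic MBR (not GPT) and
# 512-byte sectors.
set -u

SECTOR=512

# mbr_part_start_lba IMG N: start sector of primary partition N (1-4), read
# from the MBR table at byte 446 (16 bytes per entry: type byte at +4,
# 32-bit little-endian start LBA at +8). Fails if the slot is empty.
mbr_part_start_lba() {
    img=$1; n=$2
    [ "$n" -ge 1 ] && [ "$n" -le 4 ] || return 1
    entry=$((446 + (n - 1) * 16))
    ptype=$(od -An -t u1 -j $((entry + 4)) -N 1 "$img" | tr -d ' ')
    [ "$ptype" -ne 0 ] || return 1
    # four bytes, least significant first, assembled by hand so the result
    # does not depend on the host's byte order
    set -- $(od -An -t u1 -j $((entry + 8)) -N 4 "$img")
    echo $(( $1 + $2 * 256 + $3 * 65536 + $4 * 16777216 ))
}

# part_byte_offset IMG N: byte offset to hand to mount's offset= option
part_byte_offset() {
    lba=$(mbr_part_start_lba "$1" "$2") || return 1
    echo $((lba * SECTOR))
}

# mount_image_partition IMG N DIR: mount partition N of IMG read-only on DIR.
# "ro" keeps the image pristine (same effect as the -r switch); needs root.
mount_image_partition() {
    off=$(part_byte_offset "$1" "$2") || return 1
    mkdir -p "$3"
    mount -o loop,ro,offset="$off" "$1" "$3"
}

# From the Knoppix shell, once the image exists:
#   mount_image_partition usbhdd/backup.img 1 /mnt/backup
#   ls /mnt/backup
#   umount /mnt/backup
```

Compare the number part_byte_offset prints with the Start column of ‘fdisk -l usbhdd/backup.img’ times 512 before trusting it; if the two disagree, the disk is not a plain MBR layout and the script does not apply.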

WinImage is available Here. I recommend anyone involved in IT have this app in their toolkit.
