Difference between pages "SIM Cards" and "Ddrescue"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Added picture of SIM Card)
 
(linked to my blog containing some useful scripts/oneliners -- not sure if linking is allowed this way... else lmk!)
 
Line 1: Line 1:
__TOC__
+
{{Infobox_Software |
 +
  name = ddrescure |
 +
  maintainer = [[Antonio Diaz Diaz]]|
 +
  os = {{Linux}}|
 +
  genre = {{Disk imaging}} |
 +
  license = {{GPL}} |
 +
  website = [http://www.gnu.org/software/ddrescue/ddrescue.html http://www.gnu.org/software/ddrescue/ddrescue.html] |
 +
}}
  
[[Image:Simpic.jpg|frame|Picture of SIM Card]]
+
'''ddrescue''' is a raw disk imaging tool that "copies data from one file or block device to another, trying hard to rescue data in case of read errors."  The application is developed as part of the GNU project and has written with UNIX/Linux in mind.
== SIM-Subscriber Identity Module ==
+
  
The terms SIM, smart card, and UICC have an unfortunate tendency to be used interchangeably.  The UICC is hardware.  A SIM is a software application.  Generally speaking a smart card is a UICC running a SIM as well as possibly other applications.
+
'''ddrescue''' and '''[[dd_rescue]]''' are completely different programs which share no development between them.  The two projects are not related in any way except that they both attempt to enhance the standard [[dd]] tool and coincidentally chose similar names for their new programs.
  
SIM is actually just an application running on a smartcard. A given card could contain multiple SIM’s, allowing, for instance, a given phone to be used on multiple networks.
+
From the [[ddrescue]] info pages:
 +
<blockquote>
 +
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.<br><br>
  
A typical SIM contains several categories of information.  One is the actual identity of the card itself.  The SIM needs to have a unique identity to the network. This allows the network to identify what sources the subscriber is entitled to, billing information, etc.  A second category relates to the actual operation of the device.  Information such as the last number called, or the length of the phone call can be stored.  A third category of information is personalized information.  Phonebooks or calendars fall into this category.
+
Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps.<br><br>
  
A SIM has three major purposes
+
The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.<br><br>
* Uniquely identify the subscriber
+
* Determines phone number
+
* Contains algorithms for network authentification
+
  
A Sim contains
+
If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.<br><br>
* 16 to 64 KB of memory
+
* Processor
+
* Operating System
+
  
 +
Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using
 +
the logfile, only the needed blocks are read from the second and successive copies.
 +
</blockquote>
  
== Uses of SIMs ==
+
== Installation ==
  
SIM cards can be used in any kind of device or situation where there is a need to authenticate the identity of a userThey are particularly useful when  there is a need or desire to provide different types or levels of service to many users who have different configurations.
+
=== Bootable CD ===
 +
ddrescue is available on bootable rescue cds such as SystemRescueCd http://www.sysresccd.org/Main_Page.
 +
=== Debian and Ubuntu ===
 +
The package 'ddrescue' in Debian and Ubuntu is actually [[dd_rescue]], another dd-like program which does not maintain a recovery logThe correct package is gddrescue.
  
The primary use of SIM cards in the United States is in cell phones.  There are other uses as well.  The US military issues smart cards as identification to its personnel.  These cards are used to allow users to log into computers. 
+
Debian
 +
<blockquote>
 +
aptitude install gddrescue
 +
</blockquote>
 +
Ubuntu
 +
<blockquote>
 +
sudo apt-get install gddrescue
 +
</blockquote>
 +
=== Gentoo ===
 +
<blockquote>
 +
emerge ddrescue
 +
</blockquote>
 +
== Partition recovery ==
  
Europe has seen a wider use of these cards. The credit and debit card industry has integrated this technology in their cards for years. Similarly, a number of European phone companies have used these as phone cards to use in public telephones. The card companies in the United States have evidently not seen enough fraud to have a business justification to switch to this technology. There is some speculation that American credit cards will use a future generation of the technology when the added robustness and security of the system will make more economic sense.
+
=== Kernel 2.6.3+ & ddrescue 1.4+ ===
 +
'ddrescue --direct' will open the input with the O_DIRECT option for uncached reads. 'raw devices' are not needed on newer kernels. For older kernels see below.
  
The SIM uses a hierarchically organized file system that stores names, phone numbers, received and sent text messages.  It also contains the network configuration information.  The SIM also allows for easy transporting of all information from one phone to another.  Forensically speaking, a SIM could be an incredible source of evidence.  It allows for all information that the suspect has dealt with over the phone to be investigated.  All phone numbers dialed, and receieved would be available for investigation.  Also, if no identifying information is on the phone the network provider could be contacted and could possibly provide more information that is even on the SIM. 
+
First you copy as much data as possible, without retrying or splitting sectors:
 +
<blockquote>
 +
ddrescue --no-split /dev/hda1 imagefile logfile
 +
</blockquote>
  
One downside to the use of SIM cards is the amount of thefts that occur.  A person could steal a SIM card and use it for their own personal calls, which would be still on the original owners information log.  This is becoming a problem in European countries with the theft of SIM cards.
+
Now let it retry previous errors 3 times, using uncached reads:
 +
<blockquote>
 +
ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile
 +
</blockquote>
  
== SIM Security ==
+
If that fails you can try again but retrimmed, so it tries to reread full sectors:
 +
<blockquote>
 +
ddrescue --direct --retrim  --max-retries=3 /dev/hda1 imagefile logfile
 +
</blockquote>
  
There are two things that help secure the information located on your SIM. The PIN (Personal Identification Number) and the PUK (Personal Unlocking Code).
+
You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around. Just in case the filesystem is severely broken, and datacarving tools like testdisk need to to be used on the original image.
  
When PIN protection is enabled, every time the phone is turned on - the PIN must be entered. The information on the SIM is locked until the correct code is entered. The PIN by default is at a standard default number and can be changed on the handset. If the PIN is entered incorrectly 3 times in a row the phone is locked and another code called the PUK is needed from the network provider.
+
=== Before linux kernel 2.6.3 / 2.4.x ===
 +
In 2.6.3 the 'raw device' has been marked obsolete. On later kernels ddrescue will use O_DIRECT on the input to do uncached reads.
  
If the PIN is incorrectly entered 3 times in a row, the phone is locked making the phone unable to make or receive any calls or SMS messages.  The PUK, which is an 8 digit code, is needed from the network provider to unlock the phone.  If the pin is entered 10 times incorrectly, the SIM is permanently disabled and the SIM must be exchanged.
+
First you copy as much data as possible, without retrying or splitting sectors:
 +
<blockquote>
 +
ddrescue --no-split /dev/hda1 imagefile logfile
 +
</blockquote>
  
==SIM Forensics==
+
Now change over to raw device access. Let it retry previous errors 3 times, don't read past last block in logfile:
 +
<blockquote>
 +
modprobe raw<br>
 +
raw /dev/raw/raw1 /dev/hda1<br>
 +
ddrescue --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
 +
</blockquote>
 +
 
 +
If that fails you can try again (still using raw) but retrimmed, so it tries to reread full sectors:
 +
<blockquote>
 +
ddrescue --retrim --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
 +
</blockquote>
 +
 
 +
You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around. Just in case the filesystem is severely broken, and datacarving tools like testdisk need to to be used on the original image.
 +
 
 +
At the end you may want to unbind the raw device:
 +
<blockquote>
 +
raw /dev/raw/raw1 0 0
 +
</blockquote>
 +
 
 +
== Examples ==
 +
 
 +
These two examples are taken directly from the [[ddrescue]] info pages.
 +
 
 +
Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2
 +
 
 +
'''Please Note:''' This will overwrite ALL data on the partition you are copying to. If you do not want to do that, rather create an image of the partition to be rescued.
 +
<blockquote>
 +
ddrescue -r3 /dev/hda2 /dev/hdb2 logfile<br>
 +
e2fsck -v -f /dev/hdb2<br>
 +
mount -t ext2 -o ro /dev/hdb2 /mnt<br>
 +
</blockquote>
 +
 
 +
Example 2: Rescue a CD-ROM in /dev/cdrom
 +
<blockquote>
 +
ddrescue -b 2048 /dev/cdrom cdimage logfile
 +
</blockquote>
 +
write cdimage to a blank CD-ROM
 +
 
 +
 
 +
This example is derived from the ddrescue manual.
 +
 
 +
Example 3: Rescue an entire hard disk /dev/sda to another disk /dev/sdb
 +
 
 +
copy the error free areas first
 +
ddrescue -n /dev/sda /dev/sdb rescue.log
 +
attempt to recover any bad sectors
 +
ddrescue -r 1 /dev/sda /dev/sdb rescue.log
 +
 
 +
== Options ==
 +
 
 +
-h, --help
 +
    display this help and exit
 +
-V, --version
 +
    output version information and exit
 +
-b, --block-size=<bytes>
 +
    hardware block size of input device [512]
 +
-B, --binary-prefixes
 +
    show binary multipliers in numbers [default SI]
 +
-c, --cluster-size=<blocks>
 +
    hardware blocks to copy at a time [128]
 +
-C, --complete-only
 +
    do not read new data beyond logfile limits
 +
-d, --direct
 +
    use direct disc access for input file
 +
-D, --synchronous
 +
    use synchronous writes for output file
 +
-e, --max-errors=<n>
 +
    maximum number of error areas allowed
 +
-F, --fill=<types>
 +
    fill given type areas with infile data (?*/-+)
 +
-g, --generate-logfile
 +
    generate approximate logfile from partial copy
 +
-i, --input-position=<pos>
 +
    starting position in input file [0]
 +
-n, --no-split
 +
    do not try to split or retry error areas
 +
-o, --output-position=<pos>
 +
    starting position in output file [ipos]
 +
-q, --quiet
 +
    quiet operation
 +
-r, --max-retries=<n>
 +
    exit after given retries (-1=infinity) [0]
 +
-R, --retrim
 +
    mark all error areas as non-trimmed
 +
-s, --max-size=<bytes>
 +
    maximum size of data to be copied
 +
-S, --sparse
 +
    use sparse writes for output file
 +
-t, --truncate
 +
    truncate output file
 +
-v, --verbose
 +
    verbose operation
 +
 
 +
Numbers may be followed by a multiplier: b = blocks, k = kB = 10^3 = 1000, Ki = KiB = 2^10 = 1024, M = 10^6, Mi = 2^20, G = 10^9, Gi = 2^30, etc...
 +
 
 +
 
 +
== Cygwin ==
 +
 
 +
As of release 1.4-rc1, it can be compiled directly in [[Cygwin]] [http://en.wikipedia.org/wiki/Out_of_the_box Out of the Box]. Precompiled packages are available in the [http://cygwin.com/packages/ Cygwin distribution]. This makes it usable natively on [[Windows]] systems.
 +
 
 +
== See also ==
 +
 
 +
* [[aimage]]
 +
* [[Blackbag]]
 +
* [[dcfldd]]
 +
* [[dd]]
 +
* [[dd_rescue]]
 +
* [[sdd]]
 +
 
 +
== Other Resources ==
 +
[[http://pfuender.net/?p=80|Useful code-snippets for DDrescue]]

Revision as of 07:09, 25 June 2010

ddrescure
Maintainer: Antonio Diaz Diaz
OS: Linux
Genre: Disk imaging
License: GPL
Website: http://www.gnu.org/software/ddrescue/ddrescue.html

ddrescue is a raw disk imaging tool that "copies data from one file or block device to another, trying hard to rescue data in case of read errors." The application is developed as part of the GNU project and has written with UNIX/Linux in mind.

ddrescue and dd_rescue are completely different programs which share no development between them. The two projects are not related in any way except that they both attempt to enhance the standard dd tool and coincidentally chose similar names for their new programs.

From the ddrescue info pages:

GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.

Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps.

The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.

If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.

Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using the logfile, only the needed blocks are read from the second and successive copies.

Contents

Installation

Bootable CD

ddrescue is available on bootable rescue cds such as SystemRescueCd http://www.sysresccd.org/Main_Page.

Debian and Ubuntu

The package 'ddrescue' in Debian and Ubuntu is actually dd_rescue, another dd-like program which does not maintain a recovery log. The correct package is gddrescue.

Debian

aptitude install gddrescue

Ubuntu

sudo apt-get install gddrescue

Gentoo

emerge ddrescue

Partition recovery

Kernel 2.6.3+ & ddrescue 1.4+

'ddrescue --direct' will open the input with the O_DIRECT option for uncached reads. 'raw devices' are not needed on newer kernels. For older kernels see below.

First you copy as much data as possible, without retrying or splitting sectors:

ddrescue --no-split /dev/hda1 imagefile logfile

Now let it retry previous errors 3 times, using uncached reads:

ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile

If that fails you can try again but retrimmed, so it tries to reread full sectors:

ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile

You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around. Just in case the filesystem is severely broken, and datacarving tools like testdisk need to to be used on the original image.

Before linux kernel 2.6.3 / 2.4.x

In 2.6.3 the 'raw device' has been marked obsolete. On later kernels ddrescue will use O_DIRECT on the input to do uncached reads.

First you copy as much data as possible, without retrying or splitting sectors:

ddrescue --no-split /dev/hda1 imagefile logfile

Now change over to raw device access. Let it retry previous errors 3 times, don't read past last block in logfile:

modprobe raw
raw /dev/raw/raw1 /dev/hda1
ddrescue --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile

If that fails you can try again (still using raw) but retrimmed, so it tries to reread full sectors:

ddrescue --retrim --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile

You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around. Just in case the filesystem is severely broken, and datacarving tools like testdisk need to to be used on the original image.

At the end you may want to unbind the raw device:

raw /dev/raw/raw1 0 0

Examples

These two examples are taken directly from the ddrescue info pages.

Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2

Please Note: This will overwrite ALL data on the partition you are copying to. If you do not want to do that, rather create an image of the partition to be rescued.

ddrescue -r3 /dev/hda2 /dev/hdb2 logfile
e2fsck -v -f /dev/hdb2
mount -t ext2 -o ro /dev/hdb2 /mnt

Example 2: Rescue a CD-ROM in /dev/cdrom

ddrescue -b 2048 /dev/cdrom cdimage logfile

write cdimage to a blank CD-ROM


This example is derived from the ddrescue manual.

Example 3: Rescue an entire hard disk /dev/sda to another disk /dev/sdb

copy the error free areas first

ddrescue -n /dev/sda /dev/sdb rescue.log

attempt to recover any bad sectors

ddrescue -r 1 /dev/sda /dev/sdb rescue.log

Options

-h, --help
   display this help and exit 
-V, --version
   output version information and exit 
-b, --block-size=<bytes>
   hardware block size of input device [512] 
-B, --binary-prefixes
   show binary multipliers in numbers [default SI] 
-c, --cluster-size=<blocks>
   hardware blocks to copy at a time [128] 
-C, --complete-only
   do not read new data beyond logfile limits 
-d, --direct
   use direct disc access for input file 
-D, --synchronous
   use synchronous writes for output file 
-e, --max-errors=<n>
   maximum number of error areas allowed 
-F, --fill=<types>
   fill given type areas with infile data (?*/-+) 
-g, --generate-logfile
   generate approximate logfile from partial copy 
-i, --input-position=<pos>
   starting position in input file [0] 
-n, --no-split
   do not try to split or retry error areas 
-o, --output-position=<pos>
   starting position in output file [ipos] 
-q, --quiet
   quiet operation 
-r, --max-retries=<n>
   exit after given retries (-1=infinity) [0] 
-R, --retrim
   mark all error areas as non-trimmed 
-s, --max-size=<bytes>
   maximum size of data to be copied 
-S, --sparse
   use sparse writes for output file 
-t, --truncate
   truncate output file 
-v, --verbose
   verbose operation

Numbers may be followed by a multiplier: b = blocks, k = kB = 10^3 = 1000, Ki = KiB = 2^10 = 1024, M = 10^6, Mi = 2^20, G = 10^9, Gi = 2^30, etc...


Cygwin

As of release 1.4-rc1, it can be compiled directly in Cygwin Out of the Box. Precompiled packages are available in the Cygwin distribution. This makes it usable natively on Windows systems.

See also

Other Resources

[code-snippets for DDrescue]