Difference between pages "Ddrescue" and "Research Topics"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Partition recovery)
 
m (Hard Problems)
 
Line 1: Line 1:
{{Infobox_Software |
+
; Research Ideas
  name = ddrescure |
+
  maintainer = [[Antonio Diaz Diaz]]|
+
  os = {{Linux}}|
+
  genre = {{Disk imaging}} |
+
  license = {{GPL}} |
+
  website = [http://www.gnu.org/software/ddrescue/ddrescue.html ddrescue.html] |
+
}}
+
  
'''ddrescue''' is a raw disk imaging tool that "copies data from one file or block device to another, trying hard to rescue data in case of read errors."  The application is developed as part of the GNU project and has written with UNIX/Linux in mind.
+
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.  
  
'''ddrescue''' and '''[[dd_rescue]]''' are completely different programs which share no development between them.  The two projects are not related in any way except that they both attempt to enhance the standard [[dd]] tool and coincidentally chose similar names for their new programs.
 
  
From the [[ddrescue]] info pages:
+
=Hard Problems=
<blockquote>
+
* Stream Based Disk Forensics. Process the entire disk with one pass, or at most two, to minimize seek time. 
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.<br><br>
+
* Determine the device that created an image or video without metadata. (fingerprinting digital cameras)
 +
* Automatically detect falsified digital evidence.
 +
* Use the location of where data resides on a computer as a way of inferring information about the computer's past.
 +
* Detect and diagnose sanitization attempts.
  
Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps.<br><br>
+
=Tool Development=
 +
==[[AFF]] Enhancement==
 +
* Evaluation of the AFF data page size. What is the optimal page size for compressed forensic work?
 +
* Replacement of the AFF "BADFLAG" approach for indicating bad data with a bitmap.
 +
* Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
 +
* Improve the data recovery features of aimage.
 +
* Replace AFF's current table-of-contents system with one based on B+ Trees.
  
The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.<br><br>
+
==Decoders and Validators==
 +
* A JPEG decompresser that supports restarts and checkpointing for use in high-speed carving. It would also be useful it the JPEG decompressor didn't actually decompress --- all it needs to do is to verify the huffman table.
  
If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.<br><br>
+
==Cell Phones==
 +
Open source tools for:
 +
* Imaging the contents of a cell phone memory
 +
* Reassembling information in a cell phone memory
  
Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using
 
the logfile, only the needed blocks are read from the second and successive copies.
 
</blockquote>
 
  
== Installation ==
 
=== Debian ===
 
The package 'ddrescue' actually is [[dd_rescue]], another dd-like program which does not maintain a recovery log.
 
<blockquote>
 
aptitude install gddrescue
 
</blockquote>
 
  
== Partition recovery ==
+
=Corpora Development=
 
+
==Realistic Corpora==
First you copy as much data as possible, without retrying or splitting sectors:
+
* Simulated disk imags
<blockquote>
+
* Simulated network traffic
ddrescue --no-split /dev/hda1 imagefile logfile
+
==Real Data==
</blockquote>
+
* Digital Cameras
 
+
* Cell phones
Now change over to raw device access. Let it retry previous errors 3 times, don't read past last block in logfile:
+
* USB Memory Sticks ''below'' the logical layer.
<blockquote>
+
modprobe raw<br>
+
raw /dev/raw/raw1 /dev/hda1<br>
+
ddrescue --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
+
</blockquote>
+
 
+
If that fails you can try again (still using raw) but retrimmed, so it tries to reread full sectors:
+
<blockquote>
+
ddrescue --retrim --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
+
</blockquote>
+
 
+
You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around. Just in case the filesystem is severely broken, and datacarving tools like testdisk need to to be used on the original image.
+
 
+
At the end you may want to unbind the raw device:
+
<blockquote>
+
raw /dev/raw/raw1 0 0
+
</blockquote>
+
 
+
== Examples ==
+
 
+
These two examples are taken directly from the [[ddrescue]] info pages.
+
 
+
Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2
+
<blockquote>
+
ddrescue -r3 /dev/hda2 /dev/hdb2 logfile<br>
+
e2fsck -v -f /dev/hdb2<br>
+
mount -t ext2 -o ro /dev/hdb2 /mnt<br>
+
</blockquote>
+
 
+
Example 2: Rescue a CD-ROM in /dev/cdrom
+
<blockquote>
+
ddrescue -b 2048 /dev/cdrom cdimage logfile
+
</blockquote>
+
write cdimage to a blank CD-ROM
+
 
+
== Cygwin ==
+
 
+
As of release 1.4-rc1, it can be compiled directly in [[Cygwin]] [http://en.wikipedia.org/wiki/Out_of_the_box Out of the Box]. Precompiled packages are available in the [http://cygwin.com/packages/ Cygwin distribution]. This makes it usable natively on [[Windows]] systems.
+
 
+
== See also ==
+
 
+
* [[aimage]]
+
* [[Blackbag]]
+
* [[dcfldd]]
+
* [[dd]]
+
* [[dd_rescue]]
+
* [[sdd]]
+

Revision as of 23:24, 2 November 2008

Research Ideas

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.


Hard Problems

  • Stream Based Disk Forensics. Process the entire disk with one pass, or at most two, to minimize seek time.
  • Determine the device that created an image or video without metadata. (fingerprinting digital cameras)
  • Automatically detect falsified digital evidence.
  • Use the location of where data resides on a computer as a way of inferring information about the computer's past.
  • Detect and diagnose sanitization attempts.

Tool Development

AFF Enhancement

  • Evaluation of the AFF data page size. What is the optimal page size for compressed forensic work?
  • Replacement of the AFF "BADFLAG" approach for indicating bad data with a bitmap.
  • Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
  • Improve the data recovery features of aimage.
  • Replace AFF's current table-of-contents system with one based on B+ Trees.

Decoders and Validators

  • A JPEG decompresser that supports restarts and checkpointing for use in high-speed carving. It would also be useful it the JPEG decompressor didn't actually decompress --- all it needs to do is to verify the huffman table.

Cell Phones

Open source tools for:

  • Imaging the contents of a cell phone memory
  • Reassembling information in a cell phone memory


Corpora Development

Realistic Corpora

  • Simulated disk imags
  • Simulated network traffic

Real Data

  • Digital Cameras
  • Cell phones
  • USB Memory Sticks below the logical layer.