Difference between pages "Ddrescue" and "Determining OS version from an evidence image"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Added a warning line to the examples section clarifying something that caused me to overwrite an entire disk by accident and lose a lot of data in the process.)
 
m (info about MPC)
 
Line 1: Line 1:
{{Infobox_Software |
+
One of the first steps an examiners will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.
  name = ddrescure |
+
  maintainer = [[Antonio Diaz Diaz]]|
+
  os = {{Linux}}|
+
  genre = {{Disk imaging}} |
+
  license = {{GPL}} |
+
  website = [http://www.gnu.org/software/ddrescue/ddrescue.html http://www.gnu.org/software/ddrescue/ddrescue.html] |
+
}}
+
  
'''ddrescue''' is a raw disk imaging tool that "copies data from one file or block device to another, trying hard to rescue data in case of read errors."  The application is developed as part of the GNU project and has written with UNIX/Linux in mind.
+
==Windows==
  
'''ddrescue''' and '''[[dd_rescue]]''' are completely different programs which share no development between them.  The two projects are not related in any way except that they both attempt to enhance the standard [[dd]] tool and coincidentally chose similar names for their new programs.
+
===Windows 95/98/ME===
  
From the [[ddrescue]] info pages:
+
===Windows NT===
<blockquote>
+
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.<br><br>
+
  
Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps.<br><br>
+
===Windows 2000/2003/XP/Vista===
 +
Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).
  
The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.<br><br>
+
During a forensic examination, information regarding the version of Windows can be found in a number of places. For example, by default, the Windows directory on Windows XP is "C:\Windows", where on Windows NT and 2000, it was "C:\Winnt".  This is not definitive, however, because this directory name is easily modified during installation.
  
If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.<br><br>
+
Determining the version of Windows from the Software Registry Hive file - navigate to the ''Microsoft\Windows NT\CurrentVersion'' key, and examine the values beneath the key; specifically, values such as ProductName, CSDVersion, ProductId (if available), BuildLab, and on Vista, BuildLabEx.
  
Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using
+
Determining the version of Windows from file version information - locate the file %WinDir%\system32\ntoskrnl.exe and review the file version information/strings from the resource section of the PE file.  You can view this information with a hex editor, or extract it using a variety of means. There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script [http://sourceforge.net/project/showfiles.php?group_id=164158&package_id=203967 kern.pl] illustrates a platform independent means of examining the PE header and ultimately locating the file version information.
the logfile, only the needed blocks are read from the second and successive copies.
+
</blockquote>
+
  
== Installation ==
+
In order to determine the difference between Windows XP Professional and Home versions, look for the %WinDir%\system32\prodspec.ini file; it contains information regarding the Product type (either XP Pro or Home). Another way to do this is to look at Microsoft Product Code (first 5 digits of ''Product ID''). Some of these values:
  
=== Bootable CD ===
+
{| class="wikitable" border="1"
ddrescue is available on bootable rescue cds such as SystemRescueCd http://www.sysresccd.org/Main_Page.
+
|-
=== Debian and Ubuntu ===
+
!Value (MPC)!!Version
The package 'ddrescue' in Debian and Ubuntu is actually [[dd_rescue]], another dd-like program which does not maintain a recovery log.  The correct package is gddrescue.
+
|-
 +
|55034 || Windows XP Professional English
 +
|-
 +
|55683 || Windows XP Professional Russian
 +
|-
 +
|55681 || Windows XP Home Edition Russian
 +
|}
  
Debian
+
==Unix/Linux==
<blockquote>
+
Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is not much good if you performing dead analysis on a disk image.
aptitude install gddrescue
+
</blockquote>
+
Ubuntu
+
<blockquote>
+
sudo apt-get install gddrescue
+
</blockquote>
+
=== Gentoo ===
+
<blockquote>
+
emerge ddrescue
+
</blockquote>
+
== Partition recovery ==
+
  
=== Kernel 2.6.3+ & ddrescue 1.4+ ===
+
===Linux===
'ddrescue --direct' will open the input with the O_DIRECT option for uncached reads. 'raw devices' are not needed on newer kernels. For older kernels see below.
+
A number of Linux distributions create a file in ''/etc'' to identify the release or version installed.
  
First you copy as much data as possible, without retrying or splitting sectors:
+
{| class="wikitable" border="1"
<blockquote>
+
|-
ddrescue --no-split /dev/hda1 imagefile logfile
+
!Distro!!Tag
</blockquote>
+
|-
 +
|Red Hat || /etc/redhat-release
 +
|-
 +
|Debian  || /etc/debian-version
 +
|}
  
Now let it retry previous errors 3 times, using uncached reads:
+
===Solaris===
<blockquote>
+
ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile
+
</blockquote>
+
  
If that fails you can try again but retrimmed, so it tries to reread full sectors:
+
===Free/Net/OpenBSD===
<blockquote>
+
ddrescue --direct --retrim  --max-retries=3 /dev/hda1 imagefile logfile
+
</blockquote>
+
  
You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around. Just in case the filesystem is severely broken, and datacarving tools like testdisk need to to be used on the original image.
+
===AIX===
  
=== Before linux kernel 2.6.3 / 2.4.x ===
+
===HP/UX===
In 2.6.3 the 'raw device' has been marked obsolete. On later kernels ddrescue will use O_DIRECT on the input to do uncached reads.
+
  
First you copy as much data as possible, without retrying or splitting sectors:
+
[[Category:Howtos]]
<blockquote>
+
ddrescue --no-split /dev/hda1 imagefile logfile
+
</blockquote>
+
 
+
Now change over to raw device access. Let it retry previous errors 3 times, don't read past last block in logfile:
+
<blockquote>
+
modprobe raw<br>
+
raw /dev/raw/raw1 /dev/hda1<br>
+
ddrescue --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
+
</blockquote>
+
 
+
If that fails you can try again (still using raw) but retrimmed, so it tries to reread full sectors:
+
<blockquote>
+
ddrescue --retrim --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
+
</blockquote>
+
 
+
You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around. Just in case the filesystem is severely broken, and datacarving tools like testdisk need to to be used on the original image.
+
 
+
At the end you may want to unbind the raw device:
+
<blockquote>
+
raw /dev/raw/raw1 0 0
+
</blockquote>
+
 
+
== Examples ==
+
 
+
These two examples are taken directly from the [[ddrescue]] info pages.
+
 
+
Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2
+
 
+
'''Please Note: This will overwrite ALL data on the drive you are copying to. If you do not want to do that, rather create an image of the disk to be rescued.'''
+
<blockquote>
+
ddrescue -r3 /dev/hda2 /dev/hdb2 logfile<br>
+
e2fsck -v -f /dev/hdb2<br>
+
mount -t ext2 -o ro /dev/hdb2 /mnt<br>
+
</blockquote>
+
 
+
Example 2: Rescue a CD-ROM in /dev/cdrom
+
<blockquote>
+
ddrescue -b 2048 /dev/cdrom cdimage logfile
+
</blockquote>
+
write cdimage to a blank CD-ROM
+
 
+
 
+
This example is derived from the ddrescue manual.
+
 
+
Example 3: Rescue an entire hard disk /dev/sda to another disk /dev/sdb
+
 
+
copy the error free areas first
+
ddrescue -n /dev/sda /dev/sdb rescue.log
+
attempt to recover any bad sectors
+
ddrescue -r 1 /dev/sda /dev/sdb rescue.log
+
 
+
 
+
== Options ==
+
 
+
-h, --help
+
    display this help and exit
+
-V, --version
+
    output version information and exit
+
-b, --block-size=<bytes>
+
    hardware block size of input device [512]
+
-B, --binary-prefixes
+
    show binary multipliers in numbers [default SI]
+
-c, --cluster-size=<blocks>
+
    hardware blocks to copy at a time [128]
+
-C, --complete-only
+
    do not read new data beyond logfile limits
+
-d, --direct
+
    use direct disc access for input file
+
-D, --synchronous
+
    use synchronous writes for output file
+
-e, --max-errors=<n>
+
    maximum number of error areas allowed
+
-F, --fill=<types>
+
    fill given type areas with infile data (?*/-+)
+
-g, --generate-logfile
+
    generate approximate logfile from partial copy
+
-i, --input-position=<pos>
+
    starting position in input file [0]
+
-n, --no-split
+
    do not try to split or retry error areas
+
-o, --output-position=<pos>
+
    starting position in output file [ipos]
+
-q, --quiet
+
    quiet operation
+
-r, --max-retries=<n>
+
    exit after given retries (-1=infinity) [0]
+
-R, --retrim
+
    mark all error areas as non-trimmed
+
-s, --max-size=<bytes>
+
    maximum size of data to be copied
+
-S, --sparse
+
    use sparse writes for output file
+
-t, --truncate
+
    truncate output file
+
-v, --verbose
+
    verbose operation
+
 
+
Numbers may be followed by a multiplier: b = blocks, k = kB = 10^3 = 1000, Ki = KiB = 2^10 = 1024, M = 10^6, Mi = 2^20, G = 10^9, Gi = 2^30, etc...
+
 
+
 
+
== Cygwin ==
+
 
+
As of release 1.4-rc1, it can be compiled directly in [[Cygwin]] [http://en.wikipedia.org/wiki/Out_of_the_box Out of the Box]. Precompiled packages are available in the [http://cygwin.com/packages/ Cygwin distribution]. This makes it usable natively on [[Windows]] systems.
+
 
+
== See also ==
+
 
+
* [[aimage]]
+
* [[Blackbag]]
+
* [[dcfldd]]
+
* [[dd]]
+
* [[dd_rescue]]
+
* [[sdd]]
+

Revision as of 14:15, 16 April 2009

One of the first steps an examiners will need to carry out once they have an evidence image is to log system metadata, including OS version and patch level. This may be of particular importance if the image in question is from a machine that is suspected of having been compromised.

Windows

Windows 95/98/ME

Windows NT

Windows 2000/2003/XP/Vista

Information about a running system can be displayed using the command `ver` (and `systeminfo` on some systems).

During a forensic examination, information regarding the version of Windows can be found in a number of places. For example, by default, the Windows directory on Windows XP is "C:\Windows", where on Windows NT and 2000, it was "C:\Winnt". This is not definitive, however, because this directory name is easily modified during installation.

Determining the version of Windows from the Software Registry Hive file - navigate to the Microsoft\Windows NT\CurrentVersion key, and examine the values beneath the key; specifically, values such as ProductName, CSDVersion, ProductId (if available), BuildLab, and on Vista, BuildLabEx.

Determining the version of Windows from file version information - locate the file %WinDir%\system32\ntoskrnl.exe and review the file version information/strings from the resource section of the PE file. You can view this information with a hex editor, or extract it using a variety of means. There is a Perl module (Win32::File::VersionInfo) that will allow you to extract this information, and the Perl script kern.pl illustrates a platform independent means of examining the PE header and ultimately locating the file version information.

In order to determine the difference between Windows XP Professional and Home versions, look for the %WinDir%\system32\prodspec.ini file; it contains information regarding the Product type (either XP Pro or Home). Another way to do this is to look at Microsoft Product Code (first 5 digits of Product ID). Some of these values:

Value (MPC) Version
55034 Windows XP Professional English
55683 Windows XP Professional Russian
55681 Windows XP Home Edition Russian

Unix/Linux

Information about a running system, including the kernel version, can be displayed using the command `uname -a`. However, this is not much good if you performing dead analysis on a disk image.

Linux

A number of Linux distributions create a file in /etc to identify the release or version installed.

Distro Tag
Red Hat /etc/redhat-release
Debian /etc/debian-version

Solaris

Free/Net/OpenBSD

AIX

HP/UX