Difference between pages "Ddrescue" and "Hashkeeper"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
(Initial article)
 
Line 1: Line 1:
{{Infobox_Software |
+
{{Expand}}
  name = ddrescure |
+
  maintainer = [[Antonio Diaz Diaz]]|
+
  os = {{Linux}}|
+
  genre = {{Disk imaging}} |
+
  license = {{GPL}} |
+
  website = [http://www.gnu.org/software/ddrescue/ddrescue.html http://www.gnu.org/software/ddrescue/ddrescue.html] |
+
}}
+
  
'''ddrescue''' is a raw disk imaging tool that "copies data from one file or block device to another, trying hard to rescue data in case of read errors."  The application is developed as part of the GNU project and has written with UNIX/Linux in mind.
+
Run by the National Drug Intelligence Center, part of the U.S. Department of Justice.
  
'''ddrescue''' and '''[[dd_rescue]]''' are completely different programs which share no development between them.  The two projects are not related in any way except that they both attempt to enhance the standard [[dd]] tool and coincidentally chose similar names for their new programs.
+
'''HashKeeper''' is a database application of value primarily to those conducting forensic examinations of computers on a somewhat regular basis.
  
From the [[ddrescue]] info pages:
+
== Overview ==
<blockquote>
+
The application uses the [[MD5]] file signature algorithm to establish unique numeric identifiers (hash values) for known files and compares those known hash values against the hash values of Computer file|files on a seized computer system. Where those values match, the examiner can say, with statistical certainty, that the corresponding files on the seized system have been authenticated and therefore do not need to be examined.
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc) to another, trying hard to rescue data in case of read errors.<br><br>
+
  
Ddrescue does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps.<br><br>
+
== Origins ==
  
The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, read the log, run it in reverse mode, etc.<br><br>
+
Created by the National Drug Intelligence Center (NDIC)—an agency of the United States Department of Justice—in 1996, it was the first source for hash values of "known to be good" files.
  
If you use the logfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also you can interrupt the rescue at any time and resume it later at the same point.<br><br>
+
== Availability ==
 +
HashKeeper is available, free-of-charge, to law enforcement, military and other government agencies throughout the world. It is available to the public by sending a [http://www.usdoj.gov/ndic/foia.htm Freedom of Information Act] request to NDIC.
  
Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having damaged areas at the same places on different input files is very low. Using
+
== External Links ==
the logfile, only the needed blocks are read from the second and successive copies.
+
</blockquote>
+
  
== Installation ==
+
* [http://www.usdoj.gov/ndic/about.htm Official NDIC website]
  
=== Bootable CD ===
+
[[Category:Hashing]]
ddrescue is available on bootable rescue cds such as SystemRescueCd http://www.sysresccd.org/Main_Page.
+
=== Debian and Ubuntu ===
+
The package 'ddrescue' in Debian and Ubuntu is actually [[dd_rescue]], another dd-like program which does not maintain a recovery log.  The correct package is gddrescue.
+
 
+
Debian
+
<blockquote>
+
aptitude install gddrescue
+
</blockquote>
+
Ubuntu
+
<blockquote>
+
sudo apt-get install gddrescue
+
</blockquote>
+
=== Gentoo ===
+
<blockquote>
+
emerge ddrescue
+
</blockquote>
+
== Partition recovery ==
+
 
+
=== Kernel 2.6.3+ & ddrescue 1.4+ ===
+
'ddrescue --direct' will open the input with the O_DIRECT option for uncached reads. 'raw devices' are not needed on newer kernels. For older kernels see below.
+
 
+
First you copy as much data as possible, without retrying or splitting sectors:
+
<blockquote>
+
ddrescue --no-split /dev/hda1 imagefile logfile
+
</blockquote>
+
 
+
Now let it retry previous errors 3 times, using uncached reads:
+
<blockquote>
+
ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile
+
</blockquote>
+
 
+
If that fails you can try again but retrimmed, so it tries to reread full sectors:
+
<blockquote>
+
ddrescue --direct --retrim  --max-retries=3 /dev/hda1 imagefile logfile
+
</blockquote>
+
 
+
You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around. Just in case the filesystem is severely broken, and datacarving tools like testdisk need to to be used on the original image.
+
 
+
=== Before linux kernel 2.6.3 / 2.4.x ===
+
In 2.6.3 the 'raw device' has been marked obsolete. On later kernels ddrescue will use O_DIRECT on the input to do uncached reads.
+
 
+
First you copy as much data as possible, without retrying or splitting sectors:
+
<blockquote>
+
ddrescue --no-split /dev/hda1 imagefile logfile
+
</blockquote>
+
 
+
Now change over to raw device access. Let it retry previous errors 3 times, don't read past last block in logfile:
+
<blockquote>
+
modprobe raw<br>
+
raw /dev/raw/raw1 /dev/hda1<br>
+
ddrescue --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
+
</blockquote>
+
 
+
If that fails you can try again (still using raw) but retrimmed, so it tries to reread full sectors:
+
<blockquote>
+
ddrescue --retrim --max-retries=3 --complete-only /dev/raw/raw1 imagefile logfile
+
</blockquote>
+
 
+
You can now use ddrescue (or normal dd) to copy the imagefile to a new partition on a new disk. Use the appropriate filesystem checkers (fsck, CHKDSK) to try to fix errors caused by the bad blocks. Be sure to keep the imagefile around. Just in case the filesystem is severely broken, and datacarving tools like testdisk need to to be used on the original image.
+
 
+
At the end you may want to unbind the raw device:
+
<blockquote>
+
raw /dev/raw/raw1 0 0
+
</blockquote>
+
 
+
== Examples ==
+
 
+
These two examples are taken directly from the [[ddrescue]] info pages.
+
 
+
Example 1: Rescue an ext2 partition in /dev/hda2 to /dev/hdb2
+
<blockquote>
+
ddrescue -r3 /dev/hda2 /dev/hdb2 logfile<br>
+
e2fsck -v -f /dev/hdb2<br>
+
mount -t ext2 -o ro /dev/hdb2 /mnt<br>
+
</blockquote>
+
 
+
Example 2: Rescue a CD-ROM in /dev/cdrom
+
<blockquote>
+
ddrescue -b 2048 /dev/cdrom cdimage logfile
+
</blockquote>
+
write cdimage to a blank CD-ROM
+
 
+
 
+
This example is derived from the ddrescue manual.
+
 
+
Example 3: Rescue an entire hard disk /dev/sda to another disk /dev/sdb
+
 
+
copy the error free areas first
+
ddrescue -n /dev/sda /dev/sdb rescue.log
+
attempt to recover any bad sectors
+
ddrescue -r 1 /dev/sda /dev/sdb rescue.log
+
 
+
 
+
== Cygwin ==
+
 
+
As of release 1.4-rc1, it can be compiled directly in [[Cygwin]] [http://en.wikipedia.org/wiki/Out_of_the_box Out of the Box]. Precompiled packages are available in the [http://cygwin.com/packages/ Cygwin distribution]. This makes it usable natively on [[Windows]] systems.
+
 
+
== See also ==
+
 
+
* [[aimage]]
+
* [[Blackbag]]
+
* [[dcfldd]]
+
* [[dd]]
+
* [[dd_rescue]]
+
* [[sdd]]
+

Revision as of 18:36, 15 April 2007

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Run by the National Drug Intelligence Center, part of the U.S. Department of Justice.

HashKeeper is a database application of value primarily to those conducting forensic examinations of computers on a somewhat regular basis.

Overview

The application uses the MD5 file signature algorithm to establish unique numeric identifiers (hash values) for known files and compares those known hash values against the hash values of Computer file|files on a seized computer system. Where those values match, the examiner can say, with statistical certainty, that the corresponding files on the seized system have been authenticated and therefore do not need to be examined.

Origins

Created by the National Drug Intelligence Center (NDIC)—an agency of the United States Department of Justice—in 1996, it was the first source for hash values of "known to be good" files.

Availability

HashKeeper is available, free-of-charge, to law enforcement, military and other government agencies throughout the world. It is available to the public by sending a Freedom of Information Act request to NDIC.

External Links