Use dd with compression, please advise

Computer forensics training and education issues. If you are looking for topic suggestions for your project, thesis or dissertation please post here rather than the general discussion forum.

Use dd with compression, please advise

Posted: Mon Oct 09, 2017 7:33 am

Hello,

I'm trying to use your DD to save a disk image with compression. It seems that saving with compression is working, as I see the resulting image with a 'gz' suffix and the file size is really compressed.

But when I try to restore/reapply the image onto another system it is unable to boot; the process is not working when I put the 'decomp' option.

To get the image I'm using this command:

dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

The image is created and zipped, and all seems correct. Without zip compression the image is 80Gb, compressed it is 8Gb.

The problem is when I try to restore/reapply the image onto a similar system.

dd -v if=z:\image\myimage.img.gz of=\\.\PhysicalDrive0 conv=noerror,decomp --localwrt

I get this error message:

"unable to copy file!"

What's wrong?
I've also tried using "-comp gzip / --decomp gzip", but I get the same error.
As far as I can see, my command syntax and options are apparently correct. I've also got some external logs, but their content is the same error that I could see on the screen.

Please advise how to use DD with the compression/decompression options.

Best Regards

pmico
Newbie

    Re: Use dd with compression, please advise

    Posted: Mon Oct 09, 2017 7:57 am

    I haven't used DD on Windows and have not come across compression being available in DD directly. One would normally pipe the output of DD into a compression program....

    The only 2 things that stand out as possibilities are:

    1. When you compress the image you don't seem to add .gz to the output filename so maybe you should omit it from the input filename when you are decompressing it? Maybe the decompression DD is looking for a file called image.img.gz.gz rather than image.img.gz. So try: dd -v if=z:\image\myimage.img of=\\.\PhysicalDrive0 conv=noerror,decomp --localwrt

    2. Maybe you have read only access to \\.\PhysicalDrive0

    I'd be interested where you got your DD for Windows from?

    AmNe5iA
    Member

    Re: Use dd with compression, please advise

    Posted: Mon Oct 09, 2017 10:09 am

    Hi
    I'm trying to use this DD because it is an 'all-in-one'; it seems that you don't need other tools to compress the image, and it seems to be quicker than using dd + gzip.

    dd belongs to the Forensic Acquisition Utilities:
    www.gmgsystemsinc.com/fau/

    When I capture the image:
    dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

    The GZ suffix is automatically added; with the above command I get a myimage.img.gz file.

    And if I try to restore, like you suggest, without the "gz" suffix, like this:
    dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt

    it is unable to find the image, so I have to put the image full name, with suffix.


    I've got some examples from this document, and I guess that my syntax is not the problem:
    mirrors.pdp-11.ru/_vax...lities.pdf

    The disk is in write mode, because when I use another dd for Windows I was able to recover the image.
    I'm trying to recover a Linux machine, but I guess that it should not be a problem for a DD.

    pmico
    Newbie

      Re: Use dd with compression, please advise

      Posted: Mon Oct 09, 2017 1:03 pm

      - pmico


      and If I try to restore, like you suggest, without the "gz" suffix like this
      dd -v if=\\.\Physicaldrive0 of=z:\image\myimage.img conv=noerror,comp --localwrt


      That is not what AmNe5iA posted, but I don't think that even if you use the correct if and of it will change anything.


      Could it be a "multidot" problem?
      No, as the example in the PDF does have a few multidot filenames.

      Try (for test only) to make a dd of a file and restoring it, aka:
      dd.exe of=myfile.txt.gz if=d:\images\myfile.txt conv=noerror,comp
      dd.exe if=myfile.txt.gz of=d:\images\myfile.txt conv=noerror,decomp

      It could be an issue of accessing the \\.\Physicaldrive, which Windows OS are you running?

      jaclaz


      - In theory there is no difference between theory and practice, but in practice there is. - 

      jaclaz
      Senior Member

        Re: Use dd with compression, please advise

        Posted: Mon Oct 09, 2017 2:58 pm

        Hi,

        First, Thanks for your suggestions...

        Regarding the test that you suggested, I've just done it with this result.

        Note: 'drives.cmd' is a plain text file that I've used for this test, and I had to use the 'localwrt' option because it is required.

        dd -v if=drives.cmd of=myfile.txt.gz conv=noerror,comp --localwrt

        -> it creates a file named myfile.txt.gz.gz (adds an extra suffix)

        When I went to recover the file, I used

        dd -v if=myfile.txt.gz.gz of=myfile.txt conv=noerror,decomp --localwrt

        But the output file 'myfile.txt' has zero bytes.


        Regarding the disk, I'm using this WMI command to identify the drive; the name is \\.\Physicaldrive0

        wmic diskdrive get name, size, model

        I'm assuming that PhysicalDrive0 is the right one, because this drive could be accessed to export the file using DD.

        Regards

        pmico
        Newbie

          Re: Use dd with compression, please advise

          Posted: Tue Oct 10, 2017 12:34 am

          Hi again,

          just to complement my previous post.

          I've done a little more testing with this DD version using a single file.

          I did a test with a plain txt file:

          dd if=myfile.txt of=myfile.img conv=noerror --localwrt

          dd if=myfile.img of=myfile1.txt conv=noerror --localwrt

          the contents of the file 'myfile1.txt' were something like:

          VWdCbEFHY0Fjd0JvQUc4QWRBQWdBREVBTGdBNUFDNEFNQUFnQUhnQU5nQTBBQ0FB
          VlFCdUFHa0FZd0J2QUdRQQ0KWlFBTkFBb0FRd0J2QUcwQWJRQmxBRzRBZEFCekFE
          b0FJQUFOQUFvQVJBQmhBSFFBWlFCMEFHa0FiUUJsQURvQQ0KSUFBeUFEQUFNUUEz

          but...

          when I used the command without the 'noerror' option, I was able to recover the file.

          This format:
          dd if=myfile.txt of=myfile.img --localwrt

          I've also done the test using the option 'comp/decomp'... and it works; the problem is when I use the option 'noerror'.

          The noerror option means 'continue reading after errors', then??? If it transforms the file, the output seems encoded..

          Either I don't know how to use this tool, or I couldn't rely on this tool...


          I've also been working with this one, more similar to the standard Unix 'dd', and I was able to get/recover without problems, but with the inconvenience that I have to use an additional tool to compress the output and it takes quite a long time:

          www.chrysocome.net/dd

          Regards

          pmico
          Newbie
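          As an added example (not FAU's code and not posted by anyone in this thread), here is a file-level round-trip check in the spirit of jaclaz's test: compress a known file (Python's gzip module stands in for conv=comp), restore it, and confirm the SHA-256 of the result matches the source. The sniff() helper tells apart the three outcomes reported above (a real gzip stream, a zero-byte file, and base64-looking text); encode_base64() is a constructed stand-in for that last case, not a claim about what FAU dd does internally.

```python
import base64
import binascii
import gzip
import hashlib

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sniff(data: bytes) -> str:
    """Classify an output file: 'empty', 'gzip', 'base64' or 'raw'.

    The base64 check is a heuristic: ASCII only, length a multiple of 4
    after dropping line wrapping, and every character in the alphabet."""
    if not data:
        return "empty"
    if data.startswith(GZIP_MAGIC):
        return "gzip"
    text = b"".join(data.split())  # drop the 64-column wrapping seen above
    if text.isascii() and len(text) % 4 == 0:
        try:
            base64.b64decode(text, validate=True)
            return "base64"
        except binascii.Error:
            pass
    return "raw"


def encode_base64(raw: bytes, width: int = 64) -> bytes:
    """Constructed stand-in for the encoded-looking output pmico saw."""
    enc = base64.b64encode(raw)
    return b"\n".join(enc[i:i + width] for i in range(0, len(enc), width))


def restore_image(stored: bytes) -> bytes:
    """Undo whatever the stored file turned out to be."""
    kind = sniff(stored)
    if kind == "empty":
        raise ValueError("output is zero bytes: decompression produced nothing")
    if kind == "gzip":
        return gzip.decompress(stored)
    if kind == "base64":
        return base64.b64decode(b"".join(stored.split()), validate=True)
    return stored


def roundtrip_ok(raw: bytes) -> bool:
    """Does compress -> restore give back a byte-identical source?"""
    stored = gzip.compress(raw)  # stands in for conv=comp
    return sha256(restore_image(stored)) == sha256(raw)
```

          Run it against a small known file before trusting the same workflow on an 80Gb drive image; a mismatch or a ValueError here is cheaper to find than an unbootable restore.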

            Re: Use dd with compression, please advise

            Posted: Tue Oct 10, 2017 4:37 am

            Technically the Chrysocome dd is a "different" program (it is re-written in Delphi).

            "Real" ports of dd are either non-existing or not fully working or - just like in the case of the FAU version - overcomplicated by adding a number of (BTW often useful) options.

            Just for the fun of it (and FYI) I did some time ago a proper "hunt" for one:
            reboot.pro/topic/15207...for-ddexe/

            Back to your issue, maybe the --conv=noerror is one problem (and can be avoided by not using the switch).

            But the original one seems like an issue accessing the Physicaldrive for writing. I asked you about the OS involved because on recent Windows OS (Vista and later) some parts of the Physicaldrive cannot be accessed in write mode; you need to put the disk offline (or use some other tricks).

            See here:
            reboot.pro/topic/8200-...r/?p=73590
            communities.vmware.com.../DOC-10455
            reboot.pro/topic/12413...00-update/
            reboot.pro/topic/15069-lockvolume/

            The FAU dd being (mainly) aimed at taking images of physicaldrives (and not usually to restore them) may well be missing a similar mechanism and the .PDF you referenced being dated 2003 was written when 2K/XP/2003 were in use (they don't have the same "locking" mechanism as later Windows NT based OS's) and on them the FAU dd should work flawlessly for restore as well.

            jaclaz


            - In theory there is no difference between theory and practice, but in practice there is. - 

            jaclaz
            Senior Member