How To Image HD Drive Before Extraction & Restore

Discussion in 'backup, imaging & disk mgmt' started by frank7, Oct 30, 2011.

Thread Status:
Not open for further replies.
  1. frank7

    frank7 Registered Member

    Joined:
    May 14, 2011
    Posts:
    130
    Dear WS community,

    a client of mine has asked me to get data off an old IDE 60GB HD that is inside an ancient laptop without power cable, so the laptop has no use to the client, except getting the data out of it. So far so good.

    I gotten myself a quickport and hooked the drive via USB to my system. Drive works fine, data is there, no problem. And now comes the question.

    How do I image or backup the drive so that I can also search for deleted or formatted partitions without messing with the drive? Can I only do that while the drive is connected to my system or can I actually also image the drive completely with deleted files and partitions to my system and then work with the image instead of the actual drive? Is this possible, I am sure it is, and what software commercial or open source would I use for that?

    Currently I am looking at TestDisk but have not found an image/backup option with that. For my normal system backup I use Macrium Reflect since ever and am happy with that since ever, but I worry that such an image process might only copy the intact files instead of really making a 1:1 copy of the drive including all cylinders, deleted files, deleted or formatted partitions and the like.

    How would I best go about making a 1:1 copy of the HD before working on it please?
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    If client is only interested in data then there is no need to worry if your backup system does not create a true copy. Not sure why it wouldn't but in any case nothing to lose if you try
     
  3. frank7

    frank7 Registered Member

    Joined:
    May 14, 2011
    Posts:
    130
    Cudni, thanks for your fast reply. Yes a true copy is what is needed, a 1:1 copy of the drive to be exact.

    So what software, commercial, free or open source would accomplish such a task please?

    Why the need you ask? Well learning this on a drive that does not seem to be damaged can help me learn how to perform such tasks on drives in the future that have been damaged, formatted, lost their MBR or partition table etc. I am trying to learn this and do it the right way.

    If you look at this thread starting with this post you will see that in the past I have done huge mistakes when it comes to data recovery, so with this intact drive I am trying to learn and do things right this time round.
     
  4. frank7

    frank7 Registered Member

    Joined:
    May 14, 2011
    Posts:
    130
    I have found out that Macrium Reflect actually has an option to make a clone of the drive including empty sectors in the backup. But I am not sure about this.

    Would such a copy represent a true copy of the drive or would I need to use a more specialised software for such a task? What is such a task called? Clone? True Copy? Another expression?

    What other true copy/clone software for drives is out there with the functionality in regards to really making a true 1:1 copy of the drive, including all deleted files, formatted or lost partitions etc?

    Any help is very much appreciated.

    Thanks.
     
  5. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You want software that can make a forensic image and also be able to mount it, so that you can use other recovery programs on the mounted image.

    Some free choices:
    OSFClone and OSFMount
    FTK Imager

    See also Disk Imaging.
     
    Last edited: Oct 30, 2011
  6. frank7

    frank7 Registered Member

    Joined:
    May 14, 2011
    Posts:
    130
    Thanks indeed for your reply MrBrian, will give those a try for sure!

    Can you let me know why the imaging program that boots from CD/DVD/USB do have an advantage (I understand it like that the way you wrote it) over imaging programs that are installed on the system please? I am curious now..

    Thanks for your help.

    [edit] Thanks for the forensics wiki link especially!
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :). I removed that advice because I see that you already have the customer's drive as a slave. I wanted to make sure that you didn't install a backup program on the customer's drive, because that would overwrite sectors that might contain data that the customer wanted to recover. Also, if you're trying to image a partition containing an operating system while the operating system on the partition is running, then the operating system can change sectors on the partition while the image is being made, thus necessitating use of "hot imaging" technology if you don't want a possibly corrupted image. If you're running a backup program from a boot CD/DVD/USB, then you don't have to worry about "hot imaging" because the customer's operating system is not running.

    FTK Imager, by the way, can do "hot imaging" if I recall correctly, and also can be made portable (copy contents of Program Files\AcessData\FTK Imager to portable drive).
     
    Last edited: Oct 30, 2011
  8. frank7

    frank7 Registered Member

    Joined:
    May 14, 2011
    Posts:
    130
    Excellent advice, thanks MrBrian!
     
  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You're welcome :).

    If you want to organize files by file type, you could use Capacity.
     
  10. frank7

    frank7 Registered Member

    Joined:
    May 14, 2011
    Posts:
    130
    Even better advice! Thanks so much! 10 out of 10! I was already looking at Adobe Lightroom (shrugs) to sort the photos from the other files. Plus the normal search function does not really do the trick good enough.

    Great! My client will be delighted!
     
Loading...
Thread Status:
Not open for further replies.