For quite a while I’ve used ghost4linux (g4l) for my disc cloning needs. What I REALLY like are the ability to do a network copy of the image to an ftp server and the built in dd_rescue to rescue data from a failing hard drive. Unfortunately g4l does a bit by bit copy of a drive which means it can take a while and it copies the full drive capacity (say for instance 80GB) even if you only have 5GB worth of information. Now, it can be compressed and if you massage the drive by defragging/filling empty space with ones before you start you can squeeze the image down pretty small, but… sometimes that’s a big task (I remember leaving one box writing zeros to the drive overnight to prepare the empty space for a g4l cloning.) Anyway…. I’ve run across clonezilla recently and am VERY impressed – it’s basically a wrapper around partimage – it will only copy the data component of a disc’s contents if it recognizes the filesystem (most linux filesystem types ext2/3/reiser plus ntfs and fat… it seems like a couple others too.) If it doesn’t recognize the filesystem it drops back to bit by bit mode which is nice. The only other thing I would want from it is better documentation and dd_rescue capabilities. (And maybe a fuse module to be able to image to/from ftp servers.) It supports several network approaches (samba/ssh) for writing/reading images over a network.
Tag: disk image
-
Sleuthkit – windows and linux file recovery
http://www.sleuthkit.org/ Sleuthkit… is a collection of tools for forensic analysis of a system. Usually it’s something that would be done when you’ve had a suspected rootkit on the system and you boot to another operating system with Sleuthkit installed (maybe livecd/etc.) and want to try to analyze and hunt for traces of the rootkit. However, you follow some of the same procedures for forensic analysis as you would for the “I accidentally deleted a file” syndrome… For both situations you DON’T want to be running the live filesystem that’s affected.
-
Live filesystem “capture” into a virtual disk image
Ah… the joys of *nix utilities…. I’ve just successfully tested a “capture” of a live, running system into a virtual disk image. No, I don’t mean that I booted up with an imaging utility. I took a live, booted and logged in system and imaged the primary hard drive that it was living on, into a file on another machine. (Yeah, I know, there are probably a few people reading this and saying they’ve done that and most people that would need to do this already know how…. sorry I missed the memo.) Not too long ago, VMware released a tool to do something like this (that tool is for Windows…) This should work on any platform that supports dd and netcat (although I’m not sure if piping output from one program to another works with a DOS command shell – maybe cygwin would be a good environment to accomplish this with.) Anyway… here are the details.
-
Flashing bios pain in the neck….
One of the “project machines” I’ve had that’s been retired from other service was to become a “storage server” this week. The twin 250GB drives had arrived and I was ready to set up a RAID1 array (mirroring essentially…) in software and use Ubuntu 6.06 as the base operating system. I had already wiped the other drive and removed the drive, plugged in the new ones (master on the primary and secondary channels) and…. BIOS only reads 136GB. Shoot…. it was a relatively recent system (maybe 3 years…) SO…. BIOS update was my best bet I thought.
-
Virtual Machine of a real hard drive
This incidents.org article the other day caught my eye. It talked of a utility called liveview that could take a hard drive (or image of a drive) and make it into a virtual machine for use in vmware (saving all changes to a temporary file so the original structure of the disk/drive image is not touched.) It looks like you need to have Windows as your base platform, but it looks as though it would be a useful tool. Windows Incident Response possibly saw the same note on Incidents.org.