I picked up an old Toshiba 2.5″ 40Gb laptop hard drive to use for practice cloning and analyzing drives with some free or low-cost forensic tools. After connecting the drive to the WiebeTech Forensic UltraDock I was quickly able to see that the drive had 5 bad sectors. I attempted to acquire the clone of the drive utilizing FTK Imager on two different occasions but after waiting for several hours on each attempt the clone would “freeze” after approximately 24.7Gb of the image had been acquired. I then attempted to clone the drive utilizing dcfldd within the SIFT 3.0 workstation and received the same results. A little online research and I learned about ddrescue as an option for achieving a clone of a drive with bad sectors.
Note: ddrescue could refer to two different programs: ddrescue as well as GNU ddrescue. In this post I am referring to GNU ddrescue.
GNU ddrescue can be installed on Ubuntu utilizing the following commands:
sudo apt-get update
sudo apt-get install gddrescue
Once ddrescue was installed I reconnected the Toshiba laptop drive via the Forensic UltraDock and initiated the clone again via ddrescue utilizing the command below to create a dd image file.
sudo ddrescue -f /dev/sdc /media/Cases/ToshibaLaptop.dd /media/Cases/ToshibaLaptop.txt
The above command creates a .dd image file (ToshibaLaptop.dd) from the source disk (/dev/sdc) and creates a log file (ToshibaLaptop.txt) which is located in the same directory as the image file.
After 6 hours the image file finally completed along with the log file of the image creation process (ToshibaLaptop.txt). At this point I was able to import the ToshibaLaptop.dd file into Autopsy 4.1 and begin analysis of the image file.
One thing to note about ddrescue compared to dcfldd is that a hash of the source drive is not created during the imaging process and will have to be created manually.
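The following is an added example, not part of the original post: it hashes the finished image manually and reads the log file ddrescue wrote (GNU ddrescue calls it a mapfile) to report which byte ranges of the image were never read from the source. The function names and the sample mapfile are constructed for illustration, and it assumes sha256sum is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# sample mapfile below are constructed for illustration.

# Print "<rescued_bytes> <unrecovered_bytes>" for a GNU ddrescue mapfile.
# Block lines are "pos size status"; '+' is rescued, while '?', '*', '/'
# and '-' all mean the range was not read from the source.
map_summary() (
    rescued=0; unrecovered=0; header_seen=0
    while read -r pos size status rest; do
        case "$pos" in ''|'#'*) continue ;; esac
        # The first non-comment line is the current position/status, not a block.
        if [ "$header_seen" -eq 0 ]; then header_seen=1; continue; fi
        case "$status" in
            '+') rescued=$(( rescued + $size )) ;;
            *)   unrecovered=$(( unrecovered + $size )) ;;
        esac
    done < "$1"
    echo "$rescued $unrecovered"
)

# Print "offset length" (decimal bytes) for every range that is not rescued,
# so the examiner can record which parts of the image are not source data.
bad_ranges() (
    header_seen=0
    while read -r pos size status rest; do
        case "$pos" in ''|'#'*) continue ;; esac
        if [ "$header_seen" -eq 0 ]; then header_seen=1; continue; fi
        [ "$status" = '+' ] || echo "$(( $pos )) $(( $size ))"
    done < "$1"
)

# Hash the finished image, store the digest beside it, print the hex digest.
hash_image() {
    sha256sum "$1" | tee "$1.sha256" | cut -d' ' -f1
}

# Constructed sample mapfile: 256 KiB device with two unreadable ranges.
write_sample_map() {
    cat > "$1" <<'EOF'
# Mapfile. Constructed sample in GNU ddrescue mapfile layout
# current_pos  current_status  current_pass
0x00030000     +               1
#      pos        size  status
0x00000000  0x00020000  +
0x00020000  0x00000200  -
0x00020200  0x0000FE00  +
0x00030000  0x00000400  -
0x00030400  0x0000FC00  +
EOF
}
```

After sourcing the file, call `hash_image /media/Cases/ToshibaLaptop.dd` and `bad_ranges /media/Cases/ToshibaLaptop.txt` with the paths used above, and keep both outputs with the case notes.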
More research and practice with GNU ddrescue needs to be completed on my part to test several theories and become more familiar and comfortable with the program. With that being said, ddrescue did create a dd image file that I was not able to create using FTK Imager or dcfldd.
You can find out more about GNU ddrescue Here.