Softpanorama
(slightly skeptical) Open Source Software Educational Society


Technology of Working with ISO Images


Note: ISO images are now covered in a separate page: ISO Images

A disk image is a file which contains the full contents of a specified disk in a single file. The contents are generally read as raw sectors, so all data, including partition information (FAT), the boot sector, and the actual directory entries and files, are copied to the image. An image file is specific to a particular format, so a 1.44MB image should be written to a 1.44MB floppy diskette and a 1.2MB image should be written to a 1.2MB floppy diskette. A disk image is different from an archive (zip/arj/etc.): it contains a snapshot (or image) of the contents and does not differentiate between OS data (FAT, etc.) and user data (particular files, directories, etc.), which are generally not accessible until the image is written back to a disk, or unless tools that bypass the OS's filesystem layer are used to access the data. Also, a disk image will generally produce identical disk copies, whereas restoring an archive is generally equivalent to copying the files to a new diskette. See http://www.rundegren.com/software/floppyimage/faq/ for additional information about disk images.

There are several major types of images:

  1. ISO images. They are created in a special format, more properly called the ISO 9660 file system. You can create an ISO image file from the contents of a disk folder using, for example, ISO Recorder v2 or many shareware tools, for example ISO Commander. You can even install software directly from ISO images without burning them, using a virtual CD-ROM drive that can mount ISO images. Microsoft has an unsupported "Virtual CD-ROM Control Panel for Windows XP". The reason why it is unsupported became clear after downloading the product: it contains no setup program (only instructions) and the interface is quite basic. But the software did its job very well. This tool cannot be found through the "Microsoft Download Center", but it is mentioned in the MSDN Subscribers FAQ. See Mounting ISO images in a virtual CD-ROM drive for a discussion of this tool.
  2. Classic dd images. This is a sector-by-sector copy of a partition or of a whole disk.
  3. Floppy images. They can also be written using Unix dd (e.g. from the Microsoft SFU tools). But more specialized programs like the good old wimage (part of FDFORMAT, a shareware package for DOS written by Christoph H. Hochstätter) can also be useful. To create an image in Windows 2000 one can use dcf
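As an added illustration of why an image is tied to one diskette format (this is not code from the page or from any of the tools named above), the following Python reads the FAT BIOS Parameter Block at the start of a raw floppy image, names the format from its sector count, and refuses an image whose size does not match the target diskette. The two images it checks are constructed inside the script.

```python
"""Added example: read the FAT BIOS Parameter Block (BPB) of a raw floppy
image, name the format from its sector count, and check that the image
really fits the diskette it is about to be written to."""
import struct

# Sector counts (512-byte sectors) of the classic PC floppy formats.
FLOPPY_FORMATS = {720: "360KB", 1440: "720KB", 2400: "1.2MB",
                  2880: "1.44MB", 5760: "2.88MB"}

# BPB layout starting at offset 11 of the boot sector (FAT12/16 fields).
BPB_FMT = "<HBHBHHBHHHII"


def parse_bpb(boot_sector):
    """Decode the geometry fields of a FAT boot sector into a dict."""
    if len(boot_sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    (bps, spc, reserved, nfats, root_entries, total16, media,
     spf, spt, heads, hidden, total32) = struct.unpack_from(BPB_FMT, boot_sector, 11)
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "fats": nfats,
        "root_entries": root_entries,
        "total_sectors": total16 or total32,  # 16-bit field is 0 when the 32-bit one is used
        "media_descriptor": media,
        "sectors_per_fat": spf,
        "sectors_per_track": spt,
        "heads": heads,
        "boot_signature_ok": boot_sector[510:512] == b"\x55\xaa",
    }


def describe_image(image):
    """Return (format name, list of problems) for a raw floppy image."""
    bpb = parse_bpb(image[:512])
    problems = []
    bps = bpb["bytes_per_sector"]
    if bps not in (512, 1024, 2048, 4096):
        return "unknown", ["implausible bytes per sector: %d" % bps]
    if not bpb["boot_signature_ok"]:
        problems.append("boot sector lacks the 0x55AA signature")
    if len(image) % bps:
        problems.append("image length is not a whole number of sectors")
    expected = bpb["total_sectors"] * bps
    if len(image) != expected:
        problems.append("BPB describes %d bytes but image is %d bytes"
                        % (expected, len(image)))
    per_cyl = bpb["sectors_per_track"] * bpb["heads"]
    if per_cyl == 0 or bpb["total_sectors"] % per_cyl:
        problems.append("total sectors is not a whole number of cylinders")
    name = FLOPPY_FORMATS.get(bpb["total_sectors"],
                              "non-standard (%d sectors)" % bpb["total_sectors"])
    return name, problems


def fits_diskette(image, diskette_sectors, bps=512):
    """True only when the image is exactly the size of the target diskette,
    so a 1.2MB image is rejected for a 1.44MB diskette and vice versa."""
    return len(image) == diskette_sectors * bps


def make_floppy_image(total_sectors, spt, media, spf, root_entries=224):
    """Build a blank but correctly described floppy image (constructed sample)."""
    bs = bytearray(512)
    bs[0:3] = b"\xeb\x3c\x90"  # jump over the BPB, as real boot sectors do
    bs[3:11] = b"EXAMPLE "      # OEM name
    struct.pack_into(BPB_FMT, bs, 11, 512, 1, 1, 2, root_entries,
                     total_sectors, media, spf, spt, 2, 0, 0)
    bs[510:512] = b"\x55\xaa"
    return bytes(bs) + bytes(512 * (total_sectors - 1))


IMAGE_144 = make_floppy_image(2880, 18, 0xF0, 9)  # 1.44MB: 80 cyl x 2 heads x 18 spt
IMAGE_12 = make_floppy_image(2400, 15, 0xF9, 7)   # 1.2MB: 80 cyl x 2 heads x 15 spt

if __name__ == "__main__":
    for label, img in (("1.44MB image", IMAGE_144), ("1.2MB image", IMAGE_12)):
        print(label, describe_image(img))
    print("1.2MB image on a 1.44MB diskette:", fits_diskette(IMAGE_12, 2880))
```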

Old News ;-)

[Apr 28, 2006] Port25 Recovering remote NT-W2K-XP desktops with a network boot CD-DVD 

In the second comment below it is unclear why they don't just let students use Norton Ghost and create their own images. Also, only amateurs use one partition (C: for the whole drive) on a modern laptop, and if a university wants to train idiots this is definitely the way to go ;-). It's very easy to link major user directories to the second drive.
If you are looking for a good Open Source solution for Imaging and recovery one way to do this is by using:  g4u (Ghost for UNIX) http://www.feyrer.de/g4u/ . Based on NetBSD, G4u is a bootable floppy/CD for cloning and imaging hard disks and partitions.

If you have a mixed environment, which most of us do, you might wonder what file or operating systems it can handle.  The answer is all of them. G4u reads the disks bit by bit starting with byte #0. This includes any MBR, boot record, partition table and the partitions themselves.  G4u can as easily clone a Windows XP disk as a Linux or Solaris/X86 disk. By moving the hard disks to a PC, g4u can even deploy or image operating systems for non-PC based SCSI machines such as HP-UX, Solaris, Irix, and AIX. You can image a drive or partition locally, i.e. disk to disk, or have the image uploaded to an ftp server. The cloned images can be compressed to save space, however the compression isn't nearly as good as some of the commercial alternatives so make sure your ftp server has plenty of space!  If space is a concern, be sure to check out the FAQ on G4u's website. http://www.feyrer.de/g4u/#hints

Here is a quick example.  I recently imaged my Fedora Core 5 laptop to a local ftp server here in my office. 

Once I booted my laptop up with the g4u CD, I was at the main menu and the command prompt.

 g4u>

The laptop only has one hard disk. I used the ‘disks’ command to see it.

g4u> disks

wd0: at atabus0 drive 0: <FUJITSU MHT2060AT PL>

wd0: drive supports 16-sector PIO transfers, LBA addressing

wd0: 57231 MB, 116280 cyl, 16 head, 63 sec, 512 bytes/sect x 117210240 sectors

I wanted to image the IDE disk (wd0) to my ftp server (192.168.1.1) using the ftp account ‘images’. I typed the following command. 

 g4u> uploaddisk images@192.168.1.1 fc5laptop.gz wd0

I entered in my password when prompted.

This took a while on a 100MB connection, a couple hours or so.  I think I went and got coffee while it was running. Ok, so now on my ftp server I have the file fc5laptop.gz.

 $ ls -l
 -rw------- 1 images images 20259936597 Apr 18 12:18 fc5laptop.gz

To recover the image I booted again with the g4u CD and at the command prompt typed:

 g4u> slurpdisk images@192.168.1.1 fc5laptop.gz wd0

Again I entered my password for the ftp server when prompted and went for coffee (anytime is a good time for coffee :-))

After about an hour my laptop was restored. I ejected the g4u cd and rebooted.

G4u doesn’t try to do everything but what it does do, it does very well.

re: Recovering remote NT/W2K/XP desktops with a network boot CD/DVD

Friday, April 28, 2006 12:58 PM by fluke
g4u is a very interesting project.  I have been using Novell's ZEN Image which boots a light (less than 12MB) version of SuSE to do imaging.  And just like g4u, it supports being started via CD boot or PXE network boot.

However, you did not answer the question about *RECOVERY* of an existing installation at all.

At the University, we have several students that are getting hit with the "Blackworm."  Several of these Dell laptop users don't even have a Windows install CD, but rather a Ghost boot CD that puts the drive back to OEM default (in some cases also without SP2).  It would be nice to have a "Live CD" based on the XP kernel.  This way, even if the user has hardware not supported by alternative OSes, a recovery environment could be booted that is ensured not to automatically start any rootkits from the hard drive.  We could then use network access to the "Live CD" environment to try to remove the infection or at least remotely back up critical data files.

But the problem is one of license terms instead of any technical issue.  Several people claim that Windows is simply a victim of its own popularity and that if Mac OS or Linux became the popular desktop then it would also be the target of malware.  To some extent that might be true, but the people that make this claim do not seem to take into account what methods of recovery could be made available to the different personal desktop users.

If a Mac OS port of Blackworm came out, we could create a bootable recovery CD based on Darwin that uses Apple's official HFS+ file system code and is able to support all the same hardware drivers as the hard drive installed OS.  Once such a recovery CD is created, we could then redistribute it to the students under the licensing terms of Darwin.

If a GNU/Linux port of Blackworm came out, we could create a bootable recovery CD based on the GNU/Linux distribution that uses the distribution's official file system code and is able to support all the same hardware drivers as the hard drive installed OS.  Once such a recovery CD is created, we could then redistribute it to the students under the licensing terms of the GNU/Linux distribution.

But now that the XP version of Blackworm is out, we have tried creating a bootable BartPE CD that uses the official MS kernel, NTFS driver and other XP drivers.  But then the terms of redistribution on any work derived using the XP kernel and other resources prohibit us from redistributing it to the students.

We don't want to cheat Microsoft but we don't want to cheat our students either.  Ultimately, copyright law wins out and our ability to help the students is greatly hindered.  Our Microsoft sales rep will only confirm that we don't have any reasonable method of redistributing BartPE CDs regardless of what our intentions are.

Much like you, Dell and Microsoft's answer involves re-imaging the laptop which does not address keeping any of the data they need to pass their classes.

"and went for coffee (anytime is a good time for coffee :-))"

Well... if you can recommend any good coffee, it might at least make our students feel better about losing their end-of-semester papers, which are due today, to the Blackworm.

If only malware authors were restricted by the same laws that hinder us from fighting their creations.
 

HDCOPY  DOS-based Disaster-Recovery, Backup and Cloning Program (similar to old GHOST).

HDCOPY is a Disaster-Recovery, Backup and Cloning program which works independently of the operating system being used. HDCOPY works as a pure DOS program and does not rely on specific functions of the resident operating system.  It will work regardless of the structure of the operating system’s file system.  HDCOPY supports Backup To and Restore From an image file, as well as copying hard disk directly to hard disk. You can work with HDCOPY on whole hard disks or single partitions.

Backing Up And Restoring Your Dedicated Server With SystemImager HowtoForge - Linux Howtos and Tutorials

Version 1.0
Author: Falko Timme <ft [at] falkotimme [dot] com>
Last edited 06/17/2005

This tutorial is based on the tutorial "Creating Images Of Your Linux System With SystemImager" (http://www.falkotimme.com/howtos/systemimager/index.php and http://www.howtoforge.com/howto_linux_systemimager) where you can find the basics about how to use SystemImager.

Now let's assume you have a dedicated Linux server (rented or co-location) that is located in some provider's data center which is normally a few hundred kilometers away from your office or home. Now you want to make an image of that system so that you have a backup in case your server crashes, you accidentally deleted all your customers' web sites, etc. (I'm sure you have enough fantasy to make up some horror scenarios for yourself here...). Creating such an image is no problem, even on a remote system that is in a data center; it is all described in the "Creating Images Of Your Linux System With SystemImager" tutorial.

But how do you restore such an image? That's the crucial point. The methods described in the "Creating Images Of Your Linux System With SystemImager" tutorial all require that you have physical access to your server and that your server has a floppy drive or a CD-ROM drive. But your server is a few hundred kilometers away, and nowadays only few servers have a floppy or CD-ROM drive.

There is a solution; the only requirement is that your dedicated server has some kind of Linux rescue system, which is a feature that normally comes with dedicated servers offered by one of the big hosting companies. It basically works like this: your hosting company gives you the login to some kind of control panel where you can see a lot of information about your server, e.g. traffic consumption in the last few months, documentation, passwords, billing information, etc. There will also be a page that lets you select the boot mode of your server, i.e. normal system boot or rescue system. If you select rescue system, the server will boot into the rescue system which you can use to repair your normal system. It is similar to your Linux machines in your office or at home where you use some kind of Linux live-CD (e.g. Knoppix) to repair your system.

Now in this tutorial I will demonstrate how to restore an image on your dedicated server, on the basis of a dedicated server that the German hosting company Strato gave to me for 3 months free of charge in order to write this howto. Many thanks to Strato for their co-operation!

If you have successfully tried the methods described here on other hosters' dedicated servers please let me know! I will mention it here.

This howto is meant as a practical guide; it does not cover the theoretical backgrounds. They are treated in a lot of other documents in the web.

This document comes without warranty of any kind!

Choosing a Disk-Imaging Program

Microsoft does not provide disk-imaging software. You must purchase a third-party disk-imaging program to create a disk image of a master computer’s hard disk.

Not all disk-imaging programs are compatible with Windows Server 2003 and Windows XP Professional. When you evaluate disk-imaging programs, make sure you choose a program that supports the following Windows Server 2003 and Windows XP Professional features:

In addition to these required features, consider choosing a disk-imaging program that supports the following optional features:

Some disk-imaging programs can create, resize, or extend a partition before you copy a disk image onto a destination computer. Although these features might be useful, not all disk-imaging programs can perform these tasks: in fact, some programs might cause a STOP 0x7B error (INACCESSIBLE_BOOT_DEVICE). If you want to create a partition on a destination computer's hard disk before you perform an image-based installation, you need to be sure the disk-imaging program is compatible with the file systems used by Windows Server 2003 and Windows XP Professional. If you want to resize or extend a partition before you copy a disk image onto a destination computer, use the ExtendOemPartition parameter in the Sysprep.inf file.

For more information about Stop 0x7B errors, see article 257813, "Using Sysprep May Result in ‘Stop 0x7B (Inaccessible Boot Device)’ on Some Computers," in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. For more information about using the ExtendOemPartition parameter, see "Automating Tasks Before Mini-Setup" later in this chapter.

Note: If you are deploying a 64-bit edition of Windows XP or a 64-bit version of the Windows Server 2003 family, you must use a 64-bit disk-imaging program.

Re how to write a floppy using dd

There are two basic ways of copying the boot images to floppies.
One is by using dd: dd if=1440_boot_floppy of=/dev/fd0  -- of course
use your own intended floppy device.

The second might be a little quicker:

cat 1440_boot_floppy >/dev/fd0

I have used both ways at different times and they work the same.
There is probably quite a tech. difference, but I don't think that there
is a functional difference.

Have Fun!

Recommended Links



ISO Recorder v 2  http://isorecorder.alexfeinman.com/isorecorder.htm Welcome to the ISO Recorder download page. ISO Recorder is a tool (power toy) for Windows XP, 2003 and now Windows Vista, that allows (depending on the Windows version) to burn CD and DVD images, copy disks, make images of the existing data CDs and DVDs and create ISO images from a content of a disk folder.


**** Rawrite and related programs very good page by Jeremy Davis

Marc's realm - Creating and using disk images mini-HOWTO

Alexander Geschonneck's Security Site Forensic - IDS - Incident Response

Rawrite Wikilearn TWiki

Thomas Rude - DD and Computer Forensics

Using dd (instead of cdrecord and dvdrecord) to write bootable ISO images to DVD-RAM disks - CCP14 Linux Internet Server - CCP14 Web-Config Administration Information - CCP14 Homepage - Single Crystal and Powder Diffraction

Forensics usage of disk images

SANS Golden Gate 2004 ~ System Forensics, Investigation & Response

Windows 2000 Imaging
  • Images, Copies, and examination principles
  • Reviewing Logical Files
  • Using dd for Windows to obtain raw images
  • Memory Collecting
Searching for clues
  • Reviewing Logs
  • Performing Key Word Searches
  • Email Evidence
  • Web Cache and History
  • Passwords and Locations
  • NTFS File Recovery
  • Recycle Bin
Linux Based NTFS Examination
  • Mounting Windows NTFS in LINUX
  • Showing Metadata Files for examination in Linux ($Logfile, $MFT, $MFTMirr)
  • Using Linux as a Virtual Hardware Write Blocker
  • Using The Sleuthkit, Foremost, and Autopsy to examine NTFS images
Hands-On Exercises Include
  • Recovering a rootkit from an SMB attack using a hexeditor
  • Using Automated toolkits to collect information from Windows based systems
  • Imaging an NTFS filesystem over file sharing enabled computers using dd
  • Imaging Physical Memory of a Windows platform using dd
  • Mounting NTFS images in Linux for examination
  • Using Autopsy, Foremost, and The Sleuth Kit to examine NTFS images

File System Analysis Techniques

Search

In this scenario, we will search the unallocated space of the "wd0e.dd" image for the string "abcdefg". The first step is to extract the unallocated disk units using the "dls" tool (as this is an FFS image, the addressable units are fragments).

     # dls -f openbsd images/wd0e.dd > output/wd0e.dls

Next, use the UNIX strings(1) utility to extract all of the ASCII strings in the file of unallocated data. If we are only going to be searching for one string, we may not need to do this. If we are going to be searching for many strings, then this is faster. Use the '-t d' flags with "strings" to print the byte offset that the string was found.

     # strings -t d output/wd0e.dls > output/wd0e.dls.str

Use the UNIX grep(1) utility to search the strings file.

     # grep "abcdefg" output/wd0e.dls.str | less
     10389739: abcdefg

We notice that the string is located at byte 10389739. Next, determine which fragment that byte falls in. To do this, we use the 'fsstat' tool to learn the fragment size:

     # fsstat -f openbsd images/wd0e.dd
     <...>
     CONTENT-DATA INFORMATION
     --------------------------------------------
     Fragment Range: 0 - 266079
     Block Size: 8192
     Fragment Size: 1024

This shows us that each fragment is 1024 bytes long. Using a calculator, we find that byte 10389739 divided by 1024 is 10146 (and change). This means that the string "abcdefg" is located in fragment 10146 of the "dls" generated file. This does not really help us because the dls image is not a real file system. To view the full fragment from the dls image, we can use dd:

     # dd if=images/wd0e.dd bs=1024 skip=10146 count=1 | less

Next, we will identify where this fragment is in the original image. The "dcalc" tool will be used for this. "dcalc" will return the "address" in the original image when given the "address" in the dls generated image. (NOTE: this is currently kind of slow.) The '-u' flag shows that we are giving it a dls address. If the '-d' flag is given, then we are giving it a dd address and it will identify the dls address.

     # dcalc -f openbsd -u 10146 images/wd0e.dd
     59382

Therefore, the string "abcdefg" is located in fragment 59382. To view the contents of this fragment, we can use "dcat".

     # dcat -f openbsd images/wd0e.dd 59382 | less

To make more sense of this, let us identify if there is a meta data structure that still has a pointer to this fragment. This is achieved using "ifind". The '-a' argument means to find all occurrences.

     # ifind -f openbsd -a images/wd0e.dd 59382
     493

Inode 493 has a pointer to fragment 59382. Let us get more information about inode 493, using "istat".

     # istat -f openbsd images/wd0e.dd 493
     inode: 493
     Not Allocated
     uid / gid: 1000 / 1000
     mode: rw-------
     size: 92
     num of links: 1
     Modified: 08.10.2001 17:09:49 (GMT+0)
     Accessed: 08.10.2001 17:09:58 (GMT+0)
     Changed: 08.10.2001 17:09:49 (GMT+0)
     Direct Blocks:
     59382

Next, let us find out if there is a file that is still associated with this (unallocated) inode. This is done using "ffind".

     # ffind -f openbsd -a images/wd0e.dd 493
     * /dev/.123456

The leading '*' identifies the file as deleted. Therefore, at one point, the file '/dev/.123456' allocated inode 493, which allocated fragment 59382, which contained the string "abcdefg".

If "ffind" returned more than one file that had allocated inode 493, it means that either both were hard links to the same file, or that one file (chicken) allocated the inode, was deleted, and then a second file (egg) allocated it and was deleted in turn. The string belongs to the second file, but it is difficult to determine which came first. On the other hand, if "ffind" returns two entries where one is deleted and one is not, then the string belongs to the non-deleted file.

As previously mentioned, Autopsy will do all of this for you when you do a keyword search of unallocated space.
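The arithmetic that the dls/dcalc/ifind steps above perform can be reproduced on a small constructed file system, which makes the mapping between "dls address" and "dd address" concrete. The following Python is an added example, not part of the original tutorial or of The Sleuth Kit: the 64-fragment allocation bitmap and the inode table are constructed, and the fragment size of 1024 is the one fsstat reported above.

```python
"""Added example: the arithmetic behind dls, dcalc and ifind in the keyword
search above, run on a constructed 64-fragment file system."""
import bisect

FRAG_SIZE = 1024  # from fsstat above: Fragment Size: 1024

# Constructed allocation bitmap (True = fragment in use). Fragments 0-9,
# 20-29 and 40-47 are allocated; the remaining 36 are unallocated.
ALLOCATED = [(0 <= f < 10) or (20 <= f < 30) or (40 <= f < 48)
             for f in range(64)]

# Constructed inode table: inode -> direct fragment pointers and state.
INODES = {
    493: {"direct": [34], "allocated": False},     # deleted, still points at 34
    500: {"direct": [20, 21], "allocated": True},  # live file on allocated fragments
}


def byte_offset_to_unit(offset, unit_size=FRAG_SIZE):
    """Fragment index holding a byte offset, and the offset inside it.
    This is the 'byte 10389739 divided by 1024' step from the text."""
    return divmod(offset, unit_size)


def unallocated_units(allocated):
    """dls writes unallocated units in ascending address order, so the i-th
    unit of the dls file is original unit unalloc[i]."""
    return [addr for addr, used in enumerate(allocated) if not used]


def dls_to_original(dls_addr, unalloc):
    """dcalc -u: dls address -> address in the original (dd) image."""
    if not 0 <= dls_addr < len(unalloc):
        raise ValueError("dls address %d beyond the %d unallocated units"
                         % (dls_addr, len(unalloc)))
    return unalloc[dls_addr]


def original_to_dls(orig_addr, unalloc):
    """dcalc -d: original address -> dls address, or None when the unit is
    allocated and therefore never appears in the dls output."""
    i = bisect.bisect_left(unalloc, orig_addr)
    return i if i < len(unalloc) and unalloc[i] == orig_addr else None


def inodes_pointing_to(frag, inodes=INODES):
    """ifind -a: every inode whose direct pointers include the fragment."""
    return sorted(ino for ino, meta in inodes.items() if frag in meta["direct"])


def locate_hit(dls_byte_offset, allocated=ALLOCATED, inodes=INODES):
    """Walk a strings(1) hit in the dls file back to its original fragment
    and to any inode (allocated or not) that still points at it."""
    dls_frag, within = byte_offset_to_unit(dls_byte_offset)
    unalloc = unallocated_units(allocated)
    orig_frag = dls_to_original(dls_frag, unalloc)
    return {
        "dls_fragment": dls_frag,
        "offset_in_fragment": within,
        "original_fragment": orig_frag,
        "inodes": inodes_pointing_to(orig_frag, inodes),
        "inode_allocated": [inodes[i]["allocated"]
                            for i in inodes_pointing_to(orig_frag, inodes)],
    }


if __name__ == "__main__":
    # The page's own numbers: byte 10389739 of the dls file is in dls fragment 10146.
    print(byte_offset_to_unit(10389739))
    # A constructed hit at byte 15000 of the dls file of the 64-fragment image.
    print(locate_hit(15000))
```

On the constructed image the hit at byte 15000 lands in dls fragment 14, which is original fragment 34, pointed to only by the deleted inode 493; fragment 25 is allocated and so has no dls address at all.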

Making Diskette Images without Diskettes

So far we have been preparing boot diskettes by writing to real diskettes. This sounds like the most logical way to do it, but there can be reasons why we want to prepare an image file of a diskette without using real diskettes. Several reasons could be:

Basically we could create a diskette image as follows:

The last part is the trickiest especially for LILO. It's fairly trivial for SYSLINUX and using the device command it can be done with GRUB. There is also another trick for SYSLINUX and GRUB (it does not work with LILO):

On Timo's Rescue CD Page there is a good explanation of how to create 2.88MB diskette images for a bootable CD-ROM, using all boot loaders. I could not explain it better. Of course these recipes apply also to other types of disk images.


Thomas Rude - DD and Computer Forensics - He's Worth a Deuce!

Moving your data to a backup device

Using the dd command to dump data

The dd command can be used to put data on a disk, or get it off again, depending on the given input and output devices. An example:

gaby:~>dd if=images-without-dir.tar.gz of=/dev/fd0H1440
98+1 records in
98+1 records out

gaby:~>dd if=/dev/fd0H1440 of=/var/tmp/images.tar.gz
2880+0 records in
2880+0 records out

gaby:~>ls /var/tmp/images*
/var/tmp/images.tar.gz

Note that the dumping is done on an unmounted device. Floppies created using this method will not be mountable in the file system, but it is of course the way to go for creating boot or rescue disks. For more information on the possibilities of dd, read the man pages.

This tool is part of the GNU fileutils package.

Dumping disks

The dd command can also be used to make a raw dump of an entire hard disk.

Partimage

Partimage homepage

Description: Partition Image is a Linux/UNIX utility which saves partitions in many formats (see below) to an image file. The image file can be compressed in the GZIP/BZIP2 formats to save disk space, and split into multiple files to be copied on removable floppies (ZIP for example), ... Partitions can be saved across the network since version 0.6.0.

Partition Image will only copy data from the used portions of the partition. For speed and efficiency, free blocks are not written to the image file. This is unlike the 'dd' command, which also copies empty blocks. Partition Image also works for large, very full partitions. For example, a full 1 GB partition can be compressed with gzip down to 400MB.

This is very useful to save partitions to an image in some cases:

Mailing lists switched to forums
There are four mailing lists but we urge you to use forums.
You should still subscribe to the partimage-announce mailing list if you want to receive an e-mail, when a new version is released. [low-traffic]

Supported file systems

name            description                                                          state
ext2fs/ext3fs   the Linux standard                                                   stable
ReiserFS        a new journalized and powerful file system                           stable
FAT16/32        DOS and Windows file systems                                         stable
HPFS            IBM OS/2 file system                                                 stable
JFS             Journalised File System, from IBM, used on AIX                       stable
XFS             another journalized and efficient file system, from SGI, used on Irix   stable
UFS             Unix File System                                                     beta
HFS             Mac OS file system                                                   beta
NTFS            Windows NT, 2000 and XP                                              experimental

NTFS (the Windows NT File System) is currently not fully supported: this means you will be able to save an NTFS partition if the system files are not very fragmented and are not compressed. In that case you will be able to save the partition into an image file, and you will be able to restore it afterwards. If there is a problem when saving, an error message will be shown and you won't be able to continue. If you have successfully saved an NTFS partition, you shouldn't have problems restoring it (except in the case of bugs). So the best way is to try to save the partition to find out whether it is possible. If not, try to defragment it with Diskeeper or another tool, and then try saving the partition again.

Etc



Copyright © 1996-2009 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Site uses AdSense so you need to be aware of Google privacy policy. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Last modified: August 12, 2009