?
Solved

Hard drive image without changing original in anyway way - best approach?

Posted on 2010-01-10
52
Medium Priority
?
684 Views
Last Modified: 2013-12-01
Hi,

We have a legal case where we need to take a clone of a laptop hard drive without making any changes to that hard drive.

Therefore it must be like when we are finished with the original hard drive, it must be in the EXACT same state that it was before the clone operation as if it has not even been started.

My initial assumption is this is acheiveable but I would like a second opinion.

My thoughts are we proceed as so:

1) Remote the hard drive from laptop and place into external caddy.
2) Find a suitable hard drive image program (suggestions welcome) that can take an image of the hard drive (as if backing it up - but in a non changing way)
3) Once we have made the clone, place that onto another hard drive that can be explored at will and the files examined without risk of damaging them.


Note if it helps this is for a legal case. The legal team want to maintain the original evidence intact and unchanged should it be required. The clone allows them to explore if the drive has evidence without making changes to the original.



Any comments (or recommended best tools)?
0
Comment
Question by:afflik1923
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 15
  • 9
  • 8
  • +8
52 Comments
 
LVL 1

Accepted Solution

by:
Randomuser456 earned 200 total points
ID: 26279923
I would use a linux boot disk and mount the hard disk as read only, and copy it bit for bit with dd. This will get an exact clone of the disk, and would in my mind be the best for use in a legal court as it will not (and cannot) change anything read off the disk or change the original disk.

I would video myself doing it as well as all the commands just to cover myself. In fact I would probably get a specialised service to do it for me even if it costs money, an independent third party if you will.
0
 
LVL 1

Expert Comment

by:Randomuser456
ID: 26279929
Also have somebody watch you do it (like the lawyer) so you don't get accused of doing anything dodgy.
0
 

Author Comment

by:afflik1923
ID: 26279932
I am the indpenent third party being asked to do this ;)
Hence want to get it right. being asked by layers though so they should know whether worth videoing.

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:afflik1923
ID: 26279936
However, I would like an easy way of doing this rather then Linux which I'm not familar with.
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 200 total points
ID: 26279938
Ghost, now Symantec/Norton, sets the standard for drive imaging, http://www.symantec.com/norton/ghost.

However I do agree with Randomuser&, get a CERTIFIED 3rd party to create an image for you.  Of course do NOT boot the PC under its own OS.

In fact what I would suggest is that unless you really need the data back on that computer, remove the hard drive, get a brand new one for the computer and rebuild the computer.
0
 
LVL 14

Assisted Solution

by:charlestasse
charlestasse earned 200 total points
ID: 26280039
I have gone through this situation a few times myself. Symantec Ghost offers you the ability to grab an exact image and then when needed for the lawyers you can expose or extract the image files at will to any storage device.
This meets you and your lawyers requirement
0
 

Author Comment

by:afflik1923
ID: 26280044
Does Ghost really set the standard ? I remember hearing some bad things about it recently. Even Amazon reviews of the consumer version were bad for a while if I remember looking into it a few years ago and I was forever put off (And went for Acronis - which did let me down in some cases)
0
 
LVL 14

Expert Comment

by:charlestasse
ID: 26280073
I can't say if Ghost sets the standard or not, but it did meet the requirements for more than one multi million dollar law suit that i worked on. In one instance I had to Ghost 250 systems and provide 4.8 TB of data, I was more than comfortable in court defending the proceedure.
0
 
LVL 1

Expert Comment

by:Randomuser456
ID: 26280094
This previous post may assist somewhat.
http://www.experts-exchange.com/Security/Misc/Q_21404821.html

0
 
LVL 1

Expert Comment

by:Randomuser456
ID: 26280108
0
 
LVL 5

Assisted Solution

by:jdcomp
jdcomp earned 400 total points
ID: 26280123
Acronis software should allow you to compleate you requirements.

ww.acronis.com

Install acronis on your PC and create a bootable acronis CD, get an external hard drive with anought size to save the image from the laptop.

Boot the laptop with the acronis CD and the external drive connected to it, create the image of the laptop hard drive and place it on the external one.

When you connect the external hard drive to you PC you should be able to explore the files on the image and export them to whereever you want

0
 
LVL 26

Expert Comment

by:akahan
ID: 26280583
You've already blown it.  If you're the independent expert who's  making the copy, the fact that you asked this elementary question online will come out in your deposition, and you'll be torn to bits, either on the spot in your deposition, or at trial; "some expert."  

At this point, it would be a disservice to your client to continue.  You should contact a professional digital forensics outfit, and let them do the job.  They will have both the legal and technical expertise to survive the inevitable questions about chain of custody, etc., which you don't/won't.

I don't mean to be insulting, but there's more to forensics that will stand up to cross examination than the mere technical ability to make a bit-for-bit copy.  

Consider recommending something like http://www.krollontrack.com/ to your client.

0
 
LVL 47

Assisted Solution

by:noxcho
noxcho earned 400 total points
ID: 26281310
My guinea is here: Drive Copy 9.0 that can work both in installed and booted from CD modes: http://www.paragon-software.com/home/dc-personal/
Allows you creation of sector per sector clone of HDD so exact state of the drive will be done.
Note, your copy target drive must be same or bigger size as copy source drive.
0
 
LVL 92

Assisted Solution

by:nobus
nobus earned 200 total points
ID: 26281726
for a commercial soft, i use Acronis true image : www.acronis.com
a free tool is drive image xml : http://www.runtime.org/driveimage-xml.htm
both will do what you want -  and don't change the drive in question !
0
 
LVL 14

Assisted Solution

by:TedInAK
TedInAK earned 200 total points
ID: 26285270
To all the Experts who recommend using a boot CD and boot from the computer at issue is not, in my opinion, a good choice seeing as this is a legal case.

The utmost care must be made to keep the drive in a pristine state.  Trusting to chance that the CD will boot as desired is not as safe as having the drive removed, preferably by an A+ certified technician and then having that drive re-installed in another system, at which time the drive can be more safely (again, in my opinion) cloned.

Pro's to this method:
 - If BIOS isn't set to boot from CD, the drive in question would by default boot;
 - If the CD drive is set to boot but for whatever reason the CD wasn't readable, again the drive will default. I've personally had this happen with a legal copy of Win7 RC.  Probably a BIOS problem in my computer, but it would try to boot and then show a message --- and this is the approximate error message --- Cannot boot from CD - error ? (5, I think).  But when I installed a boot manager that allowed me to boot from CD, it loaded up just fine.  Go figure.

Con's:
 - The tech could conceivably damage the drive during removal / install, though a highly unlikely occurrence if the tech is worth his/her salt.  While I'm not certified, I've installed scores and never had a problem, not even an RMA.
 - I'm sure there are other con's, but can't think of any at the moment.
0
 
LVL 92

Expert Comment

by:nobus
ID: 26285422
i don' t see what removing the drive, and connecting it to another pc changes in the boot priority ...
furthermore - he's moving the drive to an external caddy -  so it won't boot from it

if i'm wrong, correct me..
0
 
LVL 25

Assisted Solution

by:madunix
madunix earned 200 total points
ID: 26286539
my list:

Paragon Drive Copy is a cutting-edge solution to deploy new hard drive, migrate data and applications online, create bootable backup copy of a hard drive or its partitions. Paragon Drive Copy is based on innovative Hot Copy? technology. Due to this technology all your applications remain online during data migration without significant performance delays. Easy to manage and understand interface in Windows XP style, unique One Button Copy Wizard, platform independent Drive Copy CD, automatic transferred partition resizing, wide hardware support (including USB, FireWire hard drives) make Drive Copy an ideal solution for the full spectrum of disk cloning operations.

Secura Backup is powerful professional backup software designed to automate 128 bit encrypted backups to local drives, network paths, FTP sites, CD/DVD discs, and E-Mail addresses.


Acronis Backup & Recovery 10 Workstation is the next generation of the Acronis True Image disaster recovery product for small enterprise environments. Built to protect the intellectual property that resides in business desktops and laptops, Acronis Backup & Recovery 10 Workstation combines optimized data protection and ease-of-use. It creates an exact disk image of your office workstation and backs up the operating system, applications, key data files and folders.

Norton Ghost 15 is a robust and professional-grade backup solution for both home users and small businesses. With Norton Ghost, lost or damaged files can be recovered and restored in the event of a system failure, even if the computer's operating system does not start. It also allows backup of an entire system or specific files and folders while saving recovery points to offsite locations using FTP. Norton Ghost is also flexible, allowing users to decide when to back up their system, either on a schedule or based on an event.

Drive Clone Pro
Back up your computer and protect everything important to you
* Creates an exact copy of a PC for a full backup or back up only selected important data
* System Snapshot backs up the computer in a mere 5-10 seconds
* Migrate to Bigger Hard Drive, or New PC with a few Clicks

Mondo Rescue is a GPL disaster recovery solution. It supports Linux (i386, x86_64, ia64) and FreeBSD (i386). It's packaged for multiple distributions (RedHat, RHEL, SuSE, SLES, Mandriva, Debian, Gentoo).

clonezilla
# Free (GPL) Software.
# Filesystem supported: ext2, ext3, ext4, reiserfs, xfs, jfs of GNU/Linux, FAT, NTFS of MS Windows, and HFS+ of Mac OS. Therefore you can clone GNU/Linux, MS windows and Intel-based Mac OS, no matter it's 32-bit (x86) or 64-bit (x86-64) OS. For these file systems, only used blocks in partition are saved and restored. For unsupported file system, sector-to-sector copy is done by dd in Clonezilla.
# LVM2 (LVM version 1 is not) under GNU/Linux is supported.
# Multicast is supported in Clonezilla SE, which is suitable for massively clone. You can also remotely use it to save or restore a bunch of computers if PXE and Wake-on-LAN are supported in your clients.


Partimage is an opensource disk backup software software for Linux. It saves partitions having a supported filesystem to an image file. Most Linux and Windows filesystems are supported. The image file can be compressed with the gzip / bzip2 programs to save disk space, and they can be splitted into multiple files to be copied on CDs / DVDs, ...


The goals of the Linux-NTFS project are to develop reliable and full feature access to NTFS by the Linux kernel driver and by a user space driver (ntfsmount), and to provide a wide collection of NTFS utilities and a developer's library for other GPLed programs. We have already achieved a lot, with high quality results.

and others ....

madunix
0
 
LVL 47

Expert Comment

by:noxcho
ID: 26286706
I agree with nobus here, removing drive and putting it into USB caddy will not cause any change to the drive.
0
 
LVL 14

Expert Comment

by:TedInAK
ID: 26289585
@nobus:

My comment wasn't directed at any one expert, but towards those who recommended *just* using a boot CD (and not taking the extra step of removing to an external enclosure).  My post was partially motivated by  the person who posted immediately before me...which oddly now has disappeared...name started with an A (I think) and was somewhat long, at least 9-10 characters. At the time of my writing, his/her post appeared after yours, but by the time I finished typing that post was removed.  I merely wanted to point out the riskiness of relying on using a boot CD on a computer that absolutely cannot risk being booted off of.
0
 
LVL 14

Expert Comment

by:TedInAK
ID: 26289669

<sheepish_grin>
  I also forgot (since originally reading this Q when it
  was written) that the Asker was thinking about removing
  the drive to an external enclosure...and somehow missed
  that when skimming over this thread before posting.
</sheepish_grin>

Open in new window

0
 
LVL 92

Expert Comment

by:nobus
ID: 26290924
no problem, i just felt confused (as i posted)
0
 
LVL 57

Expert Comment

by:giltjr
ID: 26292799
Another option would be to go into the BIOS configuration and remove the hard drive of the boot sequence options.  Only allow USB/CDROM/Floppy (yes some of us still use floppies every now and then).
0
 
LVL 1

Expert Comment

by:sudhakaral
ID: 26389048
Hi

I prefer BartPe for this

Steps to follow
1) Install the BartPe (and make a bootable drive)
2) Take the original Drive which has to be cloned and any External HDD
3) After Booting with Bart Pe there is a option called Hard disk to image
4) Select the original Drive which has to be cloned as a source and give the name of the file in the external HDD
5) Use the compress mode which will reduce the size of the data of the original disk
6) As per the security purpose no one can read the data in the .GHO format file unless it is blow on to a HDD and boot the System

Contact for more info

Thanks
Sudhakar A

0
 
LVL 92

Expert Comment

by:nobus
ID: 26391008
it is about time for some feedback,  no?
0
 

Author Comment

by:afflik1923
ID: 26536904
will update soon sorry.
0
 

Author Comment

by:afflik1923
ID: 27603007
OK this was quite  hot topic it seems. I was thinkig of using this device:

http://www.lindy.co.uk/usb-2-esata-docking-cloning-station-for-25-35-sata-hard-drives/42797.html#eDescription

but wondered if anyone had used it or had experiance of this device. Looks like it could be a useful edition to my tool kit.


0
 
LVL 92

Expert Comment

by:nobus
ID: 27604902
looks nice to me
0
 
LVL 47

Assisted Solution

by:noxcho
noxcho earned 400 total points
ID: 27605292
0
 

Author Comment

by:afflik1923
ID: 27606721
Hnmmm, not good tht it stoped working noxcho. How long had you had it? Did you follow it up with Lindy?
0
 
LVL 47

Expert Comment

by:noxcho
ID: 27606975
It worked for 2.5-3 months. Did not worked with their support as I had not time for it. My assumption was that dust collector (how I named it =) ) collected critical mass of dast and then once made a shortage. It looks nice but vertical drive docking is not not practical IMHO.
0
 

Author Comment

by:afflik1923
ID: 27607048
OK I'm still talking hypothetically here but this is likley the case. I receive the laptop without a power supply so I will definetly need to remove the hard drive.

I will place this into a USB / esata caddy (probably USB)

Using another PC I will attach source system external drive that I want to clone and also a new blank hard drive also via USB. I will then use whatever chosen software to copy from the source drive to the destination. Obviously I want to be 100% sure these do not get mixed up and I want as many fail safes as possibl

I just want to be 100% that at no time original hard drive gets written to. This is good enough in this case. As long as the Vista laptop I'm attaching to only looks at and never writes to the source drive I should be fine.

I've been looking at your suggestions and I'm curretnly thinkign either Acronis or Norton.
I already have a copy of Acronis Workstation Echo, but I did have a little trouble with it when I used it about 2 - 3 years ago (support finally resolved but they had to actually make a new build of the software which I had to download - an off putting experiance but at least they did finally refund my premium support payment).

This Acronis product has been superceeded so I would probably need to upgrade to the latest anyway.

So any final suggestions?

0
 
LVL 47

Expert Comment

by:noxcho
ID: 27607366
You have software. Check if it is Vista compatible and if yes follow your steps. Nothing ot add there.
As soon as you complete the cloning exchange the drives and boot from new one.
Practically it causes no problems and works fine.
0
 

Author Comment

by:afflik1923
ID: 27607476
OK noxcho,
So you are saying to stick with my existing Acronis Worksation software, just make sure I've got the latest revision and then do it from that?

Will it be OK that the drive I'm cloning and cloning too are both external?

Do you think it will be fine in that it wont make a single 0 or 1 change to the original hard drive?

I know I'm repeating myself a little,but just want to be sure.

You know I might even have an XP PC I can do this on and then it will definelty work.
0
 
LVL 5

Assisted Solution

by:jdcomp
jdcomp earned 400 total points
ID: 27607643
I do this almost on a daily basis and my software of choise is acronis, currently I use acronis works station 9 with universal restore, can make images from hard drives attach to an external USB caddy without any trouble ( as long as the drive is in good physical conditions).

Have this version of acronis work on XP and vista

What's good with acronis is that after making the image if you need to extract expecific files from the image you are able to do it without affecting the original image back up.

To make my self clear, for exempl. if you need to grab folder A located in side my documents folder you can extract the contents of it in to you PC without changing or affecting the original image and without the need of the original drive.

Good luck
0
 
LVL 5

Expert Comment

by:jdcomp
ID: 27607669
Oh by the way it is no problem that both drives the original and the one you are putting the image to are external.

My suggestion, intean of cloning the drive just create a full backup image of it then that image can be restore and clone in to any other drive
0
 
LVL 47

Expert Comment

by:noxcho
ID: 27607791
Frankly speaking I do not see any reason to get new software and pay unnecessary founds if your current software copy is capable to do this copy. The fact that both HDDs are connected via External USB enclosures does not bring anything to the configuration. They are treated by Windows same way - local HDDs.
Frankly speaking I lost once trust in Acronis True Image and since then use Paragon and Ghost products. But this is my choice.
Clone the HDDs and try to boot. If you have any problem I will help you. And sure the clone operation must not write anything to your original drive.
0
 
LVL 92

Expert Comment

by:nobus
ID: 27607883
i use Acronis for some years now - which is fine for me, never trouble.
0
 

Author Comment

by:afflik1923
ID: 27608243
Many thanks. I'm going to go wiht what I have and also just downloaded the latest build from Acronis from their support website (Dec 2009 build)
Will install onto a Vista laptop and run it from there.

To be clear my version is (I also had universal restore optoin)
Acronis True Image Echo Workstation Build 8398

Does not actually give a version number.
0
 
LVL 5

Expert Comment

by:jdcomp
ID: 27608288
You should be fine using acronis, like I said before I suggest making a full backup instead of direct clonning

If you make a mistake cloning and choose the wrong drive ( regardless what software you use ) it could be irreversible

Good luck
0
 

Author Comment

by:afflik1923
ID: 27616299
ahhh, I seem to get nothing but trouble with Acronis. Out of the three ACronis backups I started yesterday all 3 failed.

OK 1 of them may have been not enoguh space on the destination but I was hoping that the the 90GB backup would compress ino the 75GB image.

As for my own laptop, I downloaded the latest trial of Backup and REcovery Worksation 10 and it faied the backup of my main partiation saying there is probably sector damage to my original hard disk. I will obvioulsy cehck this with a seagate checking tool, but this is the sort of thing I used to get before all the time.

As for the main backup of the main hard rie I'm trying to backup, it got to a point where it reported a write error on a brandnew Seagate hard drive. The drive was unshrink wrapped especially for this job. I did not partiation it or anything first, it was raw unallocted space and I used the disk clone facilty of Acronis and  received the attached error message.

Each time I pressed ignore, it just moved the sector along. Finally I pressed ignore all, and rather then theremaining time decrease, it it by bit keeps increasing by 1 minute.


I think almost every time I have used Acronis it has found sector errors for me and failed. Am I just unlucky or is Acronis just great at picking up hard drive errors???

Boo hoo.

AcronisErrorCapture.JPG
0
 
LVL 47

Expert Comment

by:noxcho
ID: 27616448
Try the same thing with Paragon Drive Backup 10 Professional trial version: www.drive-backup.com
I can read their log data on professional level so can give you some clues if any problem reported. If you select Best Compression level it will give you same comression results as Acronis.
And I did sucessfully migrate my workstation machine to Lenovo R61 laptop two weeks ago. No problem so far.
0
 

Author Comment

by:afflik1923
ID: 27616775
OK heres my current plan.
New drive I've connected to another PC via USB and I'm using Seagate tools to analyse.

At present running a long generic test (it says it cannot run the self tests)

I'm using an exsiting 500GB hard drivewhich I just wiped and is 3.5" and I'm trying the acronis operation again using that drive again. This time it has gone down to a DOS type screen as it said it needed to prepare the hard drive first because it had data on it.

That is progressing.

My own laptop system (I know this is another subject but just throwing it in there) fails Seagate tools
Short Drive Self Test and the Long version but I have no details yet. Somethig in the guide suggests trying this at Dos level if this happens which I will.
0
 
LVL 47

Expert Comment

by:noxcho
ID: 27617225
Looks like you have collected a pack of failing drives there and trying to make them work =)))))
0
 
LVL 5

Expert Comment

by:jdcomp
ID: 27617781
It seems  you have either a bad drive or a bad usb adapter
0
 

Author Comment

by:afflik1923
ID: 27618357
Yes, I seem to be unlucky. This seagate in my Dell XPSM1330 is only about 4 months old when I replaced a Western Digital from the same laptop (originally discovered those isses becasue Acronis would not back it up) but the system was working fine as far as I knew. Ran the WD test and it failed test and neede to be RMA'd.

I can't beleive I might have another one, AND another i bought brand new today also seems to be a semi DOA.

Or is it Acronis breaking all these drives?????? The common factor is Acronis
0
 
LVL 47

Expert Comment

by:noxcho
ID: 27618416
Or your HDD controller could be a problem.
Connect the drive to another machine and try to test it. I have a WD 250GB drive from Acer Aspire laptop brought to me as bad. WD tools reported it failed and strongly recommended to replace. But on my machine it worked and passed all checks =)))) So I have more storage for free.
Seriously if one laptop reports problems on three drives already this is something more than bad luck.
0
 
LVL 5

Expert Comment

by:jdcomp
ID: 27618476
Don't have this issues often with acronis.

I have one drive I use to create images and store them for a period of time, the drive is a 400GB and I use it like I said before constanly, I get more errors from the drive I am trying to image that from the one I am putting the image in to.
Most of the time I am able to ignore the error and later restore the image to another new drive without difficulty.

Do you have another usb caddy you can try???
0
 

Author Comment

by:afflik1923
ID: 27618503
I just bought 5 caddys. Akasa are my prefferd brand (maybe they shoudl not be)
When he WD died from my own laptop, I did test it from another PC and it was defo failed.

anyway, off to another job, will be back to this adventure soon.

Thanks so far.
0
 
LVL 92

Expert Comment

by:nobus
ID: 27618698
it looks impossible - so many failing drives
i suggest :
-test the drive(s) on another working PC with the proper diagnostic tool.
-personally; when i have doubtful drives, ir un HDDRegenerator over them : http://www.dposoft.net/
then i lable them as HDDReg passed !
 
0
 

Author Comment

by:afflik1923
ID: 27622743
OK well clone to my older hard drive seemed to work OK. Note one diffeernce was that it went down to os level to do it as it has to remote partitions from my old hard drive first. then entire operation was completd in a DOS style screen.

Then I tried a clone of the newly created clone, onto the new hard drive which originally Acronis reported a problem with (but passed the long seagate test). This time however I done q cuick format and gave the new drive a partition first so it coudl be seen from Windows. This time Acronis went to the Dos level again and it seemed to work.
I now have two clones. I'm now also creating a normal acronis backup of one of the clones so that I can explore this still without making changes to my original clones and put these files on a smaller device.

So it LOOKS like I'm getting there! I will close this thread soon but I do want to go through to full completion first.

Many thanks
0
 
LVL 92

Expert Comment

by:nobus
ID: 27625215
i suggest you read about HDD regenerator on the site i linked to !
0
 

Author Closing Comment

by:afflik1923
ID: 31675292
Somany comments here I hope I@ve given a good distrubition of points for the answers.

Did endup using Acronis for the origianl clonenad all seemed to go well but as you can see it was a very long winded process to get there and a few digressions on the way.
Many thanks for all the input.
0

Featured Post

Does Your Cloud Backup Use Blockchain Technology?

Blockchain technology has already revolutionized finance thanks to Bitcoin. Now it's disrupting other areas, including the realm of data protection. Learn how blockchain is now being used to authenticate backup files and keep them safe from hackers.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Bare Metal Image backup allows for the restore of an entire system to a similar or dissimilar hardware. They are highly useful for migrations and disaster recovery. Bare Metal Image backups support Full and Incremental backups. Differential backup…
Workplace bullying has increased with the use of email and social media. Retain evidence of this with email archiving to protect your employees.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question