Thursday, January 31, 2013

Backtrack Forensics: safecopy

Menu: Forensics -> Forensic Carving Tools
Directory: /usr/local/bin/safecopy
Official Website: http://safecopy.sourceforge.net/
License: GNU GPL v2

safecopy is a data recovery tool which tries to extract as much data as possible from a seekable but problematic (i.e., damaged sectors) source like floppy drives, hard disk partitions, CDs, etc., where other tools like dd would fail due to I/O errors. It can do multiple runs on a bad disk: the first run tries to extract the easily accessible, error-free data and makes note of the bad sectors. On the next run, it retries the bad sectors multiple times, with better resolution. This is what their default example shows as well:

Safecopy 1.6 by CorvusCorax
Usage: safecopy [options] source target
Options:
    --stage1 : Preset to rescue most of the data fast,
               using no retries and avoiding bad areas.
               Presets: -f 10% -r 10% -R 1 -Z 0 -L 2 -M BaDbLoCk
                        -o stage1.badblocks
    --stage2 : Preset to rescue more data, using no retries
               but searching for exact ends of bad areas.
               Presets: -f 128* -r 1* -R 1 -Z 0 -L 2
                        -I stage1.badblocks
                        -o stage2.badblocks
    --stage3 : Preset to rescue everything that can be rescued
               using maximum retries, head realignment tricks
               and low level access.
               Presets: -f 1* -r 1* -R 4 -Z 1 -L 2
                        -I stage2.badblocks
                        -o stage3.badblocks
All stage presets can be overridden by individual options.

There are many more options: we can set the number of retries (-R), write a bad block file as output (-o), and use it later as input (-I). We can also mark the bad areas with a special string (-M) instead of zeros, so we can find those locations more easily later.
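To locate marked areas in a finished image, the added example below (not part of safecopy or of the original post) scans for runs of the stage1 marker string and reports them as byte and sector ranges, so an examiner can document which parts of the image are filler rather than recovered data. It assumes the marker is written as back-to-back copies over each unreadable area and that sectors are 512 bytes; the function names and the sample image are constructed for illustration.

```python
import mmap
import sys

MARKER = b"BaDbLoCk"   # marker string from the --stage1 preset quoted above
SECTOR = 512           # assumed sector size; use 2048 for CD images

def find_marked_ranges(data, marker=MARKER, min_repeats=8):
    """Return (start, end) byte offsets, end exclusive, of every run of at
    least min_repeats back-to-back copies of marker in data."""
    ranges, step = [], len(marker)
    pos = data.find(marker)
    while pos != -1:
        end = pos + step
        while data[end:end + step] == marker:
            end += step
        # A lone hit can be ordinary file content, so require a real run.
        if (end - pos) // step >= min_repeats:
            ranges.append((pos, end))
        pos = data.find(marker, end)
    return ranges

def to_sectors(ranges, sector=SECTOR):
    """Map byte ranges to inclusive (first, last) sector numbers."""
    return [(start // sector, (end - 1) // sector) for start, end in ranges]

# Constructed sample image: 2 good sectors, 1 marked sector, 1 good sector
# that happens to contain the string once, then 2 marked sectors.
SAMPLE = (bytes(1024) + MARKER * 64 + b"A" * 256 + MARKER + b"A" * 248
          + MARKER * 128)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Map the image read-only so large files are not loaded into memory.
        with open(sys.argv[1], "rb") as f, \
                mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as image:
            found = find_marked_ranges(image)
    else:
        found = find_marked_ranges(SAMPLE)
    for (start, end), (first, last) in zip(found, to_sectors(found)):
        print(f"bytes {start}-{end - 1}  sectors {first}-{last}  "
              f"({end - start} bytes of filler)")
```

Run it with an image path as the only argument, or with no argument to scan the constructed sample.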

As I don't have any damaged media, I just did a simple run:
safecopy /dev/sdc sdc1.img

