Forensics -> Forensic Imaging Tools
/pentest/forensics/ddrescue/dd_rescue
/sbin/ddrescue
Both tools copy one file or block device (HDD, pendrive, etc.) to another while trying to recover data. Both can do essentially the same job, but the syntax differs a bit.
dd_rescue switches to a smaller block size (down to 512 bytes) when it finds errors on the specified media, and then skips the error sectors. This way it restores as much as it can. By default it does not abort the operation when it finds an error. An interesting feature is that it can read the media backwards.
dd_rescue examples
dd_rescue infile outfile
dd_rescue /dev/sdb hdd.dd - basic copy
dd_rescue -l logfile.txt /dev/sdb hdd.dd - specifying a logfile as well
dd_rescue -e 3 -l logfile.txt /dev/sdb hdd.dd - stop after 3 errors
dd_rescue -r -e 3 -l logfile.txt /dev/sdb hdd.dd - copy the image in reverse
ddrescue can basically do the same, but I haven't found a reverse read option. If it is stopped for some reason, it can restart the copy from the last block, based on the logfile. At the end we can see "+/-" signs next to the blocks: + means the block was good, - means it contained errors.
ddrescue examples:
ddrescue [options] infile outfile [logfile]
ddrescue /dev/sdb hdd.dd - basic copy
ddrescue /dev/sdb hdd.dd log.txt - write a log
ddrescue -e 3 /dev/sdb hdd.dd log.txt - stop after 3 errors
ddrescue -v -e 3 /dev/sdb hdd.dd log.txt - verbose mode
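To document which parts of an image are unreliable, the "+/-" blocks in the ddrescue logfile can be totalled with a short script. This is an added example, not part of the original post; it assumes the GNU ddrescue logfile layout (one current-position line followed by "pos size status" lines), and the sample log is constructed.

```python
from collections import Counter

# Constructed sample in the GNU ddrescue logfile layout; not from a real run.
SAMPLE_LOG = """\
# Rescue Logfile. Created by GNU ddrescue
# current_pos  current_status
0x00120000     +
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00000200  -
0x00100200  0x0001FE00  +
0x00120000  0x00000400  -
0x00120400  0x000DFC00  +
"""

def parse_blocks(text):
    """Return [(pos, size, status)] for every block line in the logfile."""
    rows = [line.split("#", 1)[0].split() for line in text.splitlines()]
    rows = [r for r in rows if r]          # drop comments and blank lines
    blocks, expected = [], None
    for fields in rows[1:]:                # rows[0] is the current position line
        if len(fields) != 3:
            raise ValueError(f"malformed block line: {fields}")
        pos, size, status = int(fields[0], 0), int(fields[1], 0), fields[2]
        # Blocks must be contiguous; a gap suggests a truncated or edited log.
        if expected is not None and pos != expected:
            raise ValueError(f"gap or overlap at {pos:#x}, expected {expected:#x}")
        blocks.append((pos, size, status))
        expected = pos + size
    return blocks

def summarize(blocks):
    """Total bytes per status and list the (offset, length) of each bad area."""
    totals = Counter()
    for _, size, status in blocks:
        totals[status] += size
    good, bad = totals["+"], totals["-"]
    return {
        "good": good,
        "bad": bad,
        "other": sum(totals.values()) - good - bad,  # areas not yet finished
        "bad_ranges": [(p, s) for p, s, st in blocks if st == "-"],
    }

if __name__ == "__main__":
    report = summarize(parse_blocks(SAMPLE_LOG))
    print(f"good={report['good']} bytes, bad={report['bad']} bytes")
    for pos, size in report["bad_ranges"]:
        print(f"unreadable: offset {pos:#x}, length {size} bytes")
```

The bad ranges are byte offsets into the image, so they can be recorded in the case notes next to the image hash.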
Official Websites: