Forwarded from 0% Privacy
|It's raw and crumpled, but we'll pull it out|
🕵️♂️This short post is dedicated to open source tools for bit-for-bit copying of data (one or more files) from a disk or volume using various low-level methods (colloquially, "RawCopy").
⚙️RawCopy is a popular tool for copying files from NTFS volumes (reads are done through a low-level method). I advise you to use it carefully, since problems in its logic for extracting data from the media have been known for a long time.
⚙️RawDiskCopier is a tool for copying data from one hard drive to another (as originally intended; solid-state drives also work if desired). It sometimes copes reasonably well with faulty hard drives (bad sectors); the time spent copying grows with the number of such sectors, because of sector-by-sector re-reading and the error-handling logic built into the drive's design.
⚙️ntfsDump copies files from an NTFS volume by reading the raw volume (a handle is opened to read the entire volume) and parsing the NTFS structures. Obviously, it has to be run as administrator to work correctly (this is what gets around DACLs, locked read handles, SACLs, etc.).
⚙️rawccopy is essentially RawCopy ported to C, with some bugs fixed. But after reading it, I realized that the difference is big: the extraction logic itself has been redesigned (relative to RawCopy), and command-line processing is more "correct". A simple example: compare how RawCopy and rawccopy handle indexes. In the former there is a limit on the number of digits in the harddisk/volume/partition index in the /FileNamePath: parameter, i.e. although the specification allows /FileNamePath:HarddiskVolume666, in RawCopy this will not work, while rawccopy has no problem with it. And, as many may have encountered, RawCopy has very mediocre support for compressed files; this has been solved in rawccopy, and the result is much more obvious and expected, even though the interaction interface has not been changed, only inconsistencies with the Windows specification have been corrected in some places.
#DFIR #forensics #RawCopy #diskReading #NTFS
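The first two steps every raw NTFS reader of the ntfsDump/RawCopy kind performs are parsing the volume boot sector to locate $MFT and undoing the update-sequence fixups in each FILE record before trusting its contents. The example below is added here and is not code from any of the tools above; the boot sector and FILE record bytes are constructed samples, not taken from a real disk.

```python
import struct

NTFS_OEM_ID = b"NTFS    "

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Extract the geometry a raw-volume reader needs from the first 512 bytes of an NTFS volume."""
    if len(sector) < 512 or sector[3:11] != NTFS_OEM_ID or sector[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, = struct.unpack_from("<H", sector, 0x0B)
    sectors_per_cluster = sector[0x0D]
    cluster_size = bytes_per_sector * sectors_per_cluster
    mft_lcn, = struct.unpack_from("<Q", sector, 0x30)      # logical cluster number of $MFT
    rec, = struct.unpack_from("<b", sector, 0x40)          # signed: negative means 2**-rec bytes per record
    mft_record_size = 2 ** -rec if rec < 0 else rec * cluster_size
    return {"bytes_per_sector": bytes_per_sector, "cluster_size": cluster_size,
            "mft_offset": mft_lcn * cluster_size, "mft_record_size": mft_record_size}

def apply_fixups(record: bytes, bytes_per_sector: int = 512) -> bytes:
    """Restore the last 2 bytes of every sector of a FILE record from its update sequence array."""
    if record[0:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]                # update sequence number written into each sector end
    fixed = bytearray(record)
    for i in range(usa_count - 1):
        end = (i + 1) * bytes_per_sector
        if fixed[end - 2:end] != usn:                      # torn write: this sector never got the new USN
            raise ValueError(f"USN mismatch in sector {i}")
        fixed[end - 2:end] = record[usa_offset + 2 + 2 * i:usa_offset + 4 + 2 * i]
    return bytes(fixed)

def build_sample_volume_header() -> bytes:
    """Constructed 512-byte NTFS boot sector (not from a real disk): 4 KiB clusters, $MFT at LCN 786432."""
    bs = bytearray(512)
    bs[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", bs, 0x0B, 512, 8)              # bytes per sector, sectors per cluster
    struct.pack_into("<Q", bs, 0x30, 786432)
    bs[0x40] = 0xF6                                        # -10 -> 1024-byte MFT records
    bs[510:512] = b"\x55\xAA"
    return bytes(bs)

def build_sample_file_record() -> bytes:
    """Constructed 1024-byte FILE record: USN 0x0001, saved sector-end words AAAA and BBBB."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)               # USA at 0x30 holding USN + 2 entries
    rec[0x30:0x36] = b"\x01\x00\xAA\xAA\xBB\xBB"
    rec[510:512] = rec[1022:1024] = b"\x01\x00"            # on disk, each sector ends with the USN
    return bytes(rec)
```

The `mft_offset` computed here is only where the first $MFT record lives; the rest of $MFT can be fragmented, so a real reader must follow the $DATA run list of record 0 rather than assume contiguity, and that run-list and compression handling is exactly where the extraction bugs mentioned above tend to hide.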