Cloning and Verifying Physical Disks in Linux Ubuntu 12.04

    Whether you need to make a forensic copy of an evidence drive for analysis, or restore a drive to look at the computer in a live manner, at one point or another you are probably going to find yourself needing to clone a drive.  Cloning differs from imaging in that cloning writes the contents of the original drive directly onto a target drive, producing an exact duplicate of the original drive.

    A properly cloned drive is a drive that contains each and every byte of the original media in the same order as it was on the original media.  The target drive is hashed and verified to have the same hash value as the original.  If both drives contain the exact same bit patterns they should hash to the same value if the same hashing algorithm is used.  Properly cloned drives can be verified through the use of the md5 hashing algorithm.     

   In this article we are going to use dd to clone and verify a drive.  We will be doing it using Linux Ubuntu 12.04.  You can use a Live CD of Ubuntu to accomplish this task, but for the purposes of this article I used an examination computer with Ubuntu 12.04 installed on it.

The plan:

   The plan is to conduct the steps that will lead to a properly cloned drive.  We are going to hash drive A and record its results.  We will then clone drive A to drive B, and finally we will hash drive B and compare those results to the results of drive A.  All of the tools that we are going to use are in Ubuntu by default, so there is no need to install any other tools.  

The test:

   For the test I will be cloning a 256MB flash drive to a 2GB flash drive.  The 256MB flash drive will be our original drive and the 2GB will be our target drive.  When cloning drives, the target drive must be of equal or greater size than the original drive.

   I first connected the original drive to a USB port and then the target drive.  I did not write-block either of the drives.  If you do not have a write-blocker handy, you do not have to use one either, just remember to never connect evidence media to a computer without the use of a previously validated write-blocking procedure.          

   Since we are going to be adding data to our target media, we should sterilize it.  Sterilizing a drive is the process of writing a known hex value to every sector of a piece of media so that it can overwrite any and all data that previously resided on that piece of media.  For the purposes of this article, we will be using the program Shred.  Shred is only run from the command line.  Make sure your target media is inserted into the computer and open a Terminal Window.  In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in “terminal”. 

   Once the terminal window is open, type the following into the terminal to determine which device letter Ubuntu assigned to the target media.

sudo fdisk -l

   Fdisk is a partition table manipulator for Linux.  The flag -l tells fdisk to list the partition table.  Sudo gives fdisk superuser privileges for the operations.  Press enter and type your root password (if needed).

    Ubuntu assigned the original drive as /dev/sdb and the target drive as /dev/sdc.  sdc1 is the partition currently stored on the target drive; do not pay much attention to it, we will be wiping it shortly.  Missing from the screenshot is /dev/sda, which is my internal HDD with Ubuntu installed on it.  

   Now that we know the target's drive assignment, type the following into the terminal to wipe/sterilize it.  

sudo shred -v -n 0 -z /dev/sdc

   Shred is the wiping program.  The flag -v shows the progress, and the flag -n N overwrites with random data N times instead of the default 3.  I wrote a 0, because I didn't want to overwrite the drive with random data.  The -z flag adds a final overwrite with zeros to hide shredding.  For the purposes of this test one overwrite with zeros is all that we need.  /dev/sdc is the target media.  Sudo gives shred superuser privileges for the operations.  Press enter and type your root password (if needed).


   To verify that our wiping program wrote zeros to the drive we will use the xxd command with the autoskip option.  The output of the command on a drive that has been written with zeros should be only three lines.  The first line should be the starting offset followed by row of zeros, the second line will be an asterisk (*) to indicate identical lines, and the third line should be the starting offset of the final line, also followed by a row of zeros.  If the drive contains anything other than zeros, the data will be displayed.  Type the following into the terminal to verify that the target drive was properly wiped.

sudo xxd -a /dev/sdc

   Xxd is the command to make a hexdump.  The flag -a is the autoskip option.  /dev/sdc is the target drive.  Sudo gives xxd superuser privileges for the operations.  Press enter and type your root password (if needed).

    The target drive has been properly wiped and verified.

    We are almost ready to clone the original drive to the target drive, but prior to the cloning, we need to compute a hash of the data on the original drive so that we can compare it to the data on the target drive.  This will be a two-step process.  First we will compute an md5 sum of the original drive, and then we need to figure out how many sectors are contained on the original drive.  Type the following into the terminal to compute an md5 sum of the original media.  

sudo md5sum /dev/sdb 

    Depending on the size of your media, the md5sum may take minutes or hours.  It only took two minutes to receive results for my 256MB drive.  These are my results.

    The MD5 of the original media is a968321c8477b95aad20aa9f6480a624.  Take a moment to write it down we will have to refer back to it at a later time.

    Type the following into the terminal to determine how many sectors are in the original media.

sudo hdparm /dev/sdb

    The original media contains 499712 sectors on it.

    It is now time to clone all of the data on the original drive to the target drive.  Type the following into the terminal.

sudo dd if=/dev/sdb of=/dev/sdc 

   Dd is a common Linux program whose primary purpose is the low-level copying and conversion of raw data.  The if= (input file) tells dd which device to read from, and the of= (output file) tells dd which device to write to.  Sudo gives dd superuser privileges for the operations.  This action will copy all the sectors on the original drive to the target drive.  Press enter and type your root password (if needed).

    All of the data was copied successfully.  The final step is to verify that the data on the target drive matches the data from the original drive.  We will accomplish this by conducting an md5 sum of the target drive only on the amount of sectors that were contained on the original drive.   Type the following into the terminal.

sudo dd if=/dev/sdc bs=512 count=499712 | md5sum

     Dd will read from /dev/sdc, which is the target drive.  bs=512 tells dd to read blocks of 512 bytes at a time, and count=499712 tells dd to read only 499712 of those blocks.  The “|” is known as a pipe.  A pipe is a technique in Linux for passing the output of one program to the input of another.  In essence, we are telling dd to only look at a specific area of the target drive and send those bytes to md5sum, which will hash only that area.  Sudo gives dd superuser privileges for the operations.  Press enter and type your root password (if needed).

    These are the results.  Notice that the md5 (a968321c8477b95aad20aa9f6480a624) matches.  
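The whole procedure (sector count, hash of the original, dd clone, hash of only the first N sectors of the target, comparison) can be wrapped in a few shell functions so the two hashes are compared by the script rather than by eye. This is an added example, not code from the original article; it assumes GNU coreutils (dd, md5sum, stat) and util-linux (blockdev), must be run as root against real devices, and for offline testing also accepts ordinary image files in place of /dev/sdb and /dev/sdc.

```shell
#!/bin/sh
# Added example: the article's clone-and-verify steps as shell functions.
# Arguments may be block devices (/dev/sdb) or, for testing, image files.

# Number of 512-byte sectors (the "sectors" value hdparm reports).
sector_count() {
    if [ -b "$1" ]; then
        blockdev --getsz "$1"                    # block device: ask the kernel
    else
        echo $(( $(stat -c %s "$1") / 512 ))     # image file: size / 512
    fi
}

# MD5 of the entire original (md5sum /dev/sdb in the article).
hash_whole() {
    md5sum "$1" | cut -d' ' -f1
}

# MD5 of only the first N sectors of the target, i.e.
# "dd if=/dev/sdc bs=512 count=N | md5sum".
hash_first_sectors() {
    dd if="$1" bs=512 count="$2" 2>/dev/null | md5sum | cut -d' ' -f1
}

# Compare the original's hash with the hash of the same number of
# sectors on the target. Prints both and returns 0 only if they match.
verify_clone() {
    n=$(sector_count "$1")
    before=$(hash_whole "$1")
    after=$(hash_first_sectors "$2" "$n")
    echo "original ($n sectors): $before"
    echo "target   ($n sectors): $after"
    [ "$before" = "$after" ]
}

# Clone src to dst with dd, then verify. Refuses a block-device target
# that is smaller than the original (the article's size requirement).
clone_and_verify() {
    src=$1; dst=$2
    if [ -b "$dst" ] && [ "$(sector_count "$dst")" -lt "$(sector_count "$src")" ]; then
        echo "target is smaller than the original" >&2; return 2
    fi
    dd if="$src" of="$dst" 2>/dev/null || return 3
    sync
    verify_clone "$src" "$dst"
}
```

A non-zero exit status from `verify_clone` means the hashes differ and the clone must not be relied on.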

Conclusion:  

    We have successfully cloned the original drive to the target drive and verified it.  Dd is a powerful and free tool that can help you clone drives when you need to.  

    If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you.  Please post your comments or email the author of this article at carlos@epyxforensics.com     

Comments

Nice work Carlos! Most of the time I'm just concerned about getting the old disk image blown onto a new drive. I run a "verify" afterwards on the new disk, but there's usually only a screen that says the "verify" was good/successful. Here you've presented a method to verify that not only did the clone work as expected, but you have the MD5 evidence to prove it.
