What do you do when you have bad sectors in a disk image?
625 views
Skip to first unread message
Creighton Barrett
Mar 20, 2017, 12:11:07 PM3/20/17
to digital-...@googlegroups.com
Hi everyone,
What steps do you take if your imaging software reports that there are bad sectors in a disk image?This is the first time we've encountered bad sectors and I thought perhaps I had a bad connection to the forensic bridge, so I changed cables and tried again. This time, the validation report showed several hundred bad sectors. So then I switched back to the original cable and tried a third time, also propping the hard drive in a different manner. This attempt produced fewer bad sectors than the first attempt. But in each attempt, I am seeing *different* bad sectors. There is a little bit of overlap, but the fact that I am getting different results in each attempt suggests that there may be issues with the cables, the adapters, or the equipment operator.... ;)
How do you handle these situations? How many attempts would you run? I realize bad sectors can be fairly common and, in this particular case, represents a tiny amount of data. But we are writing documentation and I'd like to set up some basic instructions for our staff if they encounter bad sectors in an image.
Thanks, as always!
Creighton
Peter B.
Mar 20, 2017, 3:39:51 PM3/20/17
to Digital Curation
Dear Creighton,
I've never used FTK Imager before.
If I encounter bad sectors, I usually continue and finish the dd-extraction and then try a 2nd run.
Exactly like you did, with different cables/controller/etc - to make sure it's the disk's fault.
If the bad sectors are identical:
I just keep the list of badblocks for documentation and continue whatever forensics work I was planning.
If the bad sectors are changing (like in your case):
First of all, I'd try the whole process on a completely different computer. Just to make sure it's not the reading PC that's at fault.
Every PC I'm using for this, I run memtest86 at least once before. To make sure that data pipeline is working correctly.
If the badblocks keep "moving", I'd suggest taking at least 3 images.
Now, depending on if you want to do attempt recovery, you either choose the image with the least bad blocks.
And of course keep the badblocks-list as documentation with the chosen image.
OR:
Using a binary-diff tool (e.g. vbindiff. Works with large files) in combination with the badblocks-list for each image and then try to do cherry-pick the block from an image where its not marked as badblock.
Never done this before on a disk (just files) though...
Just my 2 cents :)
Creighton Barrett
Mar 21, 2017, 11:01:46 AM3/21/17
to digital-...@googlegroups.com
Dear Peter,
Thanks for these suggestions! So many tools out there... Using a tool like vbindiff to cherry-pick sectors is really intriguing (in the case, the bad sectors are "moving"), but it's beyond the scope of what we can reasonably do given the bad sectors represent a tiny amount of data. I was wondering, though, if something like that was even possible! We will, however, try another attempt using different imaging software like Guymager or
the Tableau software that came with our forensic bridge. Thanks for the tip about memtest86. Everything else has been working fine on this machine, so I doubt that the computer is at fault, but it's a nice tool to know about.--
You received this message because you are subscribed to the Google Groups "Digital Curation" group.
To unsubscribe from this group and stop receiving emails from it, send an email to digital-curation+unsubscribe@googlegroups.com.
To post to this group, send email to digital-curation@googlegroups.com.
Visit this group at https://groups.google.com/group/digital-curation.
For more options, visit https://groups.google.com/d/optout.
Reply all
Reply to author
Forward
0 new messages