NtImage




Author: Dan Mares, info@dmares.com
Portions Copyright © 1998-2021 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275(fax)

One liner: Command line: Forensic image of physical drive. Create dd type image file(s).



Purpose

The program is designed for those who need to make one or more forensic copies of suspect disks while running the NT or XP operating system.

Note: Whenever the word copy is used, it is intended to be interchangeable with the word image (unless otherwise stated).

It can be used to do any of the following:



Operation

The program runs in a CMD prompt (DOS box) and takes its options from the command line. Depending upon the options selected, the program performs one of the operations described below.

In its default mode, the program will create or restore a hard drive image.

The program normally reads the drive information that NT makes available (see the Special NOTE immediately below), determines the size of the source drive from it, and creates an output image file accordingly.

Under the wipe option, the user specifies how many passes to make and what byte value the last pass writes. The default is 1 pass of random characters.

As a separate process, the program can also calculate hash values of the entire drive, or of selected sector ranges. (When running under a Windows OS, a write blocker may be called for to protect the source drive from inadvertent writes by Windows.)


Special NOTE: The disk size that NT reports to the program is often smaller than the actual drive size. This is because NT only recognizes the part of the drive that is made up of fully "populated" cylinders, on a theoretical translated geometry of 255 heads by 63 sectors per track. For this reason the size, and thus the total sector count, that NT reports (under any of the options) is only what the NT OS wants the user to see. The program nevertheless captures all the sectors, even though NT reports a smaller number. The amount by which NT can under-report is at most 1 sector less than a full cylinder, which is (254 heads * 63 sectors) + 62 sectors == 16064 sectors.

Example calculation: let's say the drive really has 20,015,856 sectors. If we take a full cylinder to be 63 sectors by 255 heads, then a cylinder contains 16,065 sectors. Divide 20,015,856 by 16,065 and you get 1245 full cylinders with 14,931 sectors left over. NTIMAGE will show that NT reports a total of (1245 cylinders * 16065 sectors = ) 20,000,925 sectors, which leaves (20,015,856 - 20,000,925 = ) 14,931 "extra" sectors. The 14,931 sectors are not enough (16,065) to make another full cylinder, so the OS disregards them when reporting the geometry to the program. NTIMAGE, however, will find all the sectors when run and report the proper total in its accounting or logging information.


When imaging to an output file, the name given for the output file should be a filename (with path if necessary) without an extension. The program creates its own sequential numeric extension, and any extension supplied is ignored. The extensions begin at 000 and run through the digits and then the alphabet: 000 through 009, then 00A through 00Z, and so on.

If any of the hashes are requested (any one, several, all or none may be requested), the hash values are calculated as the program reads the data from the source drive. At the end of the run the value is written to the screen, or to the log file if the -L option is used. (Note: in random tests, adding the 128 bit MD5 hash may double the imaging time.)

If the split option (-s) is used, the output is split into files no larger than the size requested by the user. The split option takes a numeric modifier that tells the program how big to make the pieces. Split sizes are rounded to 512 byte sector boundaries. See the split option below for more information on these values.

There is a special split modifier, -s CD, which tells the program to split the output files into sizes that fit on a CD-ROM. The output files are nominally split at about 630 Meg.
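The following is an added worked example (not NtImage's own code) that puts the three pieces of accounting above into one script: the NT whole-cylinder truncation from the Special NOTE, the 000/001/.../00Z segment extensions, and the -s split-size rounding together with the "total bytes / 512" sector count that the -E option performs. Assumptions, not stated by the page: the extension after 00Z is 010 (three base-36 places), -s CD is taken as 630 * 1024 * 1024 bytes, and split sizes round UP to the next 512 byte boundary.

```python
"""Segment naming, split sizing and sector accounting for dd-style image sets.

Added example, not NtImage's own code.  Labelled assumptions: after 00Z the
next extension is 010 (three base-36 places), -s CD means 630 * 1024 * 1024
bytes, and split sizes are rounded UP to the next 512-byte boundary.
"""
import string

EXT_ALPHABET = string.digits + string.ascii_uppercase   # 0-9 then A-Z, as the page describes
SECTOR = 512
CYLINDER_SECTORS = 255 * 63                              # 16065 sectors per translated cylinder


def segment_extension(index):
    """3-character extension for segment `index`: 000, 001, ... 009, 00A, ... 00Z, 010 (assumed), ..."""
    if not 0 <= index < len(EXT_ALPHABET) ** 3:
        raise ValueError("segment index out of range")
    chars = []
    for _ in range(3):
        index, r = divmod(index, len(EXT_ALPHABET))
        chars.append(EXT_ALPHABET[r])
    return "".join(reversed(chars))


def nt_reported_sectors(actual_sectors, cylinder_sectors=CYLINDER_SECTORS):
    """(sectors NT reports, sectors it hides): NT counts whole cylinders only."""
    full, extra = divmod(actual_sectors, cylinder_sectors)
    return full * cylinder_sectors, extra


def parse_split_size(spec):
    """Turn the -s modifier (XXX, XXXk, XXXK, XXXm, XXXM or CD) into bytes, a multiple of 512."""
    spec = spec.strip()
    if spec.upper() == "CD":
        raw = 630 * 1024 * 1024          # assumption: "about 630 Meg" read as MiB
    else:
        multipliers = {"k": 1000, "K": 1024, "m": 1000 ** 2, "M": 1024 ** 2}
        factor = 1
        if spec and spec[-1] in multipliers:
            factor = multipliers[spec[-1]]
            spec = spec[:-1]
        if not spec.isdigit():
            raise ValueError("split size must be digits with an optional k/K/m/M")
        raw = int(spec) * factor
    return -(-raw // SECTOR) * SECTOR    # ceiling to the next 512-byte boundary


def plan_segments(total_sectors, split_bytes):
    """(extension, size_in_bytes) for every segment of an image of total_sectors at this split."""
    remaining = total_sectors * SECTOR
    segments = []
    while remaining > 0:
        size = min(split_bytes, remaining)
        segments.append((segment_extension(len(segments)), size))
        remaining -= size
    return segments


def image_sector_count(segment_sizes):
    """What -E computes: total bytes of the set / 512, rejecting a set that is not whole sectors."""
    total = sum(segment_sizes)
    if total % SECTOR:
        raise ValueError("image set size %d is not a multiple of 512" % total)
    return total // SECTOR


if __name__ == "__main__":
    reported, extra = nt_reported_sectors(20_015_856)          # the page's worked example
    print("NT reports %d sectors, %d hidden past the last full cylinder" % (reported, extra))
    plan = plan_segments(20_015_856, parse_split_size("650M"))
    print("%d segments, first %s, last %s (%d bytes)" % (len(plan), plan[0][0], plan[-1][0], plan[-1][1]))
    print("sectors in set:", image_sector_count([size for _, size in plan]))
```

Plan against the true sector count, not the count NT reports; the two differ by up to 16064 sectors, and a restored drive hashed with -E will otherwise be compared over the wrong range.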

When doing a physical disk to disk copy, or restoring an image to a physical disk, the user must make certain the destination disk is large enough. Currently the program makes no check of the destination drive size.


READ ERRORS

When performing the imaging operation, any read errors are reported in the logfile (if one is chosen). The section of the output file corresponding to the unreadable sector (the entire 512 bytes) is replaced by the word BAD followed by two numbers of the form
BAD 000000001069-000000547328...
The entire sequence is 32 bytes wide. The first number is the logical sector (counting from 0) that produced the read error, and the second is the byte offset (from 0) into the image at which that sector sits. The second number is therefore always the first multiplied by 512 (547328 == 1069 * 512 in the example above), so it is divisible by 512 and, except for sector 0, larger than the first.
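An added example (not NtImage's own code) of scanning an image for these placeholders, so an examiner can list which sectors of the evidence were never read rather than mistaking the ASCII "BAD ..." text for data. The 32-byte layout follows the page: "BAD ", a 12-digit sector number, "-", a 12-digit byte offset and "...". The page does not say what fills the remaining 480 bytes; the sample image constructed here assumes zero fill, and the scan keys only on the 32-byte prefix.

```python
"""Locate the BAD placeholder sectors that stand in for unreadable source sectors.

Added example, not NtImage's own code.  Marker layout per the page:
"BAD " + 12-digit sector + "-" + 12-digit byte offset + "..." = 32 bytes.
Assumption: the rest of the 512-byte placeholder is zero-filled.
"""
import re

SECTOR = 512
BAD_RE = re.compile(rb"^BAD (\d{12})-(\d{12})\.\.\.")


def bad_marker(sector):
    """Build the 32-byte marker for `sector` exactly as the page documents it."""
    return b"BAD %012d-%012d..." % (sector, sector * SECTOR)


def find_bad_sectors(image):
    """Return [(sector, byte_offset, consistent), ...] for every placeholder sector in `image`.

    `consistent` is False when the two numbers disagree with each other or with the
    position where the marker actually sits, which points at a corrupted or edited image.
    """
    if len(image) % SECTOR:
        raise ValueError("image length is not a multiple of 512")
    hits = []
    for pos in range(0, len(image), SECTOR):
        m = BAD_RE.match(image[pos:pos + 32])
        if not m:
            continue
        sector, offset = int(m.group(1)), int(m.group(2))
        consistent = offset == sector * SECTOR == pos
        hits.append((sector, offset, consistent))
    return hits


def build_sample_image(total_sectors, bad):
    """Constructed test image: each sector filled with its own low byte, BAD placeholders at `bad`."""
    out = bytearray()
    for s in range(total_sectors):
        if s in bad:
            out += bad_marker(s).ljust(SECTOR, b"\0")     # assumption: zero fill after the marker
        else:
            out += bytes([s & 0xFF]) * SECTOR
    return bytes(out)


if __name__ == "__main__":
    img = build_sample_image(1200, {7, 1069})
    for sector, offset, ok in find_bad_sectors(img):
        print("sector %d at offset %d: %s" % (sector, offset, "ok" if ok else "MISMATCH"))
```

Because the offset is redundant with the sector number, the consistency check costs nothing and catches a placeholder that has been moved or a marker that was spliced into the wrong position.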


WRITE ERRORS

Write errors are not currently reported for the imaging operation; it is the user's responsibility to determine that the destination drive is functioning properly.

For the wiping operation, write errors are reported to the screen. The user should be aware that if a whole cylinder is bad, that can be upwards of 16,000 bad sectors, each of which produces its own message.


SYSTEM LOCKS UP

If the user aborts the process, whether the image restore or the wipe, the system may lock up and not allow access to the destination drive. This is most likely because the OS has "LOCKED" the drive and does not unlock it. The situation is usually fixed by a reboot.



Command Lines

C:>ntimage -G
(show geometry of ALL the drives NT can see.)

C:>ntimage -G 0
(show geometry of physical drive 0. Drive number can be between 0 and 9.)

C:>ntimage -i a: -o c:output_file
(image the A: drive to a file called output_file. The extension will be .000.)

C:>ntimage -i 1 -o d:c:output_file
(image physical drive 1 (the second drive; it is assumed the first drive is always the user's forensic drive C:) to the file "output_file".)

C:>ntimage -i 1 -o 2
(disk copy from physical 1 to physical 2)

C:>ntimage -i 1 -o d:c:output_file -c
(compress the output image file)

C:>ntimage -i 1 -o d:c:output_file -C
(calculate the 32 bit CCITT Checksum of the source drive)

C:>ntimage -i 1 -o d:c:output_file -h
(calculate the 128 bit MD5 of the source drive)

C:>ntimage -i 1 -160
(calculate the 160 bit SHA1 only, NO output file)

C:>ntimage -i 1 -o d:c:output_file -V
(show some debugging information.)

C:>ntimage -i image_file_name.000 -o 2
(restore the image_file_name.000 file to the 3rd hard drive.)

C:>ntimage -o 2
(wipe the 3rd physical drive with a single pass of randoms.)

C:>ntimage -o 2 -r 0
(wipe the 3rd physical drive with a single pass of hex 0's.)

C:>ntimage -o 2 -r 0 -w 3
(wipe the 3rd physical drive with 3 passes. The last pass being hex 0's.)

C:>ntimage -i 1 -o 2 -h
(clone drive 1 to drive 2 and perform a 128 bit MD5 hash.)

C:>ntimage -i 1 -o 2 -h -L logfile
(clone drive 1 to drive 2, perform a 128 bit MD5 hash, and create a logfile called logfile.)

C:>ntimage -i 1 -o 2 -h -L logfile -F
(clone drive 1 to drive 2, perform a 128 bit MD5 hash, and create a logfile called logfile, with backfill of 0's.)

C:>ntimage -i 1 -h -L logfile -b 63 -e 64
(drive 1 (2nd drive) perform hash on sector 63 (from 0) for 1 sector.)

C:>ntimage -i 1 -h -L logfile -b 1000 -e 2000
(hash drive 1 from sector 1000 to 2000. Ending sector is not included in hash, so a total of 1000 sectors will be processed.)

C:>ntimage -i 1 -h -L logfile -E imagefile.*
(hash RESTORED drive 1. The imagefile.* files are used to calculate the total number of sectors in the image set, and that many sectors of the restored drive are then hashed. This operation hashes only as many sectors as were in the image files.)



Options

-?   Get a help screen.

-i + drive    The input drive. Use A: if the input is the floppy drive. If the input is a physical disk, give the physical drive number, counting from 0.

-i + image_file_name.000     Restore the drive from this image file set. The .000 extension must be given; the program finds all subsequent files in the sequence.

-o + dr:output_filename    Output filename is the complete drive and filename (without extension) you want the output to be placed into. The output extensions are sequenced from 000.

-o + drive_number    If output is to be a physical drive (either disk to disk, or restored from image file) the output drive number should be the physical drive number starting at 0.

-AUX=drive_number   A special output option allowed only when also writing an image file (the -d outputfilename option). -AUX=x creates the image file and simultaneously does a disk to disk copy, where x is the physical drive number (counting from 0) to copy the source drive to. (-AUX=5 makes a copy of the input -i 0 on the 6th physical hard drive.)

(NOTE: the -b, -e and -E options are available only for the hashing-only process, meaning there is a -i option and no -o option.)

-b + sector_#   Begin the hashing at this sector number. Sector numbers count from 0. The beginning sector IS processed.

-e + sector_#   End the hashing at this sector number. Sector numbers count from 0, and the ending sector IS NOT included. -b 10 -e 11 processes only 1 sector; -b 10000 -e 15000 processes 5000 sectors, from 10,000 through 14,999.

-E + imagefile.*    Use this filename (wildcards are accepted) to total the size of the image files making up a set. The total is divided by 512 to determine the exact number of sectors in the image, and that number is then used as the ending sector for the hashing. This option is a shortcut for determining how many sectors to hash on a restored drive, and is only useful with the hashing options.


-c    Compress the output file(s). It currently uses a modified zip format, which means it is not currently compatible with FTK, SMART or EnCase. Eventually the compression will be SMART and FTK compatible.

-l + logfilename    The name of a log file in which to place some accounting information and the final hash values. The logfile is never overwritten; it is always appended to. The environment variable LOGFILE=[...\fullpath...\]filename may be set; if it is, the program uses that filename as the logfile. (A -l or -L logfilename on the command line overrides the environment setting.)

-L + logfilename    Same as the -l option, with the additional functionality that a second logfile is generated. It has the same name as the logfilename provided but with a .HSH extension, and contains MD5 hash checkpoints of the drive: after every full cylinder, the hash of that cylinder is written to this file. The format is pipe delimited:
Starting Sector|Ending Sector|MD5 HASH Value
000000000000000|0000000016065|ABCDEF1234567890ABCDEF1234567890
The sector counts are from 0 and the ending sector is not included in the hash, so this entry starts at sector 0 and ends at sector 16064 (inclusive), comprising a full cylinder of 255 * 63 = 16065 sectors.
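An added example (not NtImage's own code) covering both the -b/-e range semantics above (begin included, end excluded) and the .HSH checkpoint file: it hashes a half-open sector range, writes per-cylinder checkpoint lines in the pipe-delimited format shown, and re-verifies a drive against them so a single damaged cylinder can be pinpointed instead of only learning that the whole-drive MD5 no longer matches. Assumptions, not stated by the page: the two sector fields are parsed as plain integers whatever their zero padding (the page's sample line pads them to different widths), and the writer here pads both to 15 digits; the sample drive is constructed data.

```python
"""Half-open sector ranges (-b/-e) and per-cylinder MD5 checkpoints (-L .HSH file).

Added example, not NtImage's own code.  Line format per the page: start|end|MD5,
sectors counted from 0, end NOT included.  Assumptions: fields are parsed as
integers regardless of zero padding, and the writer pads both to 15 digits.
"""
import hashlib

SECTOR = 512
CYLINDER_SECTORS = 255 * 63      # 16065, the checkpoint interval the page describes


def hash_sectors(data, begin, end, algo="md5"):
    """Hash sectors [begin, end) of `data`: begin is included, end is excluded, as with -b/-e."""
    if not 0 <= begin < end <= len(data) // SECTOR:
        raise ValueError("sector range out of bounds")
    return hashlib.new(algo, data[begin * SECTOR:end * SECTOR]).hexdigest()


def checkpoint_lines(data, interval=CYLINDER_SECTORS):
    """Produce .HSH-style lines, one per full interval; a trailing partial cylinder gets none."""
    total = len(data) // SECTOR
    lines = []
    for start in range(0, total - total % interval, interval):
        end = start + interval
        lines.append("%015d|%015d|%s" % (start, end, hash_sectors(data, start, end).upper()))
    return lines


def verify_checkpoints(data, lines):
    """Return the (start, end) ranges whose MD5 no longer matches the checkpoint file."""
    failures = []
    for line in lines:
        line = line.strip()
        if not line or line.lower().startswith("starting"):   # blank or header line
            continue
        start_s, end_s, digest = line.split("|")
        start, end = int(start_s), int(end_s)
        if hash_sectors(data, start, end).lower() != digest.lower():
            failures.append((start, end))
    return failures


def build_sample_drive(sectors):
    """Constructed drive image: the sector number stamped at the front of every sector."""
    return b"".join((b"%08d" % s).ljust(SECTOR, b"\xAA") for s in range(sectors))


if __name__ == "__main__":
    drive = build_sample_drive(2 * CYLINDER_SECTORS + 100)     # two full cylinders plus a partial one
    hsh = checkpoint_lines(drive)
    print(len(hsh), "checkpoints; first:", hsh[0])
    damaged = bytearray(drive)
    damaged[CYLINDER_SECTORS * SECTOR + 5] ^= 0xFF               # flip one byte in the 2nd cylinder
    print("failing ranges after one flipped byte:", verify_checkpoints(bytes(damaged), hsh))
    print("-b 63 -e 64 hashes exactly one sector:", hash_sectors(drive, 63, 64))
```

The checkpoints cover only whole cylinders, so the sectors past the last full cylinder (the same ones NT under-reports) still need an explicit -b/-e or -E hash over the full drive.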

-V   (Verbose output) Show some debugging information on the screen. It lets the user step through some initial information to verify that the source and destination are the correct choices.

-s + XXX[kKmM]      Split the output into files of at most XXX bytes (XXX replaced by a value). The program rounds the chosen size to the nearest 512 byte upper limit.

If one of the modifiers k, K, m or M is appended, XXX is taken as kilobytes or megabytes. Lower case k multiplies by exactly 1000, while upper case K multiplies by 1024; m and M likewise multiply by 1,000,000 or 1024 * 1024. Flat file sizes are always multiples of 512 bytes.

-s + CD     Split the output into CD-ROM sizes of about 630 Megabytes.

-r + XX     Make the last wipe pass write the character with decimal value XX instead of random data (for example, -r 0 writes hex 0's).

-w + XX     Overwrite the drive XX times. The default is one pass of random values; -r changes what the last pass writes.

Following are the hashing options.

-C    The -C option causes the program to perform the 32 bit CCITT Checksum on the source drive. The value is placed to the screen on completion of the program. (The option -32 can be used in place of the -C option). Do not confuse the uppercase -C hash option, with the lower case -c compress option.

-h    The -h option causes the program to perform the 128 bit MD5 algorithm on the source drive. The value is placed to the screen on completion of the program. (The option -128 can be used in place of the -h option). Note: If you use the hashing options, it is advisable to also use the -l logging option. Else, there will be no saved record of the values calculated.

-160    The -160 option causes the program to perform the 160 bit SHA1 algorithm on the source drive. The value is placed to the screen on completion of the program.

-256    The -256 option causes the program to perform the 256 bit SHA2 (SHA-256) algorithm on the source drive. The value is placed to the screen on completion of the program.

-384    The -384 option causes the program to perform the 384 bit SHA2 algorithm on the source drive. The value is placed to the screen on completion of the program.

-512    The -512 option causes the program to perform the 512 bit SHA2 algorithm on the source drive. The value is placed to the screen on completion of the program.



Related Programs

Disk crc, 16-bit program no longer supported.

Diskimag, 16-bit program no longer supported.
