Imaging with interACT
interACT has an imaging command with several options/switches to allow users to read a disk or volume and write its contents out as a .dd file. As seen on the previous page, this can also be done from the AIR UI but remains here in interACT for those who prefer to image from the command line.
interACT Imaging Options
--list, -l list available disk/volume devices (default: false)
--input value, -i value read disk device from given input
--output value, -o value write output file(s) to a repository or directory. Use 'repository' to upload to evidence repository set at session start
--max-chunk-size value, -c value maximum chunk size in bytes or use suffix K,M,G. Use 0 to use dynamically calculated chunk size (default: "512M")
--chunk-retry-count value, -r value number of retries for chunk creation attempts when output is repository. If output is a directory, this flag is ignored (default: 1024)
--start-offset value, -s value start offset in bytes or use suffix K,M,G (default: "0")
--max-chunk-count value, -n value maximum number of chunks to create. 0 value dynamically calculates the number of chunks (default: 0)
--block-size value, -b value input block size in bytes or use suffix K,M,G. This must be multiple of logical sector size. Bigger values will result in faster reads but will skip the same amount of data on each read if read error occurs. 1M is a good value for most cases. (default: "1M")
--file-prefix value, -p value prefix for output file name(s)
--no-proxy bypass proxy if enabled while transferring file to a repository (default: false)
--bandwidth-limit value maximum bandwidth limit in bytes or use suffix K,M,G (default: "0")
--help, -h show help
Here is an example of an imaging command in its simplest form:
image -i E: -o OutputFolder2
In this command, the -i
flag is used to specify the input source for the image
command.
Here's a breakdown of the command:
image
: This is the name of a command or script that is used to create an image (a copy) of a disk or volume.-i E:
: This flag specifies the input source for the image creation process. In this case,E:
represents a disk or volume identifier on the system. It indicates that the image creation process should target the contents of the disk or volume associated with the drive letterE:
.-o OutputFolder2
: This flag specifies the output destination for the image file. The image file generated by the command will be stored in theOutputFolder2
directory.
Imaging output and the metadata.yml file
To inspect the results of the command shown above, image -i E: -o OutputFolder2,
we can navigate to the folder using interACT and list the contents as shown below:
In this case, we see that there are two image chunks; image.001.zip and image.002.zip, along with a file named metadata.yml. This file exists in your output folder even when you use the AIR UI to image a disk or volume.
This metadata file can be read in the shell with the 'cat' command. It provides information about your image including the source, imaging start and end times, size, and hash values:
Understanding errors documented in the metadata.yml file
From time to time all imaging tools will have issues with areas of the the disk that can not be read. In such cases, AIR will report errors in the metadata.yml file and they will be recorded as shown below:
metadata:
Hostname: Win10-002
Source: '\\.\E:'
Target: C:\Users\OutputFolder2
StartTime: 2024-03-19T19:58:21.2390559-07:00
BlockSize: 1048576
StartOffset: 0
Duration: 7.734205s
ChunkSizeInBytes: 536870912
BytesRead: 1073737728
ReadDuration: 466.9625ms
SeekDuration: 0s
BytesWritten: 1073737728
NumberOfChunks: 2
WriteDuration: 7.249291s
Compression: true
Encryption: false
Hash:
MD5: fca9b2842db5decdf894327adf4a1ed9
SHA1: ad6a937e97fa73e64d6d0fdabb0a357ca01c9df4
SHA256: eeb5961f8f83ae3d70495831da307d429c6ffe881364c5396da76408a8ad8224
ReadErrorTable:
Errors:
0: error-1
1: error-2
Regions:
- Offset: 0
Size: 1048576
RefError: 0
- Offset: 2097152
Size: 1048576
RefError: 1
This imaging metadata report outlines the process and outcome of an imaging operation carried out in AIR. The report provides details about the operation, including the source, target, data transfer metrics, and errors encountered. Let's break down the key parts and interpret the errors mentioned in the report:
Basic Operation Details
Hostname: Win10-002 indicates the machine name where the operation was performed.
Source: '\.\E:' shows that imaging was done from a device mounted at E: (likely a disk drive).
Target: C:\Users\OutputFolder2 is where the imaged data was written.
StartTime: The operation started on March 19, 2024, at 19:58:21 local time.
Duration: It took approximately 7.73 seconds to complete.
Compression: Enabled, indicating the data was compressed during the imaging process.
Encryption: Not used during this imaging operation.
Data Transfer Metrics
BytesRead and BytesWritten: Both are 1,073,737,728 bytes, indicating that a bit over 1 GB of data was read from the source and written to the target.
NumberOfChunks: 2 chunks of data were processed, aligning with the bytes read/written and chunk size.
ChunkSizeInBytes: Each chunk was 536,870,912 bytes, about 512 MB, which fits the total data size indicating two chunks were necessary.
ReadDuration and WriteDuration: Reading took under half a second, whereas writing took the majority of the operation time (about 7.25 seconds).
Errors and Their Implications
The ReadErrorTable
section is particularly noteworthy as it outlines issues encountered during the read operation:
Errors Listed: Two errors,
error-1
anderror-2
, were encountered during the imaging process.Regions Affected:
The first error occurred at the very beginning of the read operation (Offset: 0), affecting 1,048,576 bytes (1 MB).
The second error occurred after skipping the next 1 MB chunk (notably absent from the errors), affecting the third 1 MB segment of data (Offset: 2,097,152).
Interpreting the Errors
The presence of read errors in specific regions suggests issues with the source device at those locations. This could be due to bad sectors, physical damage, or corruption within the disk's storage.
The operation continued despite these errors, which is common in forensic imaging processes where the goal is to recover as much data as possible, even in the presence of damaged or inaccessible areas.
The absence of errors for the second 1 MB segment (from 1,048,576 to 2,097,152 bytes) indicates that not all regions of the source had issues, highlighting the localized nature of the problems.
Last updated
Was this helpful?