Document image creation process

[ssaumitra]

Whether specific format for disk image is expected or an image file from output of dd is sufficient, is not clear from README. It will be great if image creation process and example tools are specified in README.

[Lazza]

The current wording is:

The main argument is the path to a bitstream image of a disk or partition

Currently it mentions only raw bitstream images. No other kind of format is ever mentioned (EWF, AFF, ...). Could you clarify what part is not clear? What kind of wording would be preferrable?

image creation process and example tools

RecuperaBit is an analysis tool, not an imaging tool. It's the examiner's job to image a drive, the specific tool used does not really matter. 😉

[Hornwitser]

dd should never be used to make an image. If the drive is damaged or has any sectors with read errors at all, then dd will fail to make an image or skip the bad sections from the output causing the positions in the stream to desync. I learned that the hard way.

As for wording I've heard the term raw disk image before, but I don't think that's any better.

[Lazza]

If the drive is damaged or has any sectors with read errors at all

If this is the case, any competent examiner knows that the proper tool is GNU ddrescue, right. But still this is not related to RecuperaBit as the program does not acquire disk images, it only reads them. 😅

"Raw disk image" is a synonym of "bitstream image" but actually IMHO it's a good one. I might consider changing the definition in the README. What do you think about this @ssaumitra ? Does "raw disk image" sound better?

[Lazza]

No feedback was provided after 6 months. I am closing this for now, but it can be reopened if feedback is provided.

[ssaumitra]

@Lazza Feel free to use any words you like. I just would like to understand how do I create this "bitstream image" or "raw disk image". Can you kindly let me know exactly which tools need to be used in order to do that?

[Lazza]

As written above, use dd, ddrescue or whatever you prefer. You might even prefer to image in EWF format and then use ewfmount.

This is a program targeted to digital forensics practitioners, it is expected that they know how to image a disk.

PS: as I see from your initial post, it seems you have created a bitstream copy with dd. Yes, that is exactly the expected input. :smile:

[ssaumitra]

@Lazza I understand now. Thanks for letting me know. I would suggest that this should be included in README file. This is new for me who does not work in digital forensics. Also, you yourself and @Hornwitser (see comment above) have different opinions on dd and probably you both work in Digital Forensics.

dd should never be used to make an image. If the drive is damaged or has any sectors with read errors at all, then dd will fail to make an image or skip the bad sections from the output causing the positions in the stream to desync. I learned that the hard way.

As for wording I've heard the term raw disk image before, but I don't think that's any better.

[Lazza]

Actually, the opinions are not all that different. @Hornwitser provided some insights about the pitfalls of using the "normal" dd on physically damaged drives.

I am a bit perplexed about the need to explain imaging in the README of RecuperaBit. The purpose of the README is to explain how to use a tool, not how to create input. For instance, you do not see "how to take a picture" in the manual of Adobe Photoshop... I guess. 😅