NtImage




Author: Dan Mares, info @ maresware . com
Portions Copyright © (2004) Mares and Company, LLC
Phone: (770)237-8870, 8815(fax)

Purpose

The program is designed to be used by those needing to make a forensic copy or copies of suspect disks while running the NT or XP operating system.

Note: Wherever the word copy is used, it is intended to be interchangeable with the word image (unless otherwise stated).

It can be used to do any of the following:



Operation

The program runs in a CMD prompt (DOS box) and obtains from the command line the various user options relating to its operation. Depending upon the options selected, the program performs one of the operations described below.

In its default mode, the program will create or restore a hard drive image.

The program normally reads the drive information that NT makes available (see the Special NOTE immediately below), determines the size of the source drive from it, and then creates the output image file.

Under the wipe option, the user specifies how many passes to make and what character the last pass writes. The default is 1 pass of random characters.


Special NOTE: The disk size information which NT provides to the program is often smaller than the actual drive size. This is because NT only recognizes a drive as fully "populated" up to a theoretical, fully translated cylinder boundary made up of 255 heads. For this reason the size, and thus the total sectors, reported by NT (using any of the options) are only what the NT OS wants the user to see. However, the program will capture all the sectors even though the NT operating system reports a lesser number of sectors. The number of sectors NT can under-report is at most 1 less than a full cylinder, which calculates to (254 heads * 63 sectors) + 62 sectors == 16,064 sectors (1 sector less than a full cylinder of 16,065).

Example calculation: let's say the drive really has 20,015,856 sectors. If we assume a full cylinder to be 63 sectors by 255 heads, then a cylinder will contain 16,065 sectors. Divide 20,015,856 by 16,065 and you get 1245 full cylinders with 14,931 sectors left over. NTIMAGE will report that NT reports total sectors of (1245 cylinders * 16,065 sectors = ) 20,000,925 total sectors, which leaves (20,015,856 - 20,000,925 = ) 14,931 "extra" sectors. The 14,931 sectors are not enough (16,065 are needed) to make another full cylinder, so the OS disregards them when reporting the geometry to the program. However, when run, NTIMAGE will find all the sectors and report the proper total in the accounting or logging information.


When placing the image in an output file, the name of the output file should contain only a filename (with path if necessary) without an extension. The program creates its own unique numeric extension sequence based on the file name; any filename extension provided is ignored. The file extensions begin at 000 and continue through the entire alphabet (000 through 009, then 00A through 00Z, etc.).

If any of the hashes are requested (any one, all, or none can be requested), the hash values are calculated as the program reads the data from the source drive. At the end of the run the values are placed on the screen or in the log file (-L option). (Note: in random tests, adding the 128 bit MD5 hash may double the imaging time.)

If the split (-s) option is used, the output file(s) are split into the maximum size requested by the user. The split option takes a numeric modifier telling the program how big to make the split pieces. The file sizes calculated during the split operation are rounded to 512 byte sector boundaries. See the split option for more information on these values.

There is a special split modifier, -s CD, which tells the program to split the output files into sizes compatible with CD-ROM. The output files are nominally split at about 630 Meg.

When doing a physical disk to disk copy, or restoring an image to a physical disk, the user must make certain the destination disk is large enough. Currently the program makes no checks on the destination drive size.


READ ERRORS

When performing the imaging operation, any read errors are reported in the logfile (if one is chosen). The section of the output file (the entire sector, 512 bytes of data) corresponding to the bad sector read is replaced by the word BAD followed by two numbers of the form
BAD 000000001069-000000547328...
The entire width of this sequence is 32 bytes. The first set of numbers represents the logical sector (from 0) that resulted in the read error, and the 2nd set of numbers represents the byte offset (from 0) into the image where this sector lies. The 2nd set of numbers should always be larger than the first and should be divisible by 512.
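A scanner for the BAD markers described above, as an added example in Python (not NtImage's own code). It assumes the image starts at source sector 0, so the byte offset inside a marker should equal the marker's own position in the image, and it assumes the placeholder sector is zero-filled after its 32-byte marker; ordinary data that merely begins with "BAD " and digits fails the consistency check.

```python
import re

SECTOR = 512
# "BAD " + 12-digit source sector + "-" + 12-digit byte offset; "..." padding follows (32 bytes total)
BAD_MARKER = re.compile(rb"^BAD (\d{12})-(\d{12})")


def find_bad_sectors(image):
    """Walk an NtImage image (bytes) one 512-byte sector at a time and return
    (image_sector, source_sector, byte_offset, consistent) for each BAD marker.
    'consistent' is True when offset == source_sector * 512 and the marker sits
    at exactly that offset, which is what NtImage writes; real data that happens
    to start with 'BAD ' followed by digits normally fails this test."""
    if len(image) % SECTOR:
        raise ValueError("image length is not a whole number of sectors")
    hits = []
    for pos in range(0, len(image), SECTOR):
        m = BAD_MARKER.match(image[pos:pos + SECTOR])
        if m is None:
            continue
        src_sector, offset = int(m.group(1)), int(m.group(2))
        consistent = offset == src_sector * SECTOR and offset == pos
        hits.append((pos // SECTOR, src_sector, offset, consistent))
    return hits


def make_bad_sector(sector_number):
    """Construct the placeholder NtImage writes for an unreadable sector (used here to
    build sample data; the zero fill after the 32-byte marker is an assumption)."""
    marker = f"BAD {sector_number:012d}-{sector_number * SECTOR:012d}...".encode()
    return marker.ljust(SECTOR, b"\0")


if __name__ == "__main__":
    # Constructed 4-sector image: sector 1 was unreadable; sector 3 is data that merely starts with "BAD ".
    image = (b"\x55" * SECTOR + make_bad_sector(1) + b"A" * SECTOR
             + b"BAD 000000000007-000000000005".ljust(SECTOR, b"\0"))
    for image_sector, src, offset, ok in find_bad_sectors(image):
        state = "consistent" if ok else "inconsistent, probably data"
        print(f"image sector {image_sector}: BAD marker for source sector {src}, offset {offset} ({state})")
```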


WRITE ERRORS

Write errors are not currently reported, as it is the user's responsibility to determine that the destination drive is functioning properly.



Command Lines

C:>ntimage -G
(show the geometry of ALL the drives NT can see.)

C:>ntimage -G 0
(show the geometry of physical drive 0. The drive number can be between 0 and 9.)

C:>ntimage -i a: -o c:output_file
(image the A: drive to a file called output_file. The extension will be .000.)

C:>ntimage -i 1 -o d:output_file
(image physical drive 1 (the second drive; it is always assumed that the first drive is the user's forensic drive C:) to the file "output_file".)

C:>ntimage -i 1 -o d:output_file -x
(image physical drive 1 (the second drive; it is always assumed that the first drive is the user's forensic drive C:) to the file "output_file". -x means DON'T check for extra sectors. Use this especially when imaging USB drives, as they do not respond properly to an end-of-media request.)

C:>ntimage -i 1 -o 2
(disk copy from physical 1 to physical 2)

C:>ntimage -i 1 -o d:output_file -c
(compress the output image file)

C:>ntimage -i 1 -o d:output_file -C
(calculate the 32 bit CCITT Checksum of the source drive)

C:>ntimage -i 1 -o d:output_file -h
(calculate the 128 bit MD5 of the source drive)

C:>ntimage -i 1 -160
(calculate the 160 bit SHA1 only, NO output file)

C:>ntimage -i 1 -o d:output_file -V
(show some debugging information.)

C:>ntimage -i image_file_name.000 -o 2
(restore the image_file_name.000 file to the 3rd hard drive.)

C:>ntimage -o 2
(wipe the 3rd physical drive with a single pass of random values.)

C:>ntimage -o 2 -r 0
(wipe the 3rd physical drive with a single pass of hex 0's.)

C:>ntimage -o 2 -r 0 -w 3
(wipe the 3rd physical drive with 3 passes. The last pass being hex 0's.)

C:>ntimage -i 1 -o 2 -h
(clone drive 1 to drive 2 and perform a 128 bit MD5 hash.)

C:>ntimage -i 1 -o 2 -h -L logfile
(clone drive 1 to drive 2, perform a 128 bit MD5 hash, and create a logfile called logfile.)

C:>ntimage -i 1 -o 2 -h -L logfile -F
(clone drive 1 to drive 2, perform a 128 bit MD5 hash, and create a logfile called logfile, with backfill of 0's.)

C:>ntimage -i 1 -h -L logfile -b 63 -e 64
(on drive 1 (the 2nd drive), perform the hash on sector 63 (counting from 0) for 1 sector.)

C:>ntimage -i 1 -h -L logfile -b 200 -e 2000
(hash drive 1 from sector 200 to 2000. The ending sector is not included in the hash.)

C:>ntimage -i 1 -h -L logfile -E imagefile.*
(hash the RESTORED drive 1. Use the imagefile.* files to calculate the total number of sectors in the image set, then perform the hash on that many sectors of the restored drive. This operation only hashes as many sectors as were in the image files.)
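The extension sequence described under Operation (000 to 009, then 00A to 00Z) and the sector count that -E derives from a set of image files, as an added example in Python (not part of NtImage). It assumes the sequence continues in base 36 after 00Z (010, 011, ...), that an image set always starts at source sector 0, and it works from a directory listing and file sizes rather than touching a disk, so it runs offline.

```python
# Added example: ordering an NtImage split set and deriving the -E sector count (not NtImage code).
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # 000..009, 00A..00Z, then (assumed) 010..
SECTOR = 512
FULL_CYLINDER = 255 * 63   # 16,065 sectors: NT reports a drive size rounded down to whole cylinders


def extension_for(index):
    """Sequence extension of the index-th output file: 0 -> '000', 10 -> '00A', 36 -> '010'."""
    if not 0 <= index < 36 ** 3:
        raise ValueError("extensions run from 000 to ZZZ")
    chars = []
    for _ in range(3):
        index, rem = divmod(index, 36)
        chars.append(ALPHABET[rem])
    return "".join(reversed(chars))

def order_image_set(base, listing):
    """Return base.000, base.001, ... in sequence order, stopping at the first gap.
    'listing' is the set of filenames present (for example from os.listdir); a gap
    means the set is incomplete and any sector count derived from it is wrong."""
    present = {name.upper() for name in listing}
    ordered = []
    for i in range(36 ** 3):
        name = f"{base}.{extension_for(i)}"
        if name.upper() not in present:
            break
        ordered.append(name)
    return ordered

def sectors_in_set(sizes):
    """What -E computes: total bytes of the set divided by 512. A total that is not a whole
    number of sectors means a truncated or corrupt piece, so no sector count is derived."""
    total = sum(sizes)
    if total % SECTOR:
        raise ValueError(f"image set is {total} bytes, not a multiple of {SECTOR}")
    return total // SECTOR

def nt_reported_sectors(actual_sectors):
    """Sector count NT reports for a drive: rounded down to whole 255-head cylinders,
    so the image can hold up to 16,064 more sectors than the OS-reported size."""
    return (actual_sectors // FULL_CYLINDER) * FULL_CYLINDER


if __name__ == "__main__":
    # Constructed directory listing: a three-piece set plus an orphan .004 after a gap.
    listing = ["evidence.000", "evidence.001", "evidence.002", "evidence.004", "notes.txt"]
    print(order_image_set("evidence", listing))          # stops before the missing .003
    print(sectors_in_set([1024, 1024, 512]))             # 5 sectors: the -e value for a restored drive
    print(20_015_856 - nt_reported_sectors(20_015_856))  # 14931 tail sectors, as in the worked calculation
```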



Options

-?   Get a help screen.

-i + drive    The drive is the input drive. Use A: if the input is the floppy drive. If the input is a physical disk, give the physical drive number, starting at 0.

-x    Do NOT check for eXtra sectors on a drive. Use this especially when imaging USB drives, as they do not always respond properly when the end of media is reached, and the program seems to run away reading phantom extra sectors. This option can also be used at any other time.

-i + image_file_name.000     The drive is to be restored from this image_file_name. The .000 extension must be present, and the program will find all subsequent files in the sequence.

-o + dr:output_filename    Output filename is the complete drive and filename (without extension) the output is to be placed into. The output extensions are sequenced from 000.

-o + drive_number    If the output is to be a physical drive (either disk to disk, or restored from an image file), the output drive number should be the physical drive number starting at 0.

-AUX=drive_number   This is a special output option allowed only when the -d outputfilename option is also used. The -AUX=x option allows you not only to create an image file (-d option) but simultaneously to do a disk to disk copy. The value of x in -AUX=x is the physical drive number (counting from 0) to copy the source drive to. (-AUX=5 will make a copy of the input -i 0 on the 6th physical hard drive.)

(NOTE: the -b and -e options are only available for the hashing-only processes, meaning there is only a -i option and no -o option.)

-b + sector_#   Begin the hashing at this sector number. Sector numbers count from 0. The beginning sector number IS processed.

-e + sector_#   End or finish the hashing at this sector number. Sector numbers count from 0, and the ending sector IS NOT included in the process. The syntax -b 10 -e 11 processes only 1 sector; -b 10 -e 20 processes 10 sectors, 10 through 19.

-E + imagefile.*    Use this filename (wildcards are acceptable) to calculate the total size of the image files making up a set. The size is then divided by 512 to determine the exact number of sectors in the image file, and that number is used as the ending sector for any hashing. This option is a shortcut to determine how many sectors to actually hash on a restored drive. It is only useful with the hashing options.

(NOTE: the -b, -e and -E options are only available for the hashing-only processes, meaning there is only a -i option and no -o option.)

-c    The -c option is used to compress the output file(s). It currently uses a modified zip format. This means that it is not currently compatible with FTK, SMART or ENCASE. Eventually the compression will be SMART and FTK compatible.

-L + logfilename    The name of a log file in which to place some accounting information and the hash information. The logfile is never overwritten; it is always appended to. The environment variable LOGFILE=[...\fullpath...\]filename can be set; if it is, the program will use that filename as the logfile. (-L logfilename overrides the environment setting.)

-V   (Verbose output) Show some debugging information on the screen. It lets the user step through some initial information to verify that the source and destination are the correct choices.

-s + XXX[kKmM]      Split the output files into pieces of XXX (replaced by a value) bytes. The program rounds the split size to the nearest 512 byte boundary, with the size chosen by the user as the upper limit.

If the modifiers [kKmM] are used, XXX is taken to mean kilobytes or megabytes. The lower case k produces exact sizes of XXX * 1000 bytes, while the upper case K produces sizes of XXX * 1024 bytes. The m and M are similar, multiplying by 1,000,000 or (1024 * 1024) respectively. Flat file sizes are always multiples of 512 bytes.

-s + CD     Split the output into CD-ROM sizes of 630 Megabytes.

-r + XX     The last wipe pass will be written with the character whose decimal value is XX (for example, -r 0 writes hex 0's) instead of random characters.

-w + XX     Overwrite the drive XX times. The default is one pass of random values, unless -r overrides the value written on the last pass.

Following are the hashing options.

-C    The -C option causes the program to perform the 32 bit CCITT Checksum on the source drive. The value is placed on the screen on completion of the program. (The option -32 can be used in place of the -C option.) Do not confuse the uppercase -C hash option with the lower case -c compress option.

-h    The -h option causes the program to perform the 128 bit MD5 algorithm on the source drive. The value is placed to the screen on completion of the program. (The option -128 can be used in place of the -h option).

-160    The -160 option causes the program to perform the 160 bit SHA1 algorithm on the source drive. The value is placed to the screen on completion of the program.

-256    The -256 option causes the program to perform the 256 bit SHA2 algorithm on the source drive. The value is placed to the screen on completion of the program.

-384    The -384 option causes the program to perform the 384 bit SHA2 algorithm on the source drive. The value is placed to the screen on completion of the program.

-512    The -512 option causes the program to perform the 512 bit SHA2 algorithm on the source drive. The value is placed to the screen on completion of the program.
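Hashing a sector range with the -b/-e semantics given above, as an added example in Python (not NtImage's code). It maps the hash option names to hashlib algorithms (the -C / -32 CCITT checksum is not in hashlib and is left out), feeds every requested digest from one read pass, and accepts either bytes or a seekable binary stream such as an opened raw device; the "drive" in the demo is constructed in memory.

```python
import hashlib
import io

SECTOR = 512
# NtImage hash options and the hashlib algorithm each one documents (-C / -32 CCITT not included)
ALGORITHMS = {"-h": "md5", "-128": "md5", "-160": "sha1",
              "-256": "sha256", "-384": "sha384", "-512": "sha512"}


def hash_sector_range(source, begin, end, options=("-h",)):
    """Hash sectors [begin, end) of 'source' the way -b/-e are defined: the -b sector is
    included, the -e sector is not, so -b 63 -e 64 covers exactly one sector.
    'source' is bytes or a seekable binary stream. All requested digests are updated
    from a single read pass, so a second algorithm adds CPU time but not a second read."""
    if begin < 0 or end <= begin:
        raise ValueError("need 0 <= begin < end (end is exclusive)")
    unknown = [opt for opt in options if opt not in ALGORITHMS]
    if unknown:
        raise ValueError(f"unsupported hash option(s): {unknown}")
    stream = io.BytesIO(source) if isinstance(source, (bytes, bytearray)) else source
    digests = {opt: hashlib.new(ALGORITHMS[opt]) for opt in options}
    stream.seek(begin * SECTOR)
    remaining = (end - begin) * SECTOR
    while remaining:
        block = stream.read(min(remaining, 2048 * SECTOR))   # 1 MiB reads
        if not block:
            raise EOFError(f"source ended {remaining} bytes short of sector {end}")
        for digest in digests.values():
            digest.update(block)
        remaining -= len(block)
    return {opt: digest.hexdigest() for opt, digest in digests.items()}


def constructed_drive(sectors):
    """Constructed stand-in for a drive: sector n is filled with the byte value n % 256."""
    return b"".join(bytes([n % 256]) * SECTOR for n in range(sectors))


if __name__ == "__main__":
    drive = constructed_drive(64)
    print(hash_sector_range(drive, 63, 64, ("-h", "-160")))   # equivalent of -b 63 -e 64 -h -160
    print(hash_sector_range(drive, 0, 64, ("-256",)))         # the whole constructed drive
```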



Related Programs

Disk crc

Diskimag
