Does anyone have a plugin for a drive duplicator that will actually do a sector by sector copy of the drive? I need to image an Intel Mac that has Mac OS 10.4.10 and Windows XP partitions.

In the past we could load Mac OS X then use Windows XP to format and prepare the second partion for Windows XP SP2 and load it on the new partition. We have tried to use Ghost 11 to put the new image on another Mac but the system will not boot into Windows (returns disk read error or just boots to a black screen with flashing cursor). Ghost does a drive copy but only if it is Windows. Trying to put the new image on another prepared Mac does not work.

I suspect that the issue may be that Ghost is a Windows drive copier and putting a partion on an HPFS drive does something to the partiton header as Ghost knows the different partitions and finds nothing wrong with them but the system will not boot using the Windows partition.

If anyone has any other usefull suggestions (getting rid of the Macs or booting only to Windows on the Mac is not an option) or if anyone has a sector by sector drive copier program (or knows of such a program) I would be interested in that information.



Thank you.

CWU

A rather complete list of "dd like" apps is here:
http://www.911cd.net/forums//index.php?sho...c=16534&hl=
and on the linked thread at MSFN there are some more:
http://www.msfn.org/board/index.php?showtopic=100299

jaclaz

Did you try Ghost sector by sector related switches, ie:
-ia
-ial
-ib
-id

HTH

I think you may try this : http://www.runtime.org/diskexpl.htm

I don't see anything in that link that indicates it is a sector by sector copying utility. In looking at their DriveImage XML I do not see anything in it that indicates that it is a sector copying utility. They both indicate that they are Windows based recovery utilities and those will not copy HPFS Macintosh drives that happen to have NTFS partitions on them.

In other words, I need to copy a drive that is not (exclusively) Windows based. Using Ghost 11 to put the Windows partition on the Macintosh hard drive does not work and Windows does not run after ghosting the partition onto the drive.

I do see that there is a Win32 based DD that might do it if I can figure out how to make the BartPE plugin for it. I also do not know how fast it might be when doing a sector by sector copy. In the past most if not all utilities that did a sector by sector copy were painfully slow so a current 100+gb hard drive would probably take days to copy!

Thank you.

CWU

Your approach of sector oriented copying is a mistake. On LBA drives , the CHS addressing is "simulated" as far as possible , but on very large drives ( 500 GB for example ) , it doesn't work anymore. That tool is able to make images of physical disks (any format , all partitions) as well as logical partitions ( linux , others ) on it. The latter is possible as long as the partition information is conform what is commonly used. The disk image it creates can be written back to another disk ( same or bigger size ) provided the disk is LBA aware ...

I use this method to have a spare disk in case my main disk would fail . Up and running again is just a matter of exchanging the disks now. And last but not least , they provide PE plugins ...

Unfortunately , it's YOU that have it wrong, data is organixed on any hard disk in sectors (or "blocks") independently on which method it is used to address them.
CHS or LBA are simply addressing methods.
The "dd" like copying method (operating system and filesystem independent) is the ONLY method that guarantees an exact duplicate of a drive, and it is widely used in forensics.
Besides, 500 Gb hard disks are not that common, and, until the new 2kbytes per sector standard becomes common, all hard disks do use the same 512 bytes one.


Well, you cannot have everything.

Unless a program has particularly slow algorithms, the speed of a copy is determined by the transfer speed of the channel and on the speed of the driver of the specific OS that is running.

Most Commercial softwares that are faster do interpret filesystem level structures, for example skipping unpartitioned space, or empty sectors, but the resulting copy is NOT "forensic sound".
Sometimes they are faster than other programs because they have "better" drivers/algorithms, use in a faster way the HD internal cache.

DriveimageXML, which is by the way a very nice program, is NOT an OS/filesystem independent disk/partition cloner, as it relies heavily on OS routines, it is more like a BACKUP app, very handy given that the OS can access the logical structure of the disk, which is not the case for Mac filesystems.


jaclaz

Of course copy sector by sector is slow.
Reading 512 byte and writing 512 byte is slow. A fast sector by sector copy is not possible.

Do you like to duplicate a hard disk?

Read and write multiple sectors each time, set block size: bs=SIZE.

Exactly ! your "blocks" on LBA. And wathever you use on windows ( dd or whatever junk ) , it cannot access sectors . Windows simply refuses to access the disk directly ( unless the program is a device driver ). Every access under windows is a protected mode "offset/size" read or write. And IF there were methods to circumvent that , they will certainly fail on Vista .

@RAMDisk2004
Actually it is perfectly possible to access directly hard disk sectors under NT/PE based systems, as the majority of the numerous listed utilities in the linked thread actually do.

Rather obviusly, due to the HAL typical of NT based systems, the method to access these sectors is different from that of DOS.

VISTA may (or may not) behave differently, but noone here (exception made for you) was talking about VISTA, CWU asked on programs that could be used under BartPE.

jaclaz

You cannot bypass the device driver that accesses the hard disk. If a program wants to access the disk in a CHS way , the OS will convert this to a device driver call with "offset/size" (*) , which MAY on its turn , and depending on the hardware of disk , convert this again to a CHS value. Reading a disk from sector "zero" to sector "max" is just ridiculous. You will problably have more cache hits than effective hard disk reads.

BartPE is Windows XP or Windows Server 2003 , isn't it ? And Bart may support Vista in the future ?

(*) in regular read accesses : offset is a multiple of the sector size , size is a multiple of the sector zize and the receive buffer must be sector size aligned.

Actually no, it's more closely related to WinPE. It certainly draws from those two systems but it is not them.

Yep :


However, ridiculous as it might seem to you, the actual scope of a "dd like" copy, is exactly that of , and as said, it is NOT "fast", as NO sectors are skipped, no data is altered or interpreted in any way.

For this particular scope, NT based systems included PE are not the "best suited" anyway, in forensics it is rather common to use Unix/Linux as OS, but CWU asked for programs under BartPE.

The "real" forensics professionals actually use hardware devices capable of duplicating hard disks, things like these:
http://www.ics-iq.com/
http://www.icsforensic.com/
http://www.icsforensic.com/index.cfm/actio...b8-d1218d61e928
http://www.logicube.com/
http://www.logicube.com/products/hd_duplication/sonix.asp

Of course prices of such devices are not affordable by "amateurs" or are however not justifiable in a business environment for a few uses per year only.

jaclaz

it's small, it's free, it doesn't need any plugin since it's a standalone exe and it claims to do do what you want:
"copys a disk as a raw image from one drive directly to another" ...
" transfer the data directly to another drive without doing a file by file copy" ...
"allows drives with an unknown file system to be copied (including from console game machines, data recorders, mac etc)"

never tested it, so give us your feedback about it if you try it. http://www.roadkil.net/RawCopy.html

That page also says:

This program is designed to run under NT/XP/2000 or later operating systems. It will run under windows 95/98/Me operating systems but only windows logical drives can be copied.

Which implies it's access it limited to Windows access.

@ReD
Roadkil's also has another program, Disk Image, that is listed in the already given threads, that can perform byte-by-byte copy of entire hard disks, i.e. \PHYSICALDRIVEx type of objects.
That is the program I normally use to make and restore images of USB sticks.

Rawcopy has additional "retries" routines, so definitely is slower than Disk Image.


@Ed_P
As I read it, and from experience this:

actually means:


If I may, it's interesting how someone that never used an app posts recommending it, and another one that didn't use it either posted saying the recommendation was wrong...


jaclaz

I never said it was wrong rather that there was an implied limitation (based on my limited understanding of what was written on the webpage) that was stated as unacceptable previously.

Gee ya try to be helpful ....

Who recommended something ? i didn't! someone asked for a tools and i just answered 'this CLAIMS TO do what you want' and i clearly said I NEVER TESTED IT. i'v been honest in my answer.
So it's not a recommendation, i'm too humble to recommend stuff since i 'm the one who knows nothing but who's trying to help and learn. At least i'm not misreading what others wrote

I don't know, that kinda sounds like a recommendation to me. And there is nothing wrong recommending something you haven't tried but think will help.

@ReD
Hey, come on, it was just an attempt to provoke a quick smile , you were perfect in stating the capabilities of the app and adding that it was untested.

@Ed_P
at you

jaclaz

no problemo, my last sentence was aimed in a "kidding you" style.