
I have a flash drive and I want to recover some files from it. Can I take a dd image of the device and perform the recovery operation on the dd image instead? Does it have the same results as performing recovery using software on the physical flash drive?

Rembo
  • It depends on how the data was damaged and how deeply you are trying to recover. If the recovery is required due to partial magnetic erasure, for instance, you can only see the data that DD could understand. Tools like Spinrite, which reassess the magnetic properties of the bit and rewrite it at full signal strength, could only work on the original media. Likewise, blocks too corrupt for DD/DDRescue could not be contained in an image. That said, it is standard practice to take an image and work from it, and for most forensics tasks that is a really good idea! – Frank Thomas May 01 '20 at 01:43

2 Answers

Yes!

It's standard forensic procedure to work from a "Physical Copy", which is what a dd bit-for-bit image is. It will have the same results as working from the drive. In fact the hash checks verify that they are the same.

This assumes of course that the dd image was done appropriately. An example of an inappropriate dd image would be one done against a multisession DVD as DVDs are not actually block devices and only the last session would be extracted.

A flash drive is a block device and would image as expected via a dd.

Wear leveling is a bugaboo that's often thrown around but it's not a factor here.

The one extremely unlikely difference with an SSD (Solid State Drive) is a massively delayed TRIM function. If the TRIM runs delayed by many minutes, a dd image may actually extract data before the TRIM runs, quicker than performing the analysis directly against the SSD, in which case the image would be better but the hashes would not match, causing problems. I've never seen this occur!

user10216038

Working on a dd image is the same as working on the disk, if the disk is healthy.

On a working flash device, it does not matter. A dd image is basically the disk. On a damaged drive it differs a little. If dd cannot read the start of a block, for example, it will write all zeroes for that block, even if the end of the block can be read.

If the device is damaged, it's better to use ddrescue. It will copy full-block where possible, and decrease the block size and retry reading until all possible data is copied back.

And if the device is damaged, it's better to work with an image, because further device activity may damage it even further.

ThoriumBR
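The hash check mentioned in the first answer, combined with the work-from-the-image advice in both, as an added shell example that is not part of either answer. The function names `acquire`, `verify_image` and `demo` are chosen here, `/dev/sdX` is a placeholder, and the dry run uses a constructed file of random bytes in place of a real flash drive.

```shell
#!/usr/bin/env bash
# Added example (not from the answers): image a source with dd, confirm the
# image hashes the same as the source, and re-check it before each analysis.
# SRC is a block device such as /dev/sdX (placeholder; unmounted, read as
# root) or, for a dry run, a regular file.

hash_of() { sha256sum < "$1" | cut -d' ' -f1; }

# acquire SRC IMG -> 0 if IMG matches SRC, 1 on mismatch, 2 if dd failed.
acquire() {
    local src="$1" img="$2" src_hash img_hash
    dd if="$src" of="$img" bs=1M status=none || return 2
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    [ -n "$src_hash" ] && [ "$src_hash" = "$img_hash" ] || return 1
    # Record the hash beside the image and write-protect both files.
    printf '%s  %s\n' "$img_hash" "${img##*/}" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"
}

# verify_image IMG -> 0 only if IMG still matches the hash recorded by acquire.
verify_image() {
    local img="$1" recorded
    recorded=$(cut -d' ' -f1 "$img.sha256") || return 2
    [ -n "$recorded" ] && [ "$(hash_of "$img")" = "$recorded" ]
}

# Constructed dry run: 2 MiB of random bytes stands in for the flash drive.
demo() {
    local dir rc
    dir=$(mktemp -d) || return 2
    head -c 2097152 /dev/urandom > "$dir/fake_drive.bin"
    acquire "$dir/fake_drive.bin" "$dir/drive.img" && verify_image "$dir/drive.img"
    rc=$?
    chmod -R u+w "$dir" && rm -rf "$dir"
    return "$rc"
}
```

Run `verify_image` before and after each recovery attempt; a non-zero result means the working copy no longer matches what was acquired and should be replaced from the original image.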