How to Clone a Hard Drive

Cloning a hard drive is really important, especially if you do data recovering, for various reasons:

1. keep the original hard drive unaltered: if you're performing a forensic analysis of the hard drive, you mustn't (in any way, shape, or form) alter the hard drive, a very difficult process (which we are going to explain later in the article);
2. keep the original hard drive safe: if something happens to the clone, you can always re-clone the original without damaging the data in it;
3. recover data quickly: transferring the data from a broken hard drive to a safe one will allow you to recover data faster than doing the work on the broken one;
4. trying new programs or methods to data recovery without damaging the original hard drive.

Cloning a hard drive means creating a drive bit-by-bit copy of all the data in it. There are two hard drives involved in this process, the source drive (the original) and the destination drive (the cloned one).
The destination drive must be at least as large (if not larger) than the source drive. Bringing the right size drive will save a lot of time and effort. If possible, the source drive should be preserved in a safe place and used only if further cloning is needed. Ideally, you should always work on the cloned drive, so if something goes wrong you can always clone the original again and start over.

Before you start cloning your hard drive, some precautions must be made.

1. Make sure you use an unaltering method toread the source drive: if you are doing forensic analysis, you need to prevent any data from being written to the original evidence drive, or else you could inadvertently compromise the evidence.
2. Safely delete data from the destination drive, otherwise, the old data may be fused with the new data that you are trying to clone. (Think about emptying a house before selling it. You don't want the future owners to have your photo albums or your nice couch!);
3. Check the destination drive for bugs or errors before starting the cloning: if something is already wrong with the device, it could only worsen the state of the original data, even corrupting the original device.

In forensic analysis, the unalterability of the device is fundamental to safeguard the original evidence during the cloning process, without compromising it in the process. Forensic investigators need to be absolutely certain that the data they obtain as evidence has not been altered in any way during the capture, analysis, and control.

You can achieve unalterability through two different Methods: write blockers and dedicated hardware cards, like our PCI Pro, available here with ChallengerOS and Challenger Rocket.

Write Blocker is a tool that prevents any write access to a hard drive, allowing read-only access to the devices without compromising the integrity of the data.
NIST has issued a set of general guidelines for write blocking requirements:

1. The write-blocker tool shall not allow a protected drive to be changed.
2. The write-blocker tool shall not prevent any operations to a drive that is not protected.
3. The write-blocker tool shall not prevent obtaining any information from or about any drive.

There are two types of Write Blockers, the Hardware Write Blocker and the Software Write Blocker. Both types of write blockers are meant to prevent any writing to the storage devices. The main difference between the two types is that software write blockers are installed on a forensic computer workstation, whereas hardware write blockers have write blocking software installed on a controller chip inside a portable physical device.

ChallengerOS Development Team is proud to present the new Data Recovery PCIe Cards, created in a Real Data Recovery Facility to help Specialists in all hard drive recovery processes. Challenger PCIe connected devices are handled by an internal dedicated driver which cannot be handled by Operating System. PCI Board will be dramatically effective in any forensic or hard drive data recovery case where do still exist a device readiness state.

Challenger PCIe Cards offer to professionals a complete device physical interface and the chance to customize all device behavior, setting up interrupt latency, delays, reset commands delays, grace time on shutting down devices. The Cards also include a complex reading algorithm that will help Specialists in retrieving the most readable logical block areas from devices.

PCIe Cards Connected Devices are handled only by Challenger Rocket Software which comes with a native read-only reading protocol. This will guarantee 100% write protection for forensic samples and the total security of digital artifacts.
Forensic Specialists use Challenger PCIe Boards for imaging any block device creating several drive image types.
Saved images can be opened and analyzed with Challenger Rocket itself or other forensic or data recovery tools.

• Compliant with Serial ATA Specification 3.0.
• Supports communication speeds of 6.0 Gbps, 3.0 Gbps, and 1.5 Gbps.
• Supports programmable transmitter signal levels.
• Supports Gen 1i, Gen 1x, Gen 2i, Gen 2m, Gen 2x, and Gen 3i.
• Supports two SATA ports.
• Supports AHCI 1.0 and IDE programming interface.

Challenger PCIe PRO was built in Recovery Italia Research Center to achieve the best performances in all data recovery tasks.
PRO Card Power system offers a fully automated and programmable reading algorithm that will help Data Recovery professionals to recover any kind of hard drive, such SSDs, SATA, SAS devices.

PRO system offers a complete 2 channel digital managed power system for handling any kind of hard drive behavior and a fully automated and programmable reading algorithm which will help Data Recovery Professional to recover any kind of hard drive, such SSDs, SATA, SAS devices.

Before guiding you to a safe and successful tutorial on how to clone a hard drive, there are some steps you have to do:

1. Use a desktop pc - using a laptop is NEVER a choice because it can and will cause you multiple problems that you can simply avoid by using a desktop pc.
2. Install Challenger Operating System on the dedicated device - during cloning, it's essential to have a solid and fast storage location to store task data files-
3. Use high-quality ATX power supplies
4. Connect the target drive to internal SATA ports (pc shuld be shut down during this process)

ChallengerOS is equipped with several open-source free data recovery tools. GNU ddrescue is a really powerful tool that you can use to perform various operations with block devices.

# ddrescue /dev/sourcedevice /dev/targetdevice

Security Policy of ddrescue will prompt to add

--force

option as first command line option.

Note:

/dev/sourcedevice

/dev/targetdevice

Rocket was born in a ”Data Recovery Factory”, where the imaging process is strategical, and implements all possible imaging strategies and settings to retrieve the most readable from damaged devices.
In this sample, we will lead you to create a clone drive of a damaged hard drive drive. Cloning in the data Recovery Process is essential for reducing source device stressing and avoiding risks of catastrophic hardware failures.

In a device Cloning Task, all source sectors will be transferred on the target device at the same offset. Cloned Devices will be exactly like the source device, with the same partition scheme and the same files.
In most cases, a perfect clone of the source device can be placed in the original hardware environment, like a laptop or a component of a raid system, and will work like the original device.
Clones are the best choice if you need analysis performance.

The Device should be connected to Challenger PCIe Cards when the computer is powered using SATA Power in Manual Mode or Digital power ports if you are using a Challenger PCIe PRO.
After Connecting Power Cable to Hard Drive just press power button located on upper left of Challenger Rocket Toolbar.

The device status register is a specific information retrieved reading device physical ports, using Challenger PCIe Cards.
The status register is one single byte with 8 state bits.
The status register is available in the bottom area in all PCIe Card diagnostic and data recovery tasks.

If the device sets a ready bit, and busy bit is cleared, the user can send a refresh command to the physical ports, to detect the device passport and update the device list.

If the device sets a busy bit and does not come to ready within 30/60 seconds, probably some firmware or physical issue exists and the device cannot be analyzed or recovered.

For better results, from Rocket Main Menu stop System Monitor before connecting External Damaged hard drives.
Disabling System Monitor will be useful to limit any system attempt to locate partitions or mount connected drive and is MANDATORY for all forensic tasks.

Source Device should be connected after system boot.

1. Power UP your computer with a connected target device
2. Launch Challenger Rocket
3. From Rocket Menu ”Disable System Monitor”
4. Connect USB Source Device
5. Wait about 30 seconds
6. Check Source device presence reading ”Sys Log”

ChallengerOs can manage SAS, SCSI, and Fiber Channel hard drives, hooked up to their specific cards, installed on the computer.
Hard drives connected to SCSI and SAS cards can be detected in real-time by connecting them to the operating system whether it's on or off.

If you want to connect them while it's on, It is important to pay attention to the connection of the power supply connector to avoid short circuits.
It is possible to power a SAS or SCSI drive using the power ports of the PCIe PRO CARD by connecting the bus to the SAS or SCSI CARD.

SAS or SCSI devices are automatically detected by CHALLENGER ROCKET and are visible in the list of available devices.

SATA hard drives can also be connected directly to the internal ports of the computer. SATA devices are automatically detected by CHALLENGER ROCKET and are visible in the list of available devices.

In some cases, it is possible to connect the hot sata drive and press the "rescan bus" button for detection.
If the SAS drives connected to the motherboard are detected by ChallengerOS it is necessary to restart the computer.

There two ways to start a new task:

1. Using Wizard
• Select Wizard
• Click "New Task" in Wizard
• Select "Drive Cloning"


2. Using Main Screen
• From the Main Screen, Select the Device
• Select the option "Data Recovery tools"
• Click on the option "drive Cloning"

Challenger Rocket Main Page Cloning Task

Insert Task Name and select task destination Path. Task File should be placed into a safe storage partition like any internal hard drive drive or if yours is a Full ChallengerOS installation on the root folder.

Note: Every Task owns a zMap file which is essential to track read sectors. If you won't use a persistent storage location to save your task data, all zMap changes will be lost after a reboot or some power loss.

Select Source Device from the devices list and press the "next" button.

Hint: If the source device is not listed, consider rescanning devices or creating a task again.

Select Target Device from the devices list and press the "next" button. Target Device data will be erased with source device sectors. Take your time to check selected devices and their serial numbers.

Hint: If the source device is not listed, consider rescanning devices or creating a task again.

Select Map Type From the list

1. Linear Map is an uncompressed linear binary map in which a byte is allocated for each lba sector.
   Linear maps are compatible with MRT, PC3000, and UFS Explorer for task analysis and export.


2. Compressed Maps are owned by Rocket and allow for low storage and high performance.

Finally, this is the last screen you'll see. Just press play and Rocket will clone your drive in record time!

During a disk cloning process, it is very common to encounter bad areas (BAD BLOCKS).

The correct way to deal with damaged LBAs is to skip the corrupted area and focus on the readable areas, as insisting on a damaged area could lead to irreparable damage to the drive.

At the end of the massive reading of the entire drive, it will be advisable to "split" the blocks and retry reading the bad blocks, making requests for single sectors to reduce the overall loss of sectors.

Challenger Rocket allows customization of reading, jumping, and retry parameters to optimize cloning quality and reduce the percentage of bad blocks.

Rocket offers to specialists several protocols to achieve the best data recovery results. If you are working on a device with no critical issues, Posix standard reading protocol will offer maximum performance.

If the device has several damaged blocks, using CDB is mandatory. CDB protocol will block vfs queues and help to avoid system hanging.

Posix

Posix Reading is the standard Linux Reading Protocol. Queue and cache will be enabled, and Source Device will be Read at the best possible performance. Posix Protocol is automatically set for disk images, files, raid devices, mapped streams, or iSCSI targets.

Note: Posix Reading Mode should be selected in all cases where Disk Device works with no errors.

CDB Packet SATA

CDB Packet SATA Protocol is a passthrough command method. The CDB Packet is a special packet sent to the device avoiding the use of the cache and queues. In case of any damaged block or error, the retry routines and recovery methods will be handled by Rocket Reading Algorithm.
Note: CDB Packet Reading Mode should be selected in all cases where Disk Device has been detected by an operating system and do exist errors and delays.

CDB Packet SCSI

CDB Packet SCSI Protocol is a passthrough command method. The CDB Packet SCSI is a special packet sent to the device using SCSI Protocol. CDB Packet SCSI **SHOULD BE SELECTED** for all SCSI SAS USB Disk Devices.
SCSI Sector size
SCSI Sector size parameter should be selected when the device has a sector size different than standard 512 bytes per sector.
Note: Devices with sector sizes different than 512 bytes per sector are usually SCSI/SAS devices handled by IBM Operating systems like AS400 or iSeries Systems.