Jump to content











Photo
* * * * * 4 votes

CloneDisk


  • Please log in to reply
564 replies to this topic

#426 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 14 April 2014 - 10:59 AM

I like this idea very much !

 

It should be rather easy to implement.

 

Expect it soon somewhere next week (I am on trip in Rome this long easter week end :) )

 

 

Probably a good idea (not only restricted to this specific topic) for erwan.l (time and will permitting of course) would be to either modify the offline registry tool:

http://reboot.pro/to...fline-registry/

to be able to parse a .REG file or create a converter from .REG to offline Registry tool commands.  :dubbio:



#427 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13694 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 14 April 2014 - 11:43 AM

I like this idea very much !

Good :).

And if I may add a wish, there should be an "easy" way to modify existing .REG files.

Typically .REG files that you can find pre-made are of two kinds:

  1. intended for "online use" (and thus referencing the "direct" Registry path and/or the CurrentControlSet)
  2. intended for "offline use" (and thus referencing the "mounted hive" in Regedit and/or one of ControlSet00x's)

The "virtual" CurrentControlSet (by checking the Select key) has already been added to the offline Registry tool :thumbsup: and, additionally the tool can already use "relative" paths :thumbup:, so it should be easy to simply strip on-the-fly the leading path, i.e. :

  • HKEY_LOCAL_MACHINE\SYSTEM\
  • HKEY_LOCAL_MACHINE\whatever\SYSTEM\
  • \whatever\SYSTEM\ <- if used against a "system" hive
  • \SYSTEM\ <- if used against a "system" hive

should all behave the same, BUT a .REG file not necessarily is operating on a single "backing file", so it would be IMHO more useful to have a converter to make *any* .REG compatible for "online use" and then use it with the "offline tool". :unsure:

 

:duff:

Wonko



#428 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 14 April 2014 - 06:52 PM

Hi Gents,

 

I am looking for expertise around partitions and specially around extended partitions.

 

Here below 2 scenarios (and not scenarii like Wonko once taught me!) :

 

-one 255MB drive : 4 * 50 MB partitions created with CloneDisk (part1.png)

-one 255MB drive : 4 * 50 MB partitions created with Windows (part2.png)

 

In both cases, all partitions are seen ok by windows.

Still although I can live with the fact they are created in a different way, it gets my life difficult when I want to delete them with CloneDisk.

Basically, windows will create, for each new partition with index >3, an extended partition with number=0.

 

Deleting then, with CloneDisk, any partition with index >3 will generate unexpected result.

 

Any light/explanations welcome :)

 

Note : if it may help, from a dev point of view, I am using windows IOCTL's IOCTL_DISK_GET_DRIVE_LAYOUT_EX/IOCTL_DISK_SET_DRIVE_LAYOUT_EX.

 

Thanks,

Erwan

Attached Thumbnails

  • part1.png
  • part2.png


#429 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13694 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 14 April 2014 - 07:33 PM

I am not sure to understand (actually I am sure that I don't understand).

In a MBR there can be as much as 4 partition entries.

Of these, they can be either 4 primaries or 3 primaries+1 extended (and then you can make inside the extended as many volumes you want, as a "chain" of partitions/volumes is used).

 

It is very possible (and it may additionally depend on the actual specific NT OS version) that disk management will behave "queerly".

 

In XP I can create 4 primary partitions fine. 

 

:duff:

Wonko



#430 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 14 April 2014 - 07:42 PM

My issue is the following :

 

-In CloneDisk, it seems that I can create as many (or least more than 4) primary partitions.

They are numbered from 1 to x.

No pb there : create and delete will be fine.

Thus : is this ok (by the book) to create N primary partitions without ever using an extended partition?

 

-In windows (7 here), it will create 3 primary partitions, then 1 extented partition and in there X logical partitions.

CloneDisk will then see for each logical partition one extended partition rigth before (numbered 0).

So already the view between Windows and CloneDisk is different.

 

The numbered 0's I cannot delete without unexpected result (altough I used the index, not the part number 0).

The logical partitions, I cannot delete without unexpected result (whether I try with the index or the part number).

 

Thus I am stuck as so far with CloneDisk I cannot  (1) create this setup nor (2) delete a partition with index above 3.

 

Damn I think I "broke" my brain for a monday evening  :)

 

Cheers,

Erwan



#431 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13694 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 15 April 2014 - 10:35 AM

Cannot say what/how clonedisk does, all I can do is provide some info.

 

The MBR has 4 partition entries (and thus you cannot have more than 4 partition entries in it, these can be either max 4 primary or max 3 primary and max 1 Extended).

By convention you cannot have more than one Extended partition.

The Partition ID for the Extended partition must be either 05 or 0F.

Whilst an entry for a primary partition points to a PBR (Partition Boot Record) or Vbr (Volume Boot Record) i..e the bootsector or first sector of the volume, the entry for the Extended Partition points to an EMBR (Extended partition Master Boot Record) or EPBR (Extended Partition Boot Record).

The EMBR has a structure similar to the MBR.

To recap, the MBR is made of 5 parts:

1.  0 to 439 <- CODE

2.  440 to 443 <- Disk Signature 4 bytes

3.  444 to 445 <- Unused

4.1 446 to 461 <- First partition entry 16 bytes

4.2 462 to 477 <- Second partition entry 16 bytes

4.3 478 to 493 <- Third partition entry 16 bytes

4.4. 494 to 509 <- Fourth partition entry

5.  510 to 511 <- Magic Bytes 55AA

The EMBR uses the SAME structure, but ONLY a few parts of it are used:

 

1.  0 to 439 <- UNUSED

2.  440 to 443 <- UNUSED

3.  444 to 445 <- Unused

4.1 446 to 461 <- First partition entry 16 bytes <- this points to the (only) volume addressed in the EMBR

4.2 462 to 477 <- Second partition entry 16 bytes <- this points to "next" EMBR (if any) and has partition ID of 05

4.3 478 to 493 <- UNUSED

4.4. 494 to 509 <- UNUSED

5.  510 to 511 <- Magic Bytes 55AA

 

In practice the Extended partition is made by a "chain" of EMBR's each one with two entries, the first being the volume inside and the second being the the next EMBR (if more than one volume is present.

So, if you have more than one volume in an Extended partition you will jave an EMBR1, and EMBR2, etc.

 

Check this (good ol' partition primer):

http://www.ranish.com/part/

since the site is not working properly I am attaching it in a form that is viewable offline.

 

Check also this:

http://technet.micro...y/cc976786.aspx

strangely enough the good MS guys provided a clear enough set of documentation and images.

 

 

:duff:

Wonko

Attached Files



#432 David Lynch

David Lynch

    Member

  • Members
  • 34 posts
  •  
    United States

Posted 15 April 2014 - 08:07 PM

I've been having errors using Offline Registry > Redetect Hardware. Tested under WinPE XP. Does not seem to work and error is something related to system.bak. Registry can be accessed offline by other tools.

 

Someone else can reproduce this error?

 

jg2t4.gif 



#433 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 15 April 2014 - 10:29 PM

Cannot say what/how clonedisk does, all I can do is provide some info.
 
The MBR has 4 partition entries (and thus you cannot have more than 4 partition entries in it, these can be either max 4 primary or max 3 primary and max 1 Extended).
By convention you cannot have more than one Extended partition.
The Partition ID for the Extended partition must be either 05 or 0F.
Whilst an entry for a primary partition points to a PBR (Partition Boot Record) or Vbr (Volume Boot Record) i..e the bootsector or first sector of the volume, the entry for the Extended Partition points to an EMBR (Extended partition Master Boot Record) or EPBR (Extended Partition Boot Record).
The EMBR has a structure similar to the MBR.
To recap, the MBR is made of 5 parts:
1.  0 to 439 <- CODE
2.  440 to 443 <- Disk Signature 4 bytes
3.  444 to 445 <- Unused
4.1 446 to 461 <- First partition entry 16 bytes
4.2 462 to 477 <- Second partition entry 16 bytes
4.3 478 to 493 <- Third partition entry 16 bytes
4.4. 494 to 509 <- Fourth partition entry
5.  510 to 511 <- Magic Bytes 55AA
The EMBR uses the SAME structure, but ONLY a few parts of it are used:
 
1.  0 to 439 <- UNUSED
2.  440 to 443 <- UNUSED
3.  444 to 445 <- Unused
4.1 446 to 461 <- First partition entry 16 bytes <- this points to the (only) volume addressed in the EMBR
4.2 462 to 477 <- Second partition entry 16 bytes <- this points to "next" EMBR (if any) and has partition ID of 05
4.3 478 to 493 <- UNUSED
4.4. 494 to 509 <- UNUSED
5.  510 to 511 <- Magic Bytes 55AA
 
In practice the Extended partition is made by a "chain" of EMBR's each one with two entries, the first being the volume inside and the second being the the next EMBR (if more than one volume is present.
So, if you have more than one volume in an Extended partition you will jave an EMBR1, and EMBR2, etc.
 
Check this (good ol' partition primer):
http://www.ranish.com/part/
since the site is not working properly I am attaching it in a form that is viewable offline.
 
Check also this:
http://technet.micro...y/cc976786.aspx
strangely enough the good MS guys provided a clear enough set of documentation and images.
 
 
:duff:
Wonko


Thanks, now it makes sense.
I wrongly assumed there was one extended part and several logical drives attached to it.
The graphical representation of the different partition managers mis led me.

I believe i can now delete and create extended partitions fine in clonedisk.

#434 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 15 April 2014 - 10:33 PM

I've been having errors using Offline Registry > Redetect Hardware. Tested under WinPE XP. Does not seem to work and error is something related to system.bak. Registry can be accessed offline by other tools.
 
Someone else can reproduce this error?
 
jg2t4.gif


The offline registry can only write to a new file (with extension .bak), not the opened one 
Hence clonedisk renaming in the background  the initial file to .old and the .bak to the initial file.
Seems that in your case this not working.
Are you running clonedisk from a read only media?

Would you have a screenshot or error log?

Thanks.


  • David Lynch likes this

#435 David Lynch

David Lynch

    Member

  • Members
  • 34 posts
  •  
    United States

Posted 17 April 2014 - 06:16 PM

Sorry by the late reply, erwan. I'm not having time to do the needed testing lately...

 

Running Clonedisk from a read/write media, a flash drive. Had no issues acessing offline registry using another tools.

 

I do not know if the message from clonedisk was a error, but does not seem to be an 'ok' EMaRr.gif 



#436 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 21 April 2014 - 07:55 PM

Sorry by the late reply, erwan. I'm not having time to do the needed testing lately...

 

Running Clonedisk from a read/write media, a flash drive. Had no issues acessing offline registry using another tools.

 

I do not know if the message from clonedisk was a error, but does not seem to be an 'ok' EMaRr.gif

 

Hi David,

 

Get me a screenshot if you can.

 

Thanks for the feedback.

 

Regards,

Erwan


  • David Lynch likes this

#437 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 21 April 2014 - 08:03 PM

CloneDisk now supports the new Windows 8.1 update 1 wimboot flag.

 

See a discussion here or here.

Microsoft page here.

 

Scenario:

 

1-Make a WinPE out of the Windows 8.1 x86 update 1 iso (I used QuickPE)

2-Boot onto this WinPE 

3-Capture a clean installation (Win 8.1 or Win 8.1 U1) using the wimboot option (ideally to another partition)

4-Format C drive

5-Apply your WIM file (from step 3) using the wimboot option

 

Note : I had to perform a bcdboot c:\windows /s c:\ after step 5. Not sure if this is related to my installation (no reserved partition).

 

-My clean install is around 13 GB.

-My wim file is around 7 GB.

-After step 5, i have "only" 3.5 GB occupied on drive C. of which near 3 gigs are taken by hyberfil.sys, pagefile.sys, swapfile.sys.

 

Regards,

Erwan

Attached Thumbnails

  • wimboot_1.png

  • David Lynch likes this

#438 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 13694 posts
  • Location:The Outside of the Asylum (gate is closed)
  •  
    Italy

Posted 25 April 2014 - 11:55 AM

Erwan,

while (and when) you are at it, with a low-low level priority, can you see, since you added the Volume Serial change to add something to view (and change) Disk Signature?

BTW, and possibly useful, since you added grub4dos booting:

http://reboot.pro/to...nsically-sound/

http://reboot.pro/to...sound/?p=177728

 

:duff:

Wonko



#439 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 26 April 2014 - 02:08 PM

Done in latest version.

 

I could have patched the bytes in the MBR but as I am playing with MS IOCTL_DISK_SET_DRIVE_LAYOUT_EX ioctl these days I took this road and it works all the same .

 

Regards,

Erwan

 

 

Attached Thumbnails

  • clonedisk_diskid.png


#440 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 26 April 2014 - 05:05 PM

At long last, I was able to compile CloneDisk for X64 environements as well.

My drive was to use it from X64 WinPE's.

 

You can download it here.

 

For now the X32 and the X64 as developped under a different version of delphi.

My personal dev computer not being migrated yet to X64, it means the X32 will always be more up to date for the next weeks.



#441 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 29 April 2014 - 07:42 PM

Following a discussion here, around imaging speed, I made a small change (increased buffer size) which on my initial tests shows a 30% speed increase when backuping/dumping a disk to an image file.

 

Does not show much change when restoring or cloning thus.

 

At some point, the buffer size could be a "hidden" parameter as I suspect different setups may be optimized for different buffer sizes.

 

And I believe there is still some little room left for improvement around speed.


  • David Lynch likes this

#442 misty

misty

    Silver Member

  • Developer
  • 703 posts
  •  
    United Kingdom

Posted 03 May 2014 - 05:06 PM

Discussion continued from here

@erwan.l
I really like the recent changes you have made. The disk imaging (Clone > Backup to Image) was fast in a recent test I did in a virtual machine and it's really useful to be able to remove unneeded features from the UI.

Is it possible to add the md5 checksum for a disk? This is very useful for verification purposes in Forensic work.

Is the Virtual Disk > MD5 Hash feature for the file selected, or the contents of the file (e.g. the MD5 checksum of the mounted disk image - useful for verifying that the disk image and disk contents are identical).

Now for some (hopefully) constructive critism. If the default settings are used (e.g. nothing is removed from the UI) then it's very easy to accidentally select an option when using the scroll buttons. As a (potentially dangerous) example if I select the Disk menu and then keep clicking on the bottom arrow to scroll through the Disk menu options I keep clicking on Wipe Disk when the arrow disappears.

Regards,

Misty

#443 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 04 May 2014 - 04:16 PM

Discussion continued from here

@erwan.l
I really like the recent changes you have made. The disk imaging (Clone > Backup to Image) was fast in a recent test I did in a virtual machine and it's really useful to be able to remove unneeded features from the UI.

Is it possible to add the md5 checksum for a disk? This is very useful for verification purposes in Forensic work.

Is the Virtual Disk > MD5 Hash feature for the file selected, or the contents of the file (e.g. the MD5 checksum of the mounted disk image - useful for verifying that the disk image and disk contents are identical).

Now for some (hopefully) constructive critism. If the default settings are used (e.g. nothing is removed from the UI) then it's very easy to accidentally select an option when using the scroll buttons. As a (potentially dangerous) example if I select the Disk menu and then keep clicking on the bottom arrow to scroll through the Disk menu options I keep clicking on Wipe Disk when the arrow disappears.

Regards,

Misty

 

MD5 Checksum on a disk? You mean on a physical disk or volume?

Need to check this but a handle is a handle so I guess pointing to a file or device should not make much change.

 

To answer your question, the current MD5 hash in CloneDisk works against the content of the file from first byte to last byte.

Hence taking some time on big files

 

About the CloneDisk GUI, indeed I have been reported a few times already that scrolling down and up the outlookbar could sometimes leads to error.

Will look into that !

 

/Erwan



#444 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 06 May 2014 - 04:31 PM

Two quick "How to backup" with CloneDisk using QuickPE (or any WinPE).

 

This one using a windows share.

This one using DevIO (from Olof) : a method which I like a lot for its speed.



#445 alacran

alacran

    Frequent Member

  • Advanced user
  • 481 posts
  •  
    Mexico

Posted 07 May 2014 - 01:09 AM

@ erwan.l

 

Two quick "How to backup" with CloneDisk using QuickPE (or any WinPE).

 

This one using a windows share.

This one using DevIO (from Olof) : a method which I like a lot for its speed.

 

The two (one) links are to same page.



#446 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 07 May 2014 - 09:02 AM

@ erwan.l

 

 

The two (one) links are to same page.

 

Thanks ! fixed.



#447 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 07 May 2014 - 05:40 PM

Discussion continued from here

@erwan.l
Now for some (hopefully) constructive critism. If the default settings are used (e.g. nothing is removed from the UI) then it's very easy to accidentally select an option when using the scroll buttons. As a (potentially dangerous) example if I select the Disk menu and then keep clicking on the bottom arrow to scroll through the Disk menu options I keep clicking on Wipe Disk when the arrow disappears.

Regards,

Misty

 

I took your remark into considerations.

Latest version (2.1.8) have been resized to 640*480 and the main screen has been reshaped so that there is no scrollbar in the outlook bar.

More over, in the worse case scenario where a user would click a wrong button by accident, there is always a confirmation asked to the user.

 

YM3uUx1.png


  • David Lynch likes this

#448 misty

misty

    Silver Member

  • Developer
  • 703 posts
  •  
    United Kingdom

Posted 08 May 2014 - 09:12 PM

@erwan.l
I've been distracted with testing and haven't checked this new version out yet - thanks however for the UI changes.

My recent tests on WinPE RAM requirements included a number of tests running Clonedisk on WinPE in low RAM virtual systems - see here for the results.

Regards,

Misty

#449 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 10 May 2014 - 04:46 PM

Clonedisk updated to version 2.2.

 

ChangeLog since previous (2.1) version :

 

modified : IOCTL_DISK_GET_DRIVE_LAYOUT_ex before IOCTL_DISK_SET_DRIVE_LAYOUT_ex when deleting/creating a part
added : check disk, next to format using fmifs.dll
added : change partition type (in partition editor)
added : change partition boot indicator (in partition editor)
added : support for wimboot (windows 8.1 update 1 option)
added : change diskid (in partition editor)
changed : increased buffersize from 64k to 512k to speed backuping process
changed : write win8.1u1 mbr and bs
added : md5 hash for file
added : hide_advanced boolean param in config.ini (options section)
added : can take screenshot of the clonedisk window
added : can remove an outlookbar button or page via the config.ini (outlookbar section)
added : can inject any MBR boot code (in mbr editor)
changed : all windows desktopcenter to screencenter
added : patch bytespersec / sectorsperclus / secreserved (in boot sector editor)
changed : bootsector patches for MSDOS5.0 (fat/fat32) as well (was only for oemid=NTFS) (in boot sector editor)
changed : changed res to 640*480
changed : one pagecontrol removed in main screen for more space
changed : disk/partition properties rewiewed (no access to mbr/bs anymore, all windows api)
added : disk/part properties in a separate window
changed : one tabsheet removed in advanced screen (disk/part properties)
added : double click on the main listview will also display the disk/part properties window
added : change diskid in (mbr editor)
changed : using IOCTL_DISK_GET_LENGTH_INFO in main screen rather than disk geometry to retrieve (correct) disk size
added : user confirmation on disk online/offline/rw/ro
added : display disk (firmware) serial number (in disk properties)
added : display disk cache information (in disk properties)
added : display disk attributes (in disk properties)
changed : update int13 unit with IOCTL_DISK_GET_DRIVE_GEOMETRY_EX instead of IOCTL_DISK_GET_DRIVE_GEOMETRY
changed : moved most disk management (GET) functions to a separate unit



#450 erwan.l

erwan.l

    Gold Member

  • Developer
  • 1937 posts
  • Location:Nantes - France
  •  
    France

Posted 13 May 2014 - 07:05 PM

Latest version (2.2.1) can backup/restore to/from EWF (encase file format).

 

For now the main benefits (to me) are

-the compression (at the expense of speed thus)

-it can be mounted later on

-it can be browsed later one

Later on, I could see other benefits :

-headers / metadatas such as author, os name, os build, description, etc

-md5/sha1

-multi threading (to get more speed)

...

 

Side note :

When imaging a physical drive, you better zeroed out the unused clusters.

 

Practical example : 

I had a 4GB usb key with 256MB datas on it which I have not fully formated for a long time : EWF backup file was 3.2 GB.

I have wiped it, done my backup again : EWF backup file was < 256MB.

 

If anyone got a tool name in mind which can zeroed out the unused clusters without having to format...

 

Feedback welcome.

 

OrltnPT.png






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users