Diskimag




Author: Dan Mares, dmares @ maresware . com (you will be asked for e-mail address confirmation)
Portions Copyright © 1998-2021 by Dan Mares and Mares and Company, LLC
Phone: 678-427-3275


Purpose

This program MUST be named diskimag.exe. It has internal checks on its name, and if the program is not named properly it will not operate.

The program is designed to be used by criminal investigators needing to make a copy or copies of suspect floppy disks onto a hard drive for forensic analysis.

It can also be used to make a copy of a disk onto a hard drive which can later be restored to as many floppies as necessary.

After you have copied the contents of the disk to the hard drive, you can use the program Strsrch to search for strings in the file(s) that are created. This procedure is much faster than searching the diskette.

Diskimag is also capable of running auxiliary programs which allow you to do the following operations: catalog the files using diskcat or hash; do a logical file copy of the directory structure to a hard disk; check for a MIRROR file on the floppy; run SEEJUNK and DUMPFREE to capture all free and slack space.

The program can do a number of different operations. It can make the image. It can make a self-replicating executable (meaning the output is itself a program which can re-create the original disk). And it can compress either the image or the self-replicating executable (-c option).

It can also detect and image Linux file system and MAC hi density disks.

NT Anomaly

The current version will work under NT. It will not detect disk changes when run under NT.

There is an NT/32 bit version called NTIMAGE that will not only image floppy disks, it will image Zip and Jaz drives when run on an NT operating system.

WIN9X Anomaly:

WIN9x buffers data differently, and often corrupts the image. Tests should be run to see if the user's WIN 9X setup exhibits this problem.



Operation

The program obtains from the command line a disk drive letter (A: or B:) into which suspect floppy disks will be placed. Or, if the -A (ALL DRIVE option) is used, then the program will process disks in both the A: and B: drive. It also obtains on the command line the hard drive letter (C: or higher) and name of an output file to place the contents (image) of the floppy disk to.

The name of the output file should only contain a filename (with path if necessary) without an extension. The program creates its own unique numerical extension based on the file name. Any filename extension (if provided) is ignored. (see -b or -s option)

As each floppy disk is read, its image (track by track) is copied to the hard drive under the file name provided by the user. It generates a numerical extension beginning with 000 and increasing sequentially as more images are created.

If a single disk drive is being used, when the program finishes reading a disk, it starts emitting beeps to notify the user to replace the current disk with the next in the series (assuming you have more than one disk to copy). When the next disk is inserted into the drive, the program detects this (after a short 1-2 second delay) and begins to copy its contents to the output. If too long a time has elapsed (30 seconds) between the end of one disk operation and replacing that disk, the user will be prompted to hit a return.

Each disk is copied to a separate output file with different/unique alphanumeric extensions beginning with 000. This is where the numerical generated file extension is used. Each extension is sequentially numbered after the previous one so that each input disk results in a completely separate and unique output file name on the hard disk. (And if any of the -xh options are used, it results in unique names and directories being created). After the sequence reaches 009, it continues with A-Z, until 00Z. Then it increments to 010 and continues.



Using Both Disk Drives

Both Disk Drives have been discontinued

If the -A, (ALL DISK DRIVE) option is used, the program processes the disk in drive A: first. When that disk is finished, it looks for a new disk in drive B:. If it does not find one in drive B: it looks in drive A:. The program keeps “flip flopping” drives until it finds a new disk to process, or a minute has gone by with no disk change. At that point, the program ends. (Using a "control C" at any time will abort the program). After each disk is processed, it searches again for a new disk to process, and when it finds one, processes it.

All of the options that execute other programs (-x, -h) have not been thoroughly tested with this option. Because the input drive is constantly being changed with this option, some of these other options may have problems executing correctly. You should determine if a particular option is compatible before putting it into production.




Non-standard disk formats

If the program detects a non-standard format, it attempts to determine if it is a LINUX EXT2, or MAC formatted disk. If this fails, it does some crunching and tries to determine the actual number of sectors on the disk, and the number of tracks. If it can do that, it will process the disk and make an image. However, the reverse process has not been tested and is not guaranteed to work.

If a LINUX or MAC disk is encountered and the -x or -h options were asked for, those options are immediately turned off (obviously you can’t catalog those types of disks), and NOT turned back on.


Running Diskcat from within Diskimag

A -x (eXecute diskcat) option allows you to image the disk, and after the image is created it will run the diskcat program to catalog the disk files. I strongly suggest users make use of this option to provide not only a catalog of files, but a checksum for later validation purposes.

To run the -x option, you will need an ascii text file with the command line for the diskcat program. Do NOT include the word 'diskcat.'

Create a text file with all the options, filenames, etc., just as you would be entering it for the Diskcat program. Diskimag takes the file contents and sends it literally to diskcat. It automatically initiates the -I option in Diskcat. Don’t forget the -a or -O option so that the output file will be appended to. Otherwise you will lose all your outputs.

The -I disk labels option matches the filename and sequence number of the files created with Diskimag so they can be cross referenced later on. Ex., if the diskimag file is called  room1.001, then the label on the Diskcat data line will be   room1001. Diskcat puts the label at the end of the record.

A sample Diskcat command line might be: -O diskcat.out
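The extension sequence from the Operation section and the -I label described above can be used to check that a set of images is complete and to match each image to its Diskcat record. The following is an added example, not part of Diskimag; it assumes all three extension positions use the same 0-9, A-Z alphabet (the page documents only the rollover from 00Z to 010), and the file names are constructed.

```python
# Added example, not part of Diskimag: order image files by the documented
# extension sequence, find gaps, and derive the Diskcat -I label.
import string

# Assumption: every position counts 0-9 then A-Z (only 009 -> 00A -> 00Z -> 010
# is documented). With the numeric-only option only the digits 0-9 are used.
ALNUM = string.digits + string.ascii_uppercase

def ext_to_index(ext, numeric_only=False):
    """Position of a 3-character extension in the sequence (000 -> 0)."""
    ext = ext.upper()
    alphabet = string.digits if numeric_only else ALNUM
    if len(ext) != 3 or any(c not in alphabet for c in ext):
        raise ValueError(f"not a Diskimag sequence extension: {ext!r}")
    index = 0
    for c in ext:
        index = index * len(alphabet) + alphabet.index(c)
    return index

def index_to_ext(index, numeric_only=False):
    """Inverse of ext_to_index."""
    alphabet = string.digits if numeric_only else ALNUM
    if not 0 <= index < len(alphabet) ** 3:
        raise ValueError("index outside the 3-character range")
    chars = []
    for _ in range(3):
        index, r = divmod(index, len(alphabet))
        chars.append(alphabet[r])
    return "".join(reversed(chars))

def diskcat_label(filename):
    """room1.001 -> room1001 (file name followed by the sequence extension)."""
    base, _, ext = filename.rpartition(".")
    return base + ext

def audit(filenames, numeric_only=False):
    """Return (files in sequence order, extensions missing between first and last)."""
    by_index = {ext_to_index(f.rpartition(".")[2], numeric_only): f for f in filenames}
    ordered = [by_index[i] for i in sorted(by_index)]
    lo, hi = min(by_index), max(by_index)
    missing = [index_to_ext(i, numeric_only) for i in range(lo, hi + 1) if i not in by_index]
    return ordered, missing

# Constructed sample: listing of one imaging session, in directory order.
SAMPLE = ["room1.00A", "room1.000", "room1.010", "room1.009", "room1.00Z", "room1.00B"]

if __name__ == "__main__":
    ordered, missing = audit(SAMPLE)
    for name in ordered:
        print(name, diskcat_label(name))
    print("missing:", missing)
```

A plain alphabetical sort would place room1.010 before room1.00A, which is why the sequence index is computed rather than sorting the names directly.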



Running HASH from Within Diskimag

Option -h (execute Hash) allows you to run the Hash program on each disk processed (in a similar way that the -x option does for Diskcat). It will run the Hash program to create hashes and catalog the disk files, effectively doing three steps in one (image, hash and catalog). I strongly suggest users make use of this or the Diskcat (-x) option. (Don’t use both; they are mutually exclusive.)

To run the -h option, you will need an ascii text file with the command line for the Hash program (it must NOT contain the word 'Hash'). Create a text file with all the options, filenames, etc., just as you would be entering it for the Hash program. Diskimag takes the file contents and sends it literally to Hash.

Again, don’t forget to use the -O or -a option with the output file name of the hash command line that is included in the text file provided to the -h option. A sample Hash command line might be: -O c:hashes.out



Running Mxcopy from within Diskimag

An option (-z) allows you to do an XCOPY type of copy of all the logical files on the floppy to the current default output subdirectory on the hard drive.  In the current default output working directory the program creates a subdirectory with a name matching the image file name. Then, within this subdirectory, the program copies the logical file structure of the floppy disk. The unique subdirectory is created to enable you to keep track of many different disks processed at the same time. Unlike an XCOPY of the files, MXCOPY.exe copies all system and hidden files also.


Checking for MIRROR files from within Diskimag

An option (-m) will attempt to detect a MIRROR file on the disk. A mirror file is useful in case the disk was recently reformatted and may still contain useful information.


This is a summary of the options:

The hash (-h) will create hashes and catalog files

The diskcat (-x) will catalog files from the floppy

The mxcopy (-z) will copy all logical files from the floppy

The seejunk (-s) will retrieve all the slack space off the floppy

The dumpfree (-f) will capture all the free space off the floppy.

The mirror (-m) will detect a previously formatted mirror file.

All of this is done at the same time, and all the output filenames are geared to match the initial Diskimag output file name.

You can also put some of this into a batch file and obtain enormous efficiency in processing floppy disks. Here is a sample of the batch file that might be used:

*************************************
@echo off
rem this is the batch file for processing floppy disks
 
diskimag -i a: -o images -x comm
a_generic_sort_program diskcat.out diskcat.srt /39:20 /17:12
strsrch -f images.* -s strings -o strsrch.out -i

rem this is the contents of the "comm" file which diskcat will execute
rem -c -aO diskcat.out
rem the generic sort program referenced is called “rpsort” and is shareware. You will need to obtain it yourself.
*************************************



Command Lines

C:>diskimag -o c:imagout
(create simple output file)

C:>diskimag -i a: -o c:output_file  -1
(single disk input)

C:>diskimag a: c:output_file -b 9
(begin numbering at 10, don’t ask.)

C:>diskimag a: c:output_file -x diskcat_cmd.fle
(execute diskcat)

C:>diskimag a: c:output_file -h hash_cmd.fle
(execute hash)

C:>diskimag -A imagout -e
(make .exe out of output file)

C:>diskimag image.000 a:
(take an image.000 and restore it to the a: drive)

C:>diskimag -t image.000
(transform the image.000 to an executable)



Options

The program name by itself, or with -q option will obtain a help screen. (Slashes ‘/’ are allowed in place of dashes in this program.)

-i + drive     The drive is the input drive (only A: or B: are valid) where you are placing the suspect disks. Disk changes will be detected. (If this option is omitted, and no drive letter is provided, the first disk drive with a disk in it is used as the drive to image).

-A     Process disks in ALL available disk drives (assuming there are A: and B: disk drives). The system will attempt to detect which disk drive has a "new" disk in it and process that disk. The program “flip flops” from drive to drive until it finds a "new" disk to process.

-o + dr:output_filename    Output filename is the complete drive and filename (without extension) you want the output to be placed into. If you are running the program from a hard disk drive, it will be the default. Otherwise a drive must be included in the filename. Drive A: and B: are never allowed to be output drives. Output file names are NEVER overwritten. If a file of the same name and extension is found, then a new extension is used with the next higher free extension sequence. This allows multiple sessions to be run without overwriting existing files. This output_filename is used to generate filenames used with the -zh options.

NOTE on using -i and -o    The program is generally smart enough that you can merely use the drive letter (A:) and an output file name (outputname) without any option designators (-i -o). The program first searches for a file of the name outputname. If it doesn’t find one, it naturally assumes this is to be a new output name. So, it generates an extension and creates the output name. Naturally, if it has to create an output, that must mean the A: stands for the input drive where the disks are located. So you need to have a disk in the drive. Actually the program will work fine with merely an output name. It will search for a disk in a drive. Now, if the output name belongs to a valid file (ex., image1.000), and if you didn't use a -i or -o, then it assumes that because this file exists, it must be input. In that case, the A: must be the output, which means it will attempt to write the file to the diskette. So the simplest command line of all is:

C:>diskimag output

-c    Compress the output file. Depending on the contents of the disk this can create a very small file. A completely empty disk will generate a file of about 9K in size. Caution should be used with this option. If you ever lose the Diskimag program, you will never get the disk contents uncompressed. The compression format is not standard. Only use this option if you have control of the original disk.

-e    Make the output a self-replicating executable. A driver program of about 160K is prepended to the image which will create an .exe file. This resulting .exe is a stand-alone, self-replicating copy of the original diskette. If necessary, the tail end of the file can be manually extracted to obtain the original image. Use the -e options if you want to transport a self-replicating copy of the disk. (NOTE: If this option is used, only one input disk is allowed because you can’t sequence the output extension when it is assumed to be .exe).

-C    Create an output file with basename of the -o option, which contains the final CRC of the diskette being imaged. If more than one diskette is imaged with same basename (-o xxx), then this file contains references to all the diskette CRCs.

-m    The -m (MIRROR) option will attempt to detect if the floppy disk being imaged has a (M)irror file on it. If it does, a message is placed in the diskimag.err file.

-n + no   Replace the no. with the number of disks you wish to create from the image. The program will prompt you for new disks until the specified number of output disks is reached. It does NOT format destination disks, so make certain they are the correct size and are pre-formatted. (The NT version will do a format.)

-b + extension number     Begin the next output file with this extension number. The number MUST be 2 or higher. You CANNOT enter a 0 or 1.

-s     Normally the outputs are sequenced using alpha numeric from 000-00Z. If you do NOT want alpha characters showing up in the extension of the output file name, use the -s option. This instructs the program to sequence only numeric.

-x + filename of the text file containing the command line for the diskcat program    Do NOT include the word 'diskcat.' Diskcat will execute the command line found in this file. Sample file contents: (ex., -c -o diskcat.out ). Note: Only one of the two (-x or -h) options can be run at any one time.

-h + filename of the text file containing the command line for the Hash program    Do NOT include the word 'hash.' Hash will execute the command line found in this file. Sample file contents: (ex., -o hash.out ). Note: Only one of the two (-x or -h) options can be run at any one time.

-t + imagefilename.xxx    If you have an image file that was previously created, (ex., image.000), you can turn that into a self-replicating .exe with this command. The -t option transforms an image to a self-replicating executable. Use this option if you forgot to use the -e when the images were created. This option is to be used only by itself and not combined with any others.

-s    Run seejunk.exe and capture slack to a file with extension (.jnk)

-f    Run dumpfree.exe and capture free space to a file with extension (.dmp)

-z    Run mxcopy.exe, make a subdirectory of the current directory on the hard drive, and do a logical file copy of the floppy disk tree structure to the new subdirectory.

-1    If you only have one disk to process, the -1 is used to automatically stop without checking for disk changes. [This is the number 'one(1)', not the letter 'L.']

-N     If you just want to test the program and don’t want to take the time to image the diskettes, use this option. It doesn’t create images, just empty file numbers.
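The -e option above notes that the tail end of a self-replicating file can be manually extracted to obtain the original image. The following is an added example of that extraction, not code from Diskimag: it assumes the image is uncompressed (-c not used) and the diskette was FAT formatted, and it finds the driver length by testing each standard floppy capacity rather than relying on the approximate 160K figure. The sample file is constructed.

```python
# Added example, not Diskimag code. Assumes -c was not used and the diskette
# was FAT formatted; the stub length is derived, not assumed.
import hashlib

# Raw capacities of the standard PC floppy formats, in bytes.
FLOPPY_SIZES = {"360K": 368_640, "720K": 737_280, "1.2M": 1_228_800,
                "1.44M": 1_474_560, "2.88M": 2_949_120}

def looks_like_fat_boot_sector(sector):
    """True for a 0x55AA signature at offset 510 plus an x86 jump at offset 0."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xaa":
        return False
    return sector[0] == 0xE9 or (sector[0] == 0xEB and sector[2] == 0x90)

def carve_image(exe_bytes):
    """Return (format, stub_length, image_bytes), or None if not exactly one fit."""
    matches = []
    for name, size in FLOPPY_SIZES.items():
        stub_len = len(exe_bytes) - size
        if stub_len <= 0:
            continue                      # file too small to hold this format
        tail = exe_bytes[stub_len:]
        if looks_like_fat_boot_sector(tail[:512]):
            matches.append((name, stub_len, tail))
    return matches[0] if len(matches) == 1 else None   # ambiguous: check by hand

def build_sample():
    """Constructed stand-in: a 160K dummy stub followed by a blank 1.44M image."""
    boot = b"\xeb\x3c\x90" + b"MSDOS5.0" + bytes(499) + b"\x55\xaa"
    image = boot + bytes(FLOPPY_SIZES["1.44M"] - len(boot))
    stub = b"MZ" + bytes(160 * 1024 - 2)
    return stub + image, image

if __name__ == "__main__":
    exe, original = build_sample()
    name, stub_len, carved = carve_image(exe)
    print(name, "image found after a", stub_len, "byte stub")
    # The carved tail should hash the same as an image made without -e.
    print(hashlib.sha256(carved).hexdigest() == hashlib.sha256(original).hexdigest())
```

Work on a copy of the .exe, and compare the hash of the carved image with any hash recorded when the diskette was first imaged before relying on it.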



Diskmak Function

This is not really a separate program. It is just an added function of the Diskimag program. If the input file name found on the command line is a valid file, it is assumed to be an image file. If this is the case, the program automatically takes the contents of the file and puts it on the diskette. Many of you who are familiar with the old Diskmak program are familiar with this operation. It has now been combined into one program.

Similarly, the outdated IMAG2EXE and IMAG2CMP programs have also been included in this new Diskimag program. So you have all the functionality of 4 programs in one.



Related Programs

Disk crc

Diskcat

Mxcopy
