X-Ways Replica: Drive Cloning and Drive Imaging under DOS
X-Ways Replica 2.36
A forensic examination usually should not be performed on the original subject drive. X-Ways Replica is an easy-to-use tool that is able to create a clone or image of an entire hard drive or individual hard drive partitions (with any file system). The clones and images are forensically sound, exact bit-by-bit copies, including all unused space and slack space. This enables you to perform the examination on the clone or an image instead. A full log file is optionally written for documentation purposes. ATA-protected areas (HPAs) are automatically detected and can be disabled prior to cloning. ATA password protection can be lifted knowing the password.
Most Windows environments would access the original drive without asking, once newly attached, thereby e.g. altering the last access dates of some files on the original drive. This can be avoided using X-Ways Replica, as it is DOS-based (runs in plain DOS mode), like on a DOS floppy boot disk. An MS-DOS startup disk can be created simply by formatting a floppy disk with the Windows Explorer (except in Windows 2000).
X-Ways Replica is not available any more, except on request to licensed users of Evidor and X-Ways Forensics (Replica 1.3 also to owners of a specialist license for WinHex). If you are already a holder of a specialist or forensic license of WinHex, please query your WinHex license status here to receive a copy of X-Ways Replica. Otherwise, please consider ordering a forensic WinHex license (=X-Ways Forensics) or Evidor. Please note that X-Ways Replica is not actively maintained any more.
Hints on usage:
For drive imaging, you may specify the maximum file size at which the output file will be split and another segment will be begun. This is necessary on FAT16 and FAT32 file systems with their file size limitations (2 GB or 4 GB, resp.), but also useful to prepare segments ready for backup on CD (650 MB). WinHex is able to interpret all image file segments as a single large image file if they are located in the same folder.
You may have X-Ways Replica write a log file silently instead of prompting you how to continue in case bad sectors are encountered on the source drive. The log file option is generally useful to keep exact records on which sectors/partitions were cloned, when (date and time), which sectors or partitions were selected as the destination, which sectors were copied successfully, which sectors were bad, etc.
The source and the destination hard drive must both be attached to the same system and recognized by the BIOS. The destination must be the same size or larger than the source. If this is not the case, Replica will warn you. During the cloning process you may press Esc or Ctrl+Break to abort. Remember, you must use great caution when selecting the destination drive, as all data on that drive will be lost.
Writing images on remote network drives is possible when booting with the Universal TCP/IP Network Bootdisk (we are not aware yet of a prove that it is forensically sound). After removing their floppy disk, one can insert the one with Replica and use it to create the image on a remote computer, because that remote drive will become available as a drive letter under DOS.
USB mass storage devices can be accessed with Replica if you have installed the Panasonic v2.20 ASPI Manager for USB mass storage devices as well as the Moto Hairu Mass Storage ASPI driver, which enable DOS support for USB devices compliant to either USB 1.x or USB 2.0 specification.
To install these drivers under DOS, you need to copy these drivers into the directory where config.sys resides and make changes to your config.sys file as follows:
rem load Panasonic's universal USB controller
devicehigh=USBASPI.SYS /v /w
rem load aspi mass storage driver for USB hard drives and compact flash memory cards
2.36: Clarified message after unlocking an HPA because a reboot might be necessary.
2.35: An error was fixed in the MD5 implementation for data in excess of 256 MB.
2.32: Bug fixed that tried to unlock password-protected ATA drives even when in frozen security mode
2.31: Bug fixed that accepted using arrow keys in the partition selection menu
2.3: ATA password-protected drives can be unlocked with
user or master password until system reboot if password is known.
MFS/HFS, HPFS partitions are recognized as such.
Available drive letters are listed when entering source or destination image filename with path.
Entering image filenames can be aborted any time by pressing ESC.
New menu font color light gray instead of blue.
2.2: Host protected areas (HPA): Reliable disabling
(unlocking) of HPAs, either volatile or non-volatile.
Ext2, Ext3, Reiser, Linux Swap, JFS, and XFS partitions are recognized as such.
Image segment numbering now starts with .001 (or non-numeric extension) instead of .000.
Up to 32 installed partitions can be displayed for selection (instead of 15 at max. before).
Copying selected sectors: Number of lines no longer limited (instead of 500 at max. before).2.13: Bug fixed that allowed negative reported disk size and erroneous reporting of HPA
2.12: Source and destination image files must have either '.000' as extension or a non-numerical extension. Segments with size 0 allowed in spanned images now.
2.11: Fixed: Some command-line parameters were not recognized starting in version 2.02.
2.1: Bug fixed that prevented images larger than 2 GB from being read.
2.02 & 2.01: Log entries are immediately written to file upon encounter of bad sectors.
2.0: Restoring an image file back to a disk. Calculating and logging hashes of the source data. Invoking the cloning process from the command line by means of parameters, for completely unattended operation. Option to clone only selected sectors, forwards or backwards. Audible notification (beep) of bad sectors during cloning. Additional information (like manufacturer model number) about hard disks. Detection and temporary removal of host-protected areas (HPA).
1.3: Image files created read-only. More in-progress
1.2: Disk imaging (option to write to an image file)
1.0: Log file option
0.95: "Ignore always" option fixed
0.94: Ability to work with un-partitioned hard disks
0.9: First release