clone device |
|
With this function you can clone a device and all its saved data without creating image files. The device will be saved directly and without compression on another device. A device can be a partition, a volume or an entire disk. |
|
Parameters |
|
clone_type
|
|
Notes |
|
Important! When cloning a hard disk with an MBR (Master Boot Record), the "serial number" of the target hard disk will be converted to the serial number contained in the MBR. Under certain conditions, this can lead to encrypted systems being identified as defective. When cloning, it’s possible that the drive’s properties will not be automatically applied.Under the "used sector" cloning method, encrypted drives able to be read and displayed by the current operating system will be created on the target hard disk unencrypted. The option "direct forensic sector" must be selected to apply the drive’s properties. |
|
Example |
|
<command name="clone device"> <clone_type>used sector image</clone_type> <ignored_read_errors>yes</ignored_read_errors> <target_drivenumber>2</target_drivenumber> <drivenumber>1</drivenumber> </command> <command name="clone device"> <clone_type>forensic sector image</clone_type> <target_drive_number>2</target_drive_number> <driveletter>E</driveletter> <driveletter_to_set>I</driveletter_to_set> <driveletter>F</driveletter> </command> |
convert image
|
|
Converts an existing image file in which the following settings are possible:
|
|
Parameters |
|
|
Note The original image file remains intact and will not be modified. A new image file will be created |
|
Example |
|
<command name="convert image"> <encryption_type>AES 192</encryption_type> <new_device_type>filesystem</new_device_type> <new_image_name>c:oodiconvert.omg</new_image_name> <device_type>filesystem</device_type> <image_name>C:OODIImage_I.omg</image_name> <all_sources>yes</all_sources> <new_password>password</new_password> <max_image_size>750</max_image_size> </command> <command name="convert image"> <compression_type>LZNT1 standard</compression_type> <new_device_type>filesystem</new_device_type> <new_image_name>c:oodiconvert2.omg</new_image_name> <device_type>filesystem</device_type> <image_name>C:OODIImage_I.omg</image_name> <image_object_id>6</image_object_id> <comments>extract volume I</comments> <max_image_size>-1</max_image_size> </command> |
create image |
|
Creates an image of one or more drives of one or more hard disks. Parameters |
|
|
Note |
|
When the maximum file size of the target drive's file system is reached or the target drive is full, the image file will be automatically split unless there's a maximum size set for it. |
|
Example |
|
<command name="create image"> <image_type>used sector</image_type> <compression_type>LZNT1 standard</compression_type> <device_type>filesystem</device_type> <image_name>c:OODIimage20071127.omg</image_name> <ignored_read_errors>yes</ignored_read_errors> <driveletter>E</driveletter> <driveletter>F</driveletter> <max_image_size>-1</max_image_size> <ignored_file>pagefile.sys</ignored_file> <ignored_file>hiberfil.sys</ignored_file> </command> <command name="create image"> <image_type>forensic sector</image_type> <compression_type>LZNT1 standard</compression_type> <encryption_type>AES 128</encryption_type> <checksum_type>none</checksum_type> <device_type>filesystem</device_type> <image_name>c:OODIimage20071128.omg</image_name> <ignored_read_errors>yes</ignored_read_errors> <drivenumber>1</drivenumber> <password>PASSWORT</password> <comments>complete forensic image</comments> <max_image_size>-1</max_image_size> <ignored_file>pagefile.sys</ignored_file> <ignored_file>hiberfil.sys</ignored_file> </command> |
create incremental |
|
Creates an incremental image.An image will be created which contains only the changes made to a selected existing image. |
|
Parameters |
|
|
Note |
|
If the parameter „hash_unchanged_data“ with „true“ or „yes“ is applied during the imaging process of the incremental image, this incremental image can be used as the base image for successive incremental images. You will otherwise require all previous images to create a new incremental image. The parameter "ignored_file" represents an extension to existing ignored files on the base image. |
|
Example |
|
<command name="create incremental"> <device_type>filesystem</device_type> <image_name>C:OODIImage_I.omg</image_name> <compression_type>LZNT1 standard</compression_type> <new_device_type>filesystem</new_device_type> <new_image_name>c:oodiIncrement_Image_I.omg </new_image_name> <hash_unchanged_data>yes</hash_unchanged_data> <ignored_read_errors>yes</ignored_read_errors> <max_image_size>-1</max_image_size> <ignored_file>pagefile.sys</ignored_file> <ignored_file>hiberfil.sys</ignored_file> </command> |
dismount image |
|
Unmounts a mounted image file as a virtual drive. |
|
Parameters |
|
|
Example |
|
<command name="dismount image"> <drivenumber>3</drivenumber> </command> |
mount image |
|
Mounts an image file as a virtual drive. |
|
Parameters |
|
|
Notes |
|
Changes such as adding or deleting files are not possible on image files. When mounting the image of an entire drive, it’s not possible to assign any drive letters. When mounting an entire hard disk, the original layout will be displayed, i.e., it will be identified by operating system partitions not contained in the image file. These drives, partitions/volumes are not formatted and cannot be accessed using, for example, Windows Explorers. |
|
Example |
|
<command name="mount image"> <device_type>filesystem</device_type> <image_name>C:OODIImage_I.omg</image_name> <image_object_id>1</image_object_id> </command> <command name="mount image"> <device_type>filesystem</device_type> <image_name>C:OODIImage_I.omg</image_name> <image_driveletter>F</image_driveletter> <password>passwort</password> <driveletter_to_set>I</driveletter_to_set> </command> |
restore image |
|
Restores data from an image file onto one or more drives. |
|
Parameters |
|
|
Notes |
|
Important! During the restoration process, the image will overwrite your target drive with the drive data saved on the image. All data saved on the target drive is thereby lost and replaced by that of the image. If the parameter "clear_target_drive" was set to true or yes, a confirmation dialogue about deleting the target volume system will not appear! If the source hard disk is still contained in the current system and the image will not be restored on it, the serial number of the target hard disk will be converted into the serial number of a hard disk with an MBR. Under certain conditions, this can lead to encrypted systems being identified as defective. |
|
Example |
|
<command name="restore image"> <device_type>filesystem</device_type> <image_name>C:OODIImage_I.omg</image_name> <target_drivenumber>2</target_drivenumber> <image_drivenumber>1</image_drivenumber> <clear_target_drive>yes</clear_target_drive> </command> <command name="restore image"> <device_type>filesystem</device_type> <image_name>C:OODIImage_I.omg</image_name> <target_driveletter>I</target_driveletter> <image_object_id>8</image_object_id> </command> |
validate image |
|
This function checks the structural integrity of an image file. It will examine whether the required logical structure is intact or undamaged. In addition, encrypted and/or compressed images will be checked to determine if decryption or decompression is possible without error. |
|
Parameters |
|
|
Example |
|
<command name="validate image"> <device_type>filesystem</device_type> <image_name>c:OODIimage20071127.omg</image_name> <all_splits>yes</all_splits> </command> |