Scriptinterface Product manual

Sector-based imaging functions

clone device
With this function you can clone a device and all its saved data without creating image files. The device will be saved directly and without compression on another device. A device can be a partition, a volume or an entire disk.

Parameters

clone_type

  • { devicename | driveletter | drivenumber | serialnumber | begin }
  • { target_devicename | target_driveletter | target_drivenumber | target_serialnumber | target_begin }
  • [ ignored_file_pattern | ignored_file ]
  • [ driveletter_to_set ]
  • [ force_dismount | snapshot | vss ]
  • [ ignored_read_errors ]
  • [ set_bootable_partition_bootable ]
  • [ clear_target_drive | append_on_target_drive ]
  • [ chs_alignment ]
  • [ write_data_directly ]
  • [ automatically_checkdisk ]
  • [ overwrite_target_data ]
  • [ ignore_snapshot_cache_overflow ]
  • [ automatically_convert_multi_disk_volumes ]
  • [ automatically_create_target_drive_like_source_drive ]
  • [ fill_empty_blocks ]

Notes

Important!
By using the parameter "clear_target_drive", all drives on the target drive will be deleted and overwritten with the data of the clone.

When cloning a hard disk with an MBR (Master Boot Record), the "serial number" of the target hard disk will be converted to the serial number contained in the MBR. Under certain conditions, this can lead to encrypted systems being identified as defective.

When cloning, the drive’s properties may not be applied automatically. With the "used sector" cloning method, encrypted drives that the current operating system can read and display will be created unencrypted on the target hard disk. The option "direct forensic sector" must be selected to apply the drive’s properties.

Example
<command name="clone device">
<clone_type>used sector image</clone_type>
<ignored_read_errors>yes</ignored_read_errors>
<target_drivenumber>2</target_drivenumber>
<drivenumber>1</drivenumber>
</command>
<command name="clone device">
<clone_type>forensic sector image</clone_type>
<target_drivenumber>2</target_drivenumber>
<driveletter>E</driveletter>
<driveletter_to_set>I</driveletter_to_set>
<driveletter>F</driveletter>
</command>

convert image

Converts an existing image file. The following settings are possible:

  • Change the compression or encryption of an existing image
  • Merge images of the same kind, also incremental images, to form a new image
  • Split the image
  • Extract certain partitions of the image and image them separately

Parameters

  • compression_type
  • encryption_type
  • new_image_name
  • new_device_type
  • device_type
  • image_name
  • [ new_password ]
  • [ password ]
  • [ comments ]
  • [ max_image_size ]
  • { image_object_id | image_driveletter | image_drivenumber | image_serialnumber | image_begin | all_sources }
  • [ uncompressed_file ]
  • [ automatically_validate_image ]
  • [ automatically_overwrite_image ]
  • [ ignore_data_modification ]
  • [ target_image_type ]

Note
The original image file remains intact and will not be modified. A new image file will be created with the selected settings.

Example
<command name="convert image">
<encryption_type>AES 192</encryption_type>
<new_device_type>filesystem</new_device_type>
<new_image_name>c:\oodi\convert.omg</new_image_name>
<device_type>filesystem</device_type>
<image_name>C:\OODI\Image_I.omg</image_name>
<all_sources>yes</all_sources>
<new_password>password</new_password>
<max_image_size>750</max_image_size>
</command>
<command name="convert image">
<compression_type>LZNT1 standard</compression_type>
<new_device_type>filesystem</new_device_type>
<new_image_name>c:\oodi\convert2.omg</new_image_name>
<device_type>filesystem</device_type>
<image_name>C:\OODI\Image_I.omg</image_name>
<image_object_id>6</image_object_id>
<comments>extract volume I</comments>
<max_image_size>-1</max_image_size>
</command>

create image

Creates an image of one or more drives of one or more hard disks.

Parameters

  • image_type
  • compression_type
  • encryption_type
  • checksum_type
  • device_type
  • image_name
  • [ password ]
  • [ comments ]
  • [ max_image_size ]
  • [ force_dismount | snapshot | vss ]
  • { devicename | driveletter | drivenumber | serialnumber | begin | system_volume | data_volumes }
  • [ ignored_file_pattern | ignored_file ]
  • [ uncompressed_file ]
  • [ ignored_read_errors ]
  • [ ignore_invalid_free_size_appointment ]
  • [ automatically_validate_image ]
  • [ automatically_overwrite_image ]
  • [ target_image_type ]
  • [ ignore_snapshot_cache_overflow ] 
  • [ automatically_convert_to_vhd ]

Note
When the maximum file size of the target drive's file system is reached or the target drive is full, the image file will be automatically split unless there's a maximum size set for it.

Example
<command name="create image">
<image_type>used sector</image_type>
<compression_type>LZNT1 standard</compression_type>
<device_type>filesystem</device_type>
<image_name>c:\OODI\image20071127.omg</image_name>
<ignored_read_errors>yes</ignored_read_errors>
<driveletter>E</driveletter>
<driveletter>F</driveletter>
<max_image_size>-1</max_image_size>
<ignored_file>pagefile.sys</ignored_file>
<ignored_file>hiberfil.sys</ignored_file>
</command>
<command name="create image">
<image_type>forensic sector</image_type>
<compression_type>LZNT1 standard</compression_type>
<encryption_type>AES 128</encryption_type>
<checksum_type>none</checksum_type>
<device_type>filesystem</device_type>
<image_name>c:\OODI\image20071128.omg</image_name>
<ignored_read_errors>yes</ignored_read_errors>
<drivenumber>1</drivenumber>
<password>PASSWORT</password>
<comments>complete forensic image</comments>
<max_image_size>-1</max_image_size>
<ignored_file>pagefile.sys</ignored_file>
<ignored_file>hiberfil.sys</ignored_file>
</command>

create incremental

Creates an incremental image, that is, an image which contains only the changes made to a selected existing image.

Parameters

  • device_type
  • image_name
  • compression_type
  • encryption_type
  • new_image_name
  • new_device_type
  • [ password ]
  • [ new_password ]
  • [ comments ]
  • [ max_image_size ]
  • [ force_dismount | snapshot | vss ]
  • [ hash_unchanged_data ]
  • [ ignored_file_pattern | ignored_file ]
  • [ ignore_data_modification ]
  • [ ignored_read_errors ]
  • [ ignore_invalid_free_size_appointment ]
  • [ automatically_validate_image ]
  • [ automatically_overwrite_image ]
  • [ change_initial_condition ]
  • [ target_image_type ]
  • [ ignore_snapshot_cache_overflow ]

Note
If the parameter "hash_unchanged_data" is set to "true" or "yes" when the incremental image is created, this incremental image can be used as the base image for successive incremental images. Otherwise, you will need all previous images to create a new incremental image. The parameter "ignored_file" extends the list of files already ignored in the base image.

Example
<command name="create incremental">
<device_type>filesystem</device_type>
<image_name>C:\OODI\Image_I.omg</image_name>
<compression_type>LZNT1 standard</compression_type>
<new_device_type>filesystem</new_device_type>
<new_image_name>c:\oodi\Increment_Image_I.omg</new_image_name>
<hash_unchanged_data>yes</hash_unchanged_data>
<ignored_read_errors>yes</ignored_read_errors>
<max_image_size>-1</max_image_size>
<ignored_file>pagefile.sys</ignored_file>
<ignored_file>hiberfil.sys</ignored_file>
</command>

dismount image

Unmounts an image file that is mounted as a virtual drive.

Parameters

  • { devicename | driveletter | drivenumber | all_sources }

Example

<command name="dismount image">
<drivenumber>3</drivenumber>
</command>

mount image

Mounts an image file as a virtual drive.

Parameters

  • device_type
  • image_name
  • [ password ]
  • { image_object_id | image_driveletter | image_drivenumber | image_begin | all_sources }
  • [ driveletter_to_set ]

Notes
Changes such as adding or deleting files are not possible on image files. When mounting the image of an entire drive, it’s not possible to assign any drive letters.

When mounting an entire hard disk, the original layout will be displayed, i.e., the operating system will also show partitions that are not contained in the image file. These partitions/volumes are not formatted and cannot be accessed using, for example, Windows Explorer.

Example
<command name="mount image">
<device_type>filesystem</device_type>
<image_name>C:\OODI\Image_I.omg</image_name>
<image_object_id>1</image_object_id>
</command>
<command name="mount image">
<device_type>filesystem</device_type>
<image_name>C:\OODI\Image_I.omg</image_name>
<image_driveletter>F</image_driveletter>
<password>passwort</password>
<driveletter_to_set>I</driveletter_to_set>
</command>

restore image

Restores data from an image file onto one or more drives.

Parameters

  • device_type
  • image_name
  • [ password ]
  • { target_devicename | target_driveletter | target_drivenumber | target_serialnumber | target_begin }
  • [ driveletter_to_set ]
  • { image_object_id | image_driveletter | image_drivenumber | image_begin }
  • [ set_bootable_partition_bootable ]
  • [ clear_target_drive ]
  • [ fill_empty_blocks ]
  • [ append_on_target_drive ]
  • [ chs_alignment ]
  • [ ignored_read_errors ]
  • [ ignore_data_modification ]
  • [ write_data_directly ]
  • [ overwrite_target_data ]
  • [ automatically_convert_multi_disk_volumes ]
  • [ automatically_create_target_drive_like_source_drive ]

Notes

Important!
During the restoration process, the image will overwrite your target drive with the drive data saved on the image. All data saved on the target drive is thereby lost and replaced by that of the image. If the parameter "clear_target_drive" was set to true or yes, a confirmation dialogue about deleting the target volume system will not appear!

If the source hard disk is still contained in the current system and the image will not be restored on it, the serial number of the target hard disk will be converted into the serial number of a hard disk with an MBR. Under certain conditions, this can lead to encrypted systems being identified as defective.

Example
<command name="restore image">
<device_type>filesystem</device_type>
<image_name>C:\OODI\Image_I.omg</image_name>
<target_drivenumber>2</target_drivenumber>
<image_drivenumber>1</image_drivenumber>
<clear_target_drive>yes</clear_target_drive>
</command>
<command name="restore image">
<device_type>filesystem</device_type>
<image_name>C:\OODI\Image_I.omg</image_name>
<target_driveletter>I</target_driveletter>
<image_object_id>8</image_object_id>
</command>
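
Added example, not part of the original manual or of the product: a small Python pre-flight check for script fragments that flags the settings the "clone device" and "restore image" notes warn about (clear_target_drive, "used sector" cloning of encrypted drives), passwords stored in the script, and "clone device" elements that are not in the documented parameter list. The <wrapper> element, the finding names and the sample fragment are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Parameter names for "clone device", copied from the parameter list on this page.
CLONE_PARAMS = set("""clone_type devicename driveletter drivenumber serialnumber begin
target_devicename target_driveletter target_drivenumber target_serialnumber target_begin
ignored_file_pattern ignored_file driveletter_to_set force_dismount snapshot vss
ignored_read_errors set_bootable_partition_bootable clear_target_drive chs_alignment
append_on_target_drive write_data_directly automatically_checkdisk fill_empty_blocks
overwrite_target_data ignore_snapshot_cache_overflow
automatically_convert_multi_disk_volumes automatically_create_target_drive_like_source_drive""".split())

def audit(fragment):
    """Return sorted (command name, finding) pairs for a run of <command> elements."""
    # <wrapper> is only a parsing aid (assumption), not part of the script format.
    root = ET.fromstring("<wrapper>" + fragment + "</wrapper>")
    findings = set()
    for cmd in root.iter("command"):
        name = cmd.get("name", "")
        value = lambda tag: (cmd.findtext(tag) or "").strip().lower()
        if name in ("clone device", "restore image") and value("clear_target_drive") in ("yes", "true"):
            findings.add((name, "TARGET_WIPED"))  # on restore, no confirmation dialogue appears
        if name == "clone device":
            if value("clone_type").startswith("used sector"):
                findings.add((name, "USED_SECTOR_CLONE"))  # readable encrypted drives land unencrypted
            for child in cmd:
                if child.tag not in CLONE_PARAMS:
                    findings.add((name, "UNDOCUMENTED_PARAMETER:" + child.tag))
        if any(cmd.find(tag) is not None for tag in ("password", "new_password")):
            findings.add((name, "PASSWORD_IN_SCRIPT"))
    return sorted(findings)

# Constructed sample fragment (hypothetical values), not taken from the manual.
SAMPLE = """
<command name="clone device">
<clone_type>used sector image</clone_type>
<target_drive_number>2</target_drive_number>
<drivenumber>1</drivenumber>
<clear_target_drive>yes</clear_target_drive>
</command>
<command name="restore image">
<device_type>filesystem</device_type>
<image_name>image.omg</image_name>
<password>example-only</password>
<clear_target_drive>true</clear_target_drive>
</command>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```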

validate image

This function checks the structural integrity of an image file. It will examine whether the required logical structure is intact or undamaged. In addition, encrypted and/or compressed images will be checked to determine if decryption or decompression is possible without error.

Parameters

  • device_type
  • image_name
  • [ all_splits ]
  • [ password ]
  • [ image_object_id ]
  • [ ignore_data_modification ]

Example
<command name="validate image">
<device_type>filesystem</device_type>
<image_name>c:\OODI\image20071127.omg</image_name>
<all_splits>yes</all_splits>
</command>