Saturday, February 21, 2009

Macrium Reflect: free drive imaging software

I deal a lot at work with drive imaging.

I prefer using Microsoft’s ImageX tool.  Clonezilla is also used as an alternative imaging method. I find it useful to give our techs multiple methods to image a system.  This allows flexibility if hardware issues make one method less reliable or problematic (usually due to available system RAM).

Both are “file based” imaging tools rather than “sector based” tool.  Therefore they aren’t useful for forensic drive imaging, but that’s another post.

Anyway, I came across Macrium Reflect FREE Edition which looked interesting as it contains some neat options:

  • Create a disk image whilst running Windows using Microsoft Volume Shadow copy Service (VSS).
  • Image to Network, USB, FireWire drives and DVD.
  • Built in scheduler.
  • 32 bit and native 64 bit versions.
  • Industry leading compression levels and speed.
  • Linux based Rescue CD with Network access and full GUI. Only 6.5MB in size!
  • Built in CD/DVD packet writing engine. Supports packet writing to DVD DL media with Windows Vista.
  • HTML log files.
  • Being able to image running systems, to a network share, on a schedule sounds pretty cool.  It looks like it also falls into the “file-based” imaging category of image software.

    Restoration can be done with either a Linux of WinPE based disk.  The tool has a wizard to assist you in the process.

    There is a nice review here where I learned about the tool:

    It reminded me quite a bit of the DriveImage XML Backup software I also am familiar with.

    Has anyone used or formed an opinion on Macrium Reflect?  If time allows, I plan to test it out next week.

    For a big list of other disk imaging software check out this GSD post:

    FYI,

    --Claus V.

    6 comments:

    Joe said...

    Only reason I never switched to Macrium Reflect Free Edition is because it is not licensed for business use. Bummer -- never even tried it for this reason.

    In Windows, I've been using DriveImage XML version 1.31, the last free version licensed for commercial use. Works great portable, and can copy live drives using VSS. Interface is a bit wonky, but it gets the job done. Only downside is it doesn't make whole disk images, just proprietary images of logical partitions.

    For whole disk imaging, I use FTK Imager Lite and create a raw dd image. It hash-verifies the whole image against the source after the image is made, bit-for-bit. G4L works fine for writing raw images back to a drive just like dd, and comes included on the fantastic Parted Magic bootdisk. It's too bad FTK Imager Lite can't write images, because it does such a fantastic job creating images, and you can be sure that every bit is perfect. It's important also to make sure you don't split the image file into gigabyte chunks; I haven't been able to find a freeware solution for writing back raw images that were split into chunks. FTK Imager Lite can read these split images though, and re-write them into one single giant image file. Just gotta make sure the target is an NTFS drive because of the file size.

    If I'm not mistaken, Clonezilla can manage raw dd images. However, the thoroughness of creating images with FTK Imager Lite and simplicity of writing the images back to disk with G4L wins in my book. If you're multicasting images across a network though, I don't think you can beat Clonezilla for the price.

    Partimage would be nice, but it doesn't make raw dd images, it only deals with the used portions of drives. If I wanted to make a compressed backup, I'd just use DriveImage XML which as noted can create an image both live and from a portable drive.

    Another highlight of using raw dd images is the ability of using FTK Imager Lite to open the images and extract files and whatnot, besides the fact that it's the most standard image format available.

    Just my two cents.

    Claus said...

    @Joe - Awesome comments! I appreciate you taking the time to give that level of detail!

    I did some dd work a few years ago when I was working with Linux LiveCD building before moving to Win PE 2.0.

    I really need to go back and do more work with dd. So many forensics and other imaging applications exist for it, it seems like it is one of the gold-standards for imaging work.

    I don't know near enough about dd as I should. I believe there are some various tools that can be used to mount the image files...can they also be manipulated off line?

    That is one of the benefits of ImageX that I find. Once I capture the wim file, I can then later mount it, as well as add/remove files to the image itself. So if I have an wim image captured, but then am told that a setup installer file on the image has been updated, I can mount the wim (r/w), remove the old one drop in the new version, and write (save/commit) the change into the wim. Saves a bunch of time rather than recapturing a system again.

    I've never tried to capture a running system which intrigues me for a night-job project I am looking at. I don't mind using a proprietary format, so long as it remains supported...

    Neat stuff! I'm going to be hitting the Google on some of the items you shared.

    Thanks!

    Claus V.

    Joe said...

    @Claus

    The only tool I've used to mount a raw image in Windows is called VDK. I haven't used it very much, but it didn't crash on my system. It is a command line app, however there is a GUI out there I haven't tried.

    Honestly though, system drivers made by single developers or very small teams (ex: DVD43, Ext2 IFS for Windows, VDK) I typically try and stay away from because the drivers themselves likely haven't been extensively tested, and it only takes a small bug in a driver to grind an otherwise completely stable computer to a halt with a BSOD. Drivers from hardware manufacturers are far more extensively tested, and still have their problems. I'd never install any of these apps on a production machine.

    I haven't done a lot of work with ImageX, but it seems like the most stable and overall best solution for images on NTFS systems if you're not worried about the 'forensic' end of a perfect copy. I admit, I geek out a bit and usually take the more time-consuming, hash-verified raw image copy. However, I really need to go back to your old posts on ImageX and get well acquainted with it. To the best of my understanding though, if you want to grab the MBR, partition tables, boot loaders etc, you can't use ImageX anyways. Each image solution has it's pros and cons!

    If you've never checked out that FTK Imager Lite app, you'll appreciate that when you open a complete raw image with multiple partitions of different file systems, you can browse through all the file systems inside it's explorer-esque interface. You can also see the raw bits from the MBR, partition table, and unallocated space among other things. Throw this portable app on your USB drive and fire it up on a dual-boot system, then add the hard drives as 'evidence items' to see the same thing this program would see should you make a raw image of those drives. It even uses the IsoBuster driver to crack open CDs and DVDs. Pretty cool.

    Claus said...

    @Joe - Wow! Thanks for the extra information!

    I know I've geeked out from doing too many image building jobs last week when I get excited about some new (to me) imaging avenues to explore!

    I can tell I'm going to be gathering quite a collection of links based on your comments!

    I do like ImageX for working in our Windows exclusive environment; but as you point out, it doesn't handle sector-based copying, nor entire multi-partition copying, or anything related to the partition or boot (MBR) structure. Not that big a deal in our deployment environment but a drawback in many others where storage media imaging is appropriate.

    So many tools, so many applications, so little time!

    ;)

    -Claus V.

    rwr said...

    Claus

    I used a trial version of the full software to move to a larger hard drive. No messing with other tools, installed s/w, created images to an external hdd, created the boot cd, booted from boot cd. The software enabled me to resize the partitions at the beginning of the restore process as well as asking what type of partition you wanted to create. Everything went really well. All done in a morning. Very easy to use. No hesitation in recommending it.

    Grant S. Robertson said...

    Perhaps you have noticed this since you posted this, but Macrium Reflect is a sector-based imaging program. I figured this out when I took an incremental image after defragmenting my hard drive. The incremental image was almost as large as the original. A search in their forum for "defrag" confirmed my suspicions.

    If you know of a file-based disk imaging solution that takes incremental images I would like to hear about it.

    Thanks.