Rewritable Hard Disks and Flash Media

There is a risk when plugging USB devices or other writeable storage media into a conventional operating system that the OS will write to the device, meaning a clean dump of the original media cannot subsequently be made. To enable as clean as possible a dump to be preserved - even in the case of used devices it is good to avoid making any further changes. Note that the write-protect switches that some SD cards doesn't actually prevent writes - if it works, it just tells the reader to not write to the card - not all readers will comply with this.

This method uses a forensics-oriented Linux distribution which defaults to blocking all devices in read-only mode to ensure as secure as possible an environment (without using a hardware write blocker) for imaging of writeable storage media.

Important Notes

• Unopened games should have their ROM and save data dumped before attempting to play them. This avoids inadvertent modification of the data and helps preserve any possible rewritable data in its unused/“factory” state. This is especially important for types of cart that store the ROM on rewritable media, or games that come with special save data pre-installed. But it is not necessarily possible to know in advance, hence why its advisable to dump first. Note in your submission whether the physical media was sealed and include a photo of the cart/packaging in its sealed state, if possible.
• You should clean the physical media's electrical contacts before trying to dump it, then dump it, and if it doesn't match something in the database, clean it again and dump it a second time, checking if both dumps match using a file comparison tool or calculating the SHA256 of each file and comparing those values. This helps ensure that dirt on the contacts is not causing interference, and that dirt was fully removed during the cleaning process.
• Especially for rare items, make sure to keep the media and dumping hardware around as long as possible (and keep in contact with any future owner if possible), in case an issue with the dump comes up. At minimum (again, if possible) its good idea to keep it around for a while after its been added to the database.

1. Dumping via network (preferred, system-level read/write does not need to be turned on)

1. Dumping to additional device connected to PC (still likely safe but requires system-level read/write ability to be enabled and at least one additional device set to read/write permissions)

Tools required

• External USB drive of at least 4GB OR a writeable DVD
• https://www.caine-live.net/
• https://rufus.ie/en/ (if making a bootable live USB)

Basically the process is the same as Method 2, but you *do not* enable the system-wide write access, instead you just connect your PC to the network and copy your dump to another device.

Tools required

• External USB drive of at least 4GB OR a writeable DVD
• https://www.caine-live.net/
• https://rufus.ie/en/ (if making a bootable live USB)

Process

• Do not connect the external storage media that you wish to dump until instructed to do so.
• Download CAINE from the link above
• Either burn the ISO to a DVD or create a bootable live USB using Rufus. Insert the burned disc or USB into your system and reboot into CAINE
• Check that the system-level mount policy is set to read-only (disk icon in the taskbar should be green). If this is red, right click it and change to read-only.

• Run UnBlock - this should show you a list of devices that are currently attached to the system.

• At this stage, connect the media you wish to dump and hit refresh in UnBlock. This should show up in UnBlock now with a device-level policy of writable.

• Change this to read-only by ticking the checkbox next to it in the listing and then hit OK)
• From the list of devices, find and make a note of the device name related to the media you wish to dump (for the rest of this guide we'll call this sdX)

• Open “caine's Home” and, from the list of devices at the left, find either an internal or external hard-drive to which you want to save the image. The device labels should be the same as you can see in your normal OS (e.g. Windows, Storage, Elements etc.) (for the rest of this guide we'll call this $HARDDRIVE)

• Go back to unblock and find this hard-drive in the list of devices - hopefully it should be obvious from the relative sizes, otherwise you can find device labels by using the command 'lsblk -o name,label' from the command line)

• Click the checkbox next to the hard-drive and hit OK - this should now show as writable in UnBlock

• Change the system policy to allow mounting devices in writable mode by right clicking the green disk icon in the task bar and selecting “make writable”

• Open “caine's Home” again and find your hard-drive at the left - click to mount this. It will mount at /media/caine/$HARDDRIVE.

• Open the console and dump the USB using the following command 'sudo dd if=/dev/sdX of=/media/caine/$HARDDRIVE/backup.img bs=4M status=progress'

See Gathering and Submitting Dump Info (Basic)