Rust for Forensics (also: accessing bytes on a raw disk?)

Hi all! Many thanks for letting me join this channel.

I’m a forensics major trying to learn rust. Since I hear it’s the best language out there for systems level programming. I am new to this field, trying to become better.

My task is to make a small “forensic copy” tool. The tool is supposed to read raw bits/bytes from a device and then make a bit by bit copy of everything that is in there.

And then at the end create an image file of that device.

This tool is essentially just a copy of dd or dc3dd.

What library is available to access those raw bytes from a drive or is there some other way to do achieve above task?

Other than this I would also like to know everyone’s opinion on Rust being a suitable programming language for forensics & security related work.

Thanks ^.^

Hi and welcome! a dd-like tool sounds like a wonderful learning program!
I’ve taken the liberty of clarifying your topic title, in the hopes of getting you more eyeballs. (Feel free to change it back if you dislike my interpretation!)


I am not aware of any low-level disk-access libraries for the rust ecosystem, but I admit that I haven’t searched for them either. The Go-To resource for crates is always the official crates.io repository. You may also like the community experimental crates.rs, which tries a lot of different ways to analyse cargo metadata and thereby improve searching and sorting.


If you only need to work on linux, you can benefit from the Unix/Linux “everything is a file” paradigm: You can then File::open() the /dev/hdX node, and do bit-copies from it, exactly as if it was a normal file.
You’ll probably want to to throw in a BufReader with a few megabytes of buffer; otherwise you’ll be doing a separate syscall for every single byte.
(Rust favours explicitness, so contrary to most other languages, there is no buffering by default; Rust also favours composability, so this buffering implementation is usable for any Read implementation)


Edit 1: If you want to go above-and-beyond with the assignment, maybe have a look at compressing your output image; there are some excellent compression libraries, that already have good Rust bindings: https://crates.rs/compression
Adding them is usually fairly simple: just compose their Write implementation on top of your output file, exactly like we did for the BufReader, and compression is transparently added :smile:
Caveat: naive compression of uncompressible data (such as encrypted disks, or video/image files) will hurt your performance. Offloading the compression to another thread is probably worthwhile (pass your input data to the compression thread via a std::sync::mpsc::channel, or use the faster-and-more-featureful crossbeam channels)


Edit 2: There are a lot of good libraries for command line argument parsing; clap is most famous, and provides the basis for, among others, the (more ergonomic) StructOpt. You may be more familiar with GetOpts style, and DocOpt is another great strategy that tries a different approach from clap.


Edit 3: I only just now noticed your “general” question, “hidden” under the specific help request.
It’s completely OK to open a second topic for that; that helps both discussions focussed, instead of mixing library suggestions with waxing expositions about the general features of Rust :angel:

4 Likes

Hey!

I think the changes you made to the title is awesome and therefore, I’ll prefer keeping this update :slight_smile:

Thank you for this descriptive response. It’s super helpful. I will start working on it, the road ahead feels a little more clear now. Well, since your response basically answered everything I had in mind. I don’t seem to have any confusion any more or any other comments, except my deepest gratitude. So, thanks again for taking out your time for providing all this info. As for the recommendation, I’ll keep that in mind and be more careful in future.

Regards,
Gaurav

1 Like