Robocopy and FTK Imager

Making copies of electronic files on most computer systems is generally as simple as “drag and drop.” Except, of course, when it is done in support of a legal issue and the integrity of the files may potentially be called into question.

For those instances where there is a need to keep thorough records on the accuracy and reliability of the duplicated data I tend to fall back on two options:

For a forensically sound copy with all the bit-by-bit image fixings (a bit-for-bit image with MD5/SHA1 hashes computed and verified on completion): FTK Imager (formerly of AccessData, now Exterro) is cheap and easy to use.

But when it’s just copying files for organization, migration, or for a working copy, good ol’ Robocopy is still my choice. It’s free (I know, “free” is always the adjective that accompanies tools I like), customizable, and already installed on Windows-based machines.

Here I’ll note my go-to robocopy switches for ensuring good record keeping:

robocopy source destination /dcopy:dat /copyall /e /z /zb /r:3 /w:3 /v /mt:32 /tee /log:log_file_name.txt

So what’s with all the switches? Well…

  • /dcopy:DAT – ensures that the directories/folders being copied retain their data (D), attributes (A), and time stamps (T). Older robocopy builds accept only /dcopy:T, in which case directory attributes are not preserved (we all know how important those darn folder timestamps are to opposing counsel).
  • /copyall – copies every file with all the attributes of the original; it is shorthand for /copy:DATSOU (data, attributes, time stamps, NTFS security/ACL, owner, auditing info). Copying the owner and auditing information requires running from an elevated prompt.
  • /e – copies subdirectories, including empty ones.
  • /z and /zb – restartable mode, with /zb adding a fallback to backup mode. Restartable mode lets an interrupted copy of a large file pick up where it left off instead of starting over. Backup mode uses the Windows Backup and Restore privileges (another reason to run elevated) to read files whose ACLs would otherwise deny you access. Everyone has hit the “administrator permission” error when copying some files in Explorer; /zb gets past it the way the “Continue” button does, with one difference that matters in a legal context: Explorer gets you in by changing permissions on the object, whereas backup mode reads the file without touching anything on the source. Because /zb already implies /z, listing both is harmless but redundant.
  • /r:3 and /w:3 – retry a failed copy 3 times, and wait 3 seconds between retry attempts. The numbers can be changed as desired, but set them: the defaults are 1,000,000 retries with a 30-second wait, which means a single locked file can stall a job for days.
  • /v – “verbose”: include detailed information about the copied files, including a listing of any files that were skipped. Always a good idea when copying in a legal context.
  • /mt:32 – multithreaded copy (several files copied at the same time). Plain /mt uses 8 threads; the value can be anything from 1 through 128.
  • /tee – write the copy information to the log file and show it on screen at the same time. I like to do this so that I can see what is actually happening with the copy process.
  • /log:log_file_name.txt – writes the copy process and its information to a text file. The log_file_name.txt can be anything. Note that /log overwrites an existing file of that name; use /log+ to append instead, or give each run its own file name.
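The command line above, as I would actually run it for a working copy, is shown here as an added example (this is not code from the original post). It wraps the same switches in a PowerShell script that does a /l dry run first, checks robocopy's exit code, and then hashes every file on both sides to confirm the copy, since robocopy itself compares only size and time stamps. The paths are placeholders, /z is dropped because /zb already implies it, and each run gets its own time-stamped log because /log overwrites. Run it from an elevated PowerShell session so /copyall and /zb can use the Backup/Restore privileges.

```powershell
# Added example, not from the original post. Placeholder paths are assumptions.
$Source      = 'D:\Matter123\Source'        # placeholder
$Destination = 'E:\Matter123\WorkingCopy'   # placeholder
$LogDir      = 'E:\Matter123\Logs'          # placeholder
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Same switches as the post, minus the redundant /z. The log switch is added
# per run because /log (unlike /log+) overwrites an existing file.
$Switches = @('/dcopy:DAT', '/copyall', '/e', '/zb', '/r:3', '/w:3', '/v', '/mt:32', '/tee')

# 1. Dry run: /l lists what would happen without writing to the destination.
$DryLog = Join-Path $LogDir "robocopy-dryrun-$Stamp.txt"
& robocopy $Source $Destination @Switches /l "/log:$DryLog"

# 2. Real copy.
$CopyLog = Join-Path $LogDir "robocopy-$Stamp.txt"
& robocopy $Source $Destination @Switches "/log:$CopyLog"
$rc = $LASTEXITCODE

# Robocopy's exit code is a bit mask: 1 = files copied, 2 = extra files in the
# destination, 4 = mismatched files/dirs, 8 = some files failed, 16 = fatal
# error. Anything at or above 8 means the copy is incomplete.
if ($rc -ge 8) {
    throw "robocopy reported failures (exit code $rc); see $CopyLog"
}

# 3. Independent verification: hash every file on both sides and compare.
#    Robocopy checks size and time stamps, not content, and records no hashes.
function Get-TreeHashes {
    param([string]$Root)
    $prefixLength = $Root.TrimEnd('\').Length + 1
    Get-ChildItem -Path $Root -File -Recurse -Force | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($prefixLength)
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$src = @(Get-TreeHashes -Root $Source)
$dst = @(Get-TreeHashes -Root $Destination)

# Keep the hash lists next to the robocopy log as part of the record.
$src | Export-Csv -Path (Join-Path $LogDir "hashes-source-$Stamp.csv") -NoTypeInformation
$dst | Export-Csv -Path (Join-Path $LogDir "hashes-destination-$Stamp.csv") -NoTypeInformation

# Any object that appears on only one side is a missing file or a content mismatch.
$diff = Compare-Object -ReferenceObject $src -DifferenceObject $dst -Property RelativePath, SHA256
if ($diff) {
    $diff | Format-Table -AutoSize | Out-String | Write-Host
    throw "Hash mismatch or missing files between $Source and $Destination"
}
"Verified $($src.Count) files; all SHA256 hashes match. Log: $CopyLog"
```

The dry run is worth the extra minute on any destination that already contains files, and the hash CSVs plus the robocopy log are what you hand over when someone asks how you know the working copy matches the original.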

While I wouldn’t rely on robocopy for forensics (it compares size and time stamps rather than content, and it records no hashes), the many options it has make it a great tool for running duplicates or moving a large number of files around.

[The /e switch in the sample above can be replaced with /mir, but I’m generally disinclined to tell that to new users. /mir is /e plus /purge: it mirrors the source into the destination, deleting anything in the destination that does not exist in the source. So if the destination already holds files, they will be removed, and if you get the two paths backwards you wipe what you meant to copy. That’s what we would generally call a “bad” thing. /mir replaces only /e; the other switches are still needed.]

Written by Andrew
