I was wondering if someone might be able to answer a couple of basic questions. I’m trying to get up to speed with forensics and have been doing some research on imaging. The only step-by-step guide I can find is on using dd on a 3.5” floppy.
I’m more curious about technology in this decade. Do most use a disk duplicator and work off a separate imaged drive or is it more common to use an image through a write blocker and just mount that image when needed? Hard drives are much larger than they used to be - so either way, I see problems.
What is the most common preferred way to image a drive?
If that answer is expensive hardware, what is a good, inexpensive way to practice?
Thanks for any feedback,
Mike
A little about me. I’m new to forensics. I got turned onto it while doing my Master’s degree. I have 22 years’ experience in the IT field. I've lurked here off and on a bit, but this is my first contribution.
What is the most common preferred way to image a drive?
It depends on the situation.
When I've performed drive imaging, if I'm not concerned about shaving minutes off of the acquisition, there really isn't a lot of difference between software- and hardware-based imaging.
Where I've had to image a good number of drives, starting off with a hardware-based approach tends to be a bit faster, and if that didn't work for some reason, we'd move those drives over to a software-based approach.
I have also performed a number of live acquisitions, for a number of different reasons, all of which I documented. I think the best one was a system that was booted from a SAN, over fiber channel.
What is most common is hard to say since there's no scientific polling of the community, but anecdotally, most examiners I know use software to image. Some use a linux boot disk so no need for a physical write blocker, others use hardware writeblockers and windows tools. I use a combination of both the above depending upon circumstances, mostly because it's easier to scale than single purpose hardware solutions.
Don't knock imaging floppy disks with dd. That's how I started. Truth is, if you can understand imaging that way, the rest is easy. Ultimately, it really is the same. Capacities grow, interfaces change, programs become easier, but at the heart of it, it really is the same process. And it is the process that is important, not the tool or media.
That said, if you are ready for something new, try FTK Imager and a flash drive. There will be no practical differences between that and imaging a hard drive of whatever size.
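The dd-based process described above, with the hash verification step that makes an image usable as evidence, as an added example (not code from anyone in this thread). The device node /dev/sdb in the comments is an assumed name; make_sample_device builds a constructed file standing in for the drive so the script runs offline.

```shell
#!/bin/sh
# Added example (not from this thread): dd acquisition with hash verification.
# SRC is normally a write-blocked device node such as /dev/sdb (assumed name);
# here make_sample_device creates a constructed file so the script runs offline.
set -u

# SHA-256 of a file; prefers coreutils sha256sum, falls back to shasum (macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Bit-for-bit image of $1 into $2. The source hash is recorded beside the image
# and dd's own summary (records in/out) is kept as the acquisition log.
# conv=noerror,sync reads past bad blocks and zero-fills them instead of aborting,
# which is what you want on failing media; a zero-filled block then shows up as
# a hash mismatch rather than a silently truncated image.
acquire_image() {
    src=$1; img=$2
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>"$img.log" || return 1
    hash_file "$src" > "$img.sha256"
}

# Compare the image against the hash recorded at acquisition time.
# Exit 0 on match; 1 if the image differs from the source or the record is missing.
verify_image() {
    img=$1
    [ -r "$img.sha256" ] || return 1
    [ "$(cat "$img.sha256")" = "$(hash_file "$img")" ]
}

# Constructed stand-in for a small device: 64 sectors of 512 random bytes.
make_sample_device() {
    dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
}
```

Re-running verify_image on the stored image at any later point is how you show the copy you examined is still the copy you acquired.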
Thanks for all the great feedback.
twjolson I'm playing with it (FTK Imager) as I type this. If I wasn't just exploring, wouldn't I need a software or hardware write blocker? I'm on a Win 7 machine.
I'm downloading DSI USB Write Block Utility to give it a try.
keydet That is what I figured too. With all the information out there (and self-proclaimed experts) it is easy to get confused and overwhelmed.
Patrick (or anyone for that matter)
What do you think about using a linux boot distro in a virtual machine? I wonder if the host machine might still be able to write to the source.
Mike
If I wasn't just exploring, wouldn't I need a software or hardware write blocker? I'm on a Win 7 machine.
Yes. To prevent writes to the subject media on Windows you need to write block.
What do you think about using a linux boot distro in a virtual machine? I wonder if the host machine might still be able to write to the source.
If the host mounts the drive (and this is not just a Windows function) then you need to write block.
Although those are the easy answers, you should test your environment for yourself and not just rely on "some person on some forum said so" as an answer.
I like to "slave" the target device(s), unless they cannot be powered down for some reason.
I would say that WinFE is the exact solution for someone having Windows 7 and wanting to do a disk image (as a matter of fact, it is the reason why it was developed).
http://winfe.wordpress.com/
jaclaz
I prefer to use a shuttle box with external eSATA ports and an eSATA write blocker. I then use EnCase to create a compressed E01 and work off that.
I rarely do bit-for-bit copies, as I find that I only have to create either a DD or an E01 somewhere down the line, so I take the hit from the start and create my image.
I personally have found FTK Imager quite a slow piece of software for creating images. I found EnCase in Acquisition mode a lot faster.