Bootable Imaging distros

49 Posts
10 Users
0 Likes
63.2 K Views
(@deltron)
Posts: 125
Estimable Member
Topic starter
 

Sorry, writing fast.
I have a Windows 7 laptop to image but would like to use a bootable CD/USB; anyone know of an ISO that has FTK Imager on it?

 
Posted : 14/08/2014 12:15 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Sorry, writing fast.
I have a Windows 7 laptop to image but would like to use a bootable CD/USB; anyone know of an ISO that has FTK Imager on it?

Yes.
http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/questions-with-yes-or-no-answers.html

Point is that such pre-built images cannot normally be redistributed.

But you can build yourself a mini WinFE in next to no time:
http://reboot.pro/topic/19036-mini-winfe/
http://mistype.reboot.pro/mini-winfe.docs/readme.html

jaclaz

 
Posted : 14/08/2014 1:41 pm
(@rich2005)
Posts: 535
Honorable Member
 

Do you particularly need FTK Imager? There are plenty of bootable Linux distros with imaging tools that can create E01s (EWF format), DDs etc.
Personal choice would be CAINE.

 
Posted : 14/08/2014 5:23 pm
(@deltron)
Posts: 125
Estimable Member
Topic starter
 

Do you particularly need FTK Imager? There are plenty of bootable Linux distros with imaging tools that can create E01s (EWF format), DDs etc.
Personal choice would be CAINE.

Yeah, ran Kali with the DD command, just prefer for the future to have a prebuilt disk ready. Also like FTK Imager a bit better than running DD commands.

 
Posted : 15/08/2014 6:47 pm
(@rich2005)
Posts: 535
Honorable Member
 

Just in case you aren't aware, modern distros like CAINE 4 will boot to a GUI, and the included imaging tool guymager has a GUI too, so the usage/output should be little different to FTKI on 'doze (no need for DD commands, e.g. http://guymager.sourceforge.net ).

 
Posted : 19/08/2014 6:04 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Paladin from Sumuri is quite good as well. I use that one from time to time and have had no issues (apart from it being quite slow).

 
Posted : 20/08/2014 10:43 am
bshavers
(@bshavers)
Posts: 210
Estimable Member
 

You can build a WinFE in about 20 minutes. FTK Imager easily added. http://courses.dfironlinetraining.com/windows-forensic-environment tells you everything you need to know about WinFE.

 
Posted : 18/09/2014 10:14 am
(@thefuf)
Posts: 262
Reputable Member
 

Also note that almost all Ubuntu-based forensic Live CDs clean the NTFS journal on the HDD during boot. This can be unacceptable for you.

 
Posted : 18/09/2014 3:20 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

thefuf: When DEFT (a forensic Linux distribution) is booting up, it does not mount the hard drive contained within the computer itself, or any other media for that matter, by default.

In DEFT, after DEFT has booted up, one has to first manually attach an external hard drive ("Target") to write the forensic image files to. The Target drive has to be manually designated as read/write so that the forensic image files can then be written to it.

If one is imaging a hard drive contained within the laptop ("Source") running DEFT, Guymager will see the internal hard drive in its unmounted state and allow one to create a forensic copy of the Source using Guymager.

So, how is the "NTFS journal on the HDD" being cleaned during the boot up process of the Linux forensic distribution?

Can you kindly provide some screen shots or hex views of the changes you are seeing to the "NTFS journal" of the Source drive?

 
Posted : 18/09/2014 9:06 pm
(@thefuf)
Posts: 262
Reputable Member
 

Can you kindly provide some screen shots or hex views of the changes you are seeing to the "NTFS journal" of the Source drive?

Sure. You can reproduce it yourself:
1. Boot Windows system installed on NTFS.
2. Power cut.
3. Boot DEFT Linux.
4. Examine "/var/log/casper.log".

You can also compare hash values for NTFS partition.

PS. If anyone has questions about this issue, I can provide a small virtual machine (in OVA format for VirtualBox) to reproduce the NTFS journal wipe quickly.

 
Posted : 18/09/2014 9:16 pm
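
The hash comparison suggested in the post above can also show where on the partition a live CD wrote, not only whether it did. The following is an added example, not code from any poster in this thread: it hashes two raw images of the same NTFS partition (taken before and after booting the live CD under test) in fixed-size chunks and reports the byte ranges that differ. The image paths and the 1 MiB chunk size are assumptions.

```python
import hashlib
import sys

CHUNK = 1 << 20  # comparison granularity in bytes (assumption; any size works)

def chunk_digests(path, chunk=CHUNK):
    """Return (whole-image SHA-256 hex digest, list of per-chunk SHA-256 digests)."""
    whole = hashlib.sha256()
    parts = []
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            whole.update(block)
            parts.append(hashlib.sha256(block).digest())
    return whole.hexdigest(), parts

def changed_ranges(before, after, chunk=CHUNK):
    """Compare two images of the same partition.

    Returns (identical, ranges). Each range is (start, end) in bytes, end
    exclusive and rounded up to a chunk boundary; adjacent chunks are merged.
    """
    h1, p1 = chunk_digests(before, chunk)
    h2, p2 = chunk_digests(after, chunk)
    ranges = []
    for i in range(max(len(p1), len(p2))):
        a = p1[i] if i < len(p1) else None  # None marks a size mismatch
        b = p2[i] if i < len(p2) else None
        if a != b:
            start = i * chunk
            if ranges and ranges[-1][1] == start:
                ranges[-1] = (ranges[-1][0], start + chunk)
            else:
                ranges.append((start, start + chunk))
    return h1 == h2, ranges

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage (hypothetical file names): python compare.py before.dd after.dd
    same, diffs = changed_ranges(sys.argv[1], sys.argv[2])
    print("identical" if same else "MODIFIED")
    for start, end in diffs:
        print(f"  changed bytes 0x{start:x}-0x{end:x}")
```

The reported offsets are relative to the start of the partition image and can be opened in a hex viewer to check whether the changes fall inside the NTFS journal.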