Hi,
We are using "win to go" for Mac data acquisition with my colleague at this time.
However, I'm confused whether it's an appropriate way to use "win to go" for collection, because it's not forensic software.
I would like to hear your opinion about using "win to go".
As in running Windows off a USB? It's just an OS, but I don't see it as a forensic tool at all unless you're running something else off of the OS (like FTK Imager, Encase Imager, etc…)
If it's the "only possible option you have", then you must document all steps and directories touched to have any credibility.
However, you would be best suited to boot into a live SIFT, HELIX, etc… or get MacQuisition for forensically sound use (still documenting your steps).
Test it. Set up a test system, acquire it with the WinToGo, then examine it to see if it affected the image in any way, and if it did, how.
For example, it might be safe to use on a Mac system, as Windows won't recognize or mount the iOS volumes, but it may be a bad idea to use on a Windows system. And … it may not necessarily be possible to say for certain which you have, until it's too late.
Test it. See if you can find someone who is willing to act as 'test critic', i.e. looks for flaws in your test and test methodology. That kind of 'friendly enemy' is very useful in these situations.
I've not tried WinToGo myself, but … I may give it a try.
Thank you for the response.
You are right, it's just an OS. So we are using a forensic tool for acquisition, such as FTK or Encase Imager, after booting up with WinToGo via the USB port.
Also, as you mentioned, documentation is a good option and a required action.
For Mac acquisition, what is the best forensic tool? I've never used SIFT, HELIX or MacQuisition before. Please advise.
Thank you for your comment!
I tested before, and the result is that the Windows system booted by WinToGo recognized the Mac devices as external devices. If so, there is no problem for the integrity of the collection in my opinion. Of course, a comparison of image data between a Mac system collection and a Windows system collection from iOS is necessary. But I would like to hear someone else's comments about WinToGo boot-up for Mac acquisition.
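The "test it" advice above (image a known test system, acquire it with the method under evaluation, then examine whether the image was affected) and the later remark that a comparison of image data between collections is necessary both come down to the same check. The script below is an added example, not code from this thread or from any of the tools mentioned: it hashes a baseline image and a post-acquisition image and reports which sectors differ, so the examiner can record exactly what the boot method touched. The two "images" are constructed byte strings written to temporary files, so it runs offline; in practice you would point it at the raw images produced before and after the test boot.

```python
"""Verify that an acquisition method leaves a test volume untouched.

Added example (not from the thread). Workflow: image a known test system,
boot/acquire it with the method under evaluation, image it again, then
compare. The images here are constructed sample data in temporary files.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512  # compare at sector granularity so changes can be localised


def hash_file(path: str, algo: str = "sha256") -> str:
    """Stream-hash an image file; record this value in the acquisition log."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def changed_blocks(path_a: str, path_b: str, block_size: int = BLOCK_SIZE) -> list:
    """Return indices of blocks that differ between two image files.

    A size mismatch means the image was truncated or the volume geometry
    changed; that is reported as the sentinel block index -1.
    """
    if os.path.getsize(path_a) != os.path.getsize(path_b):
        return [-1]
    diffs = []
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        idx = 0
        while True:
            a = fa.read(block_size)
            b = fb.read(block_size)
            if not a:
                break
            if a != b:
                diffs.append(idx)
            idx += 1
    return diffs


def verify_acquisition(baseline: str, acquired: str) -> dict:
    """Summarise the baseline-vs-acquired comparison for the examiner's notes."""
    diffs = changed_blocks(baseline, acquired)
    return {
        "baseline_sha256": hash_file(baseline),
        "acquired_sha256": hash_file(acquired),
        "unchanged": not diffs,
        "changed_blocks": diffs,
    }


def _write(path: str, data: bytes) -> None:
    with open(path, "wb") as f:
        f.write(data)


def demo() -> tuple:
    """Constructed scenario: a 4-sector test volume, one clean acquisition and
    one where the booted OS wrote 16 bytes into sector 2 (a hypothetical
    metadata update). Returns (clean_report, dirty_report)."""
    base = bytes(range(256)) * 8  # 2048 bytes = 4 sectors of 512
    tampered = bytearray(base)
    tampered[BLOCK_SIZE * 2: BLOCK_SIZE * 2 + 16] = b"WRITTEN-BY-OS!!!"
    tmp = tempfile.mkdtemp()
    p_base = os.path.join(tmp, "baseline.dd")
    p_clean = os.path.join(tmp, "clean.dd")
    p_dirty = os.path.join(tmp, "dirty.dd")
    _write(p_base, base)
    _write(p_clean, base)
    _write(p_dirty, bytes(tampered))
    return verify_acquisition(p_base, p_clean), verify_acquisition(p_base, p_dirty)


if __name__ == "__main__":
    clean, dirty = demo()
    print("clean run unchanged:", clean["unchanged"])
    print("dirty run changed blocks:", dirty["changed_blocks"])
```

Hash equality alone tells you whether anything changed; the block list tells you where, which is what a "test critic" will ask for when deciding whether a difference is benign (e.g. a journal or mount-count update on a volume the OS should never have touched) or disqualifying.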
MacQuisition: https://www.blackbagtech.com/software-products/macquisition.html
SANS SIFT: https://digital-forensics.sans.org/community/downloads
Another thought would be to boot the Mac into "targeted disk mode" if it supports it: http://www.macforensicslab.com/index.php?main_page=document_general_info&products_id=80