
Forensically sound method about "Win to Go"

6 Posts
3 Users
0 Likes
281 Views
(@jiyoung)
Posts: 5
Active Member
Topic starter
 

Hi,

We are using "win to go" for Mac data acquisition with my colleague at this time.
However, I'm confused about whether it's an appropriate way to use "win to go" for collection, because it's not forensic software.
I would like to hear your opinion about using "win to go".

 
Posted : 06/10/2016 5:34 am
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

As in running Windows off a USB? It's just an OS, but I don't see it as a forensic tool at all unless you're running something else off of the OS (like FTK Imager, EnCase Imager, etc…)

If it's the "only possible option you have", then you must document all steps and directories touched to have any credibility.

However, you would be best suited to boot into a live SIFT, HELIX, etc… or get MacQuisition for forensically sound use (still documenting your steps).

 
Posted : 06/10/2016 6:12 pm
(@athulin)
Posts: 1156
Noble Member
 

We are using "win to go" for Mac data acquisition with my colleague at this time.
However, I'm confused about whether it's an appropriate way to use "win to go" for collection, because it's not forensic software.
I would like to hear your opinion about using "win to go".

Test it. Set up a test system, acquire it with the WinToGo, then examine it to see if it affected the image in any way, and if it did, how.

For example, it might be safe to use on a Mac system, as Windows won't recognize or mount the iOS volumes, but it may be a bad idea to use on a Windows system. And … it may not necessarily be possible to say for certain which you have, until it's too late.

Test it. See if you can find someone who is willing to act as 'test critic', i.e. looks for flaws in your test and test methodology. That kind of 'friendly enemy' is very useful in these situations.

I've not tried WinToGo myself, but … I may give it a try.

 
Posted : 06/10/2016 9:47 pm
(@jiyoung)
Posts: 5
Active Member
Topic starter
 

As in running Windows off a USB? It's just an OS, but I don't see it as a forensic tool at all unless you're running something else off of the OS (like FTK Imager, EnCase Imager, etc…)

If it's the "only possible option you have", then you must document all steps and directories touched to have any credibility.

However, you would be best suited to boot into a live SIFT, HELIX, etc… or get MacQuisition for forensically sound use (still documenting your steps).

Thank you for the response.
You are right, it's just an OS. So we are using a forensic tool for acquisition, such as FTK Imager or EnCase Imager, after booting up using WinToGo via the USB port.
Also, as you mentioned, documentation is a good option and a required action.
For Mac acquisition, what is the best forensic tool? I've never used SIFT, HELIX or MacQuisition before. Please advise.

 
Posted : 12/10/2016 5:24 am
(@jiyoung)
Posts: 5
Active Member
Topic starter
 

We are using "win to go" for Mac data acquisition with my colleague at this time.
However, I'm confused about whether it's an appropriate way to use "win to go" for collection, because it's not forensic software.
I would like to hear your opinion about using "win to go".

Test it. Set up a test system, acquire it with the WinToGo, then examine it to see if it affected the image in any way, and if it did, how.

For example, it might be safe to use on a Mac system, as Windows won't recognize or mount the iOS volumes, but it may be a bad idea to use on a Windows system. And … it may not necessarily be possible to say for certain which you have, until it's too late.

Test it. See if you can find someone who is willing to act as 'test critic', i.e. looks for flaws in your test and test methodology. That kind of 'friendly enemy' is very useful in these situations.

I've not tried WinToGo myself, but … I may give it a try.

Thank you for your comment!

I tested it before, and the result is that the Windows system booted by WinToGo recognized the Mac devices as external devices. If so, there is no problem for the integrity of the collection, in my opinion. Of course, a comparison of the image data between a Mac system collection and a Windows system collection from iOS is necessary. But I would like to hear someone else's comments about WinToGo boot-up for Mac acquisition.

 
Posted : 12/10/2016 7:17 am
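Both athulin's advice ("acquire it with the WinToGo, then examine it to see if it affected the image in any way, and if it did, how") and the comparison jiyoung plans between the two collections come down to the same check: image the same test source with a trusted method and with the method under test, then compare the two images block by block. A whole-image hash only tells you whether something changed; a block-level diff tells you where, which is what you need when explaining the difference to your 'test critic'. The script below is an added example and not code from the thread or from any of the tools named in it; the 4096-byte block size, the constructed sample image and the simulated one-block write are all assumptions made for the demonstration.

```python
"""Block-level comparison of two images of the same source.

Added example (not from the forum thread). Compares a reference image
(taken with a trusted boot medium) against an image taken after booting
the acquisition OS under test (Windows To Go in the thread) and reports
whether they are identical and, if not, exactly which blocks changed.
"""
import hashlib
import io
from typing import BinaryIO, List

BLOCK_SIZE = 4096  # comparison granularity; an assumption, not a tool default


def compare_streams(ref: BinaryIO, test: BinaryIO, block_size: int = BLOCK_SIZE) -> dict:
    """Read both images once, hashing each and recording every block that differs.

    Works on open file objects so multi-GB images are never loaded into memory.
    A length mismatch shows up as a differing trailing block, because one side
    returns a short (or empty) read where the other still has data.
    """
    h_ref, h_test = hashlib.sha256(), hashlib.sha256()
    differing: List[int] = []
    size_ref = size_test = 0
    index = 0
    while True:
        a = ref.read(block_size)
        b = test.read(block_size)
        if not a and not b:
            break
        h_ref.update(a)
        h_test.update(b)
        size_ref += len(a)
        size_test += len(b)
        if a != b:
            differing.append(index)
        index += 1
    return {
        "sha256_ref": h_ref.hexdigest(),
        "sha256_test": h_test.hexdigest(),
        "size_ref": size_ref,
        "size_test": size_test,
        "identical": size_ref == size_test and h_ref.digest() == h_test.digest(),
        "differing_blocks": differing,
        "first_diff_offset": differing[0] * block_size if differing else None,
    }


def compare_image_files(path_ref: str, path_test: str, block_size: int = BLOCK_SIZE) -> dict:
    """Convenience wrapper for two raw (dd-style) image files on disk."""
    with open(path_ref, "rb") as f_ref, open(path_test, "rb") as f_test:
        return compare_streams(f_ref, f_test, block_size)


def compare_bytes(ref: bytes, test: bytes, block_size: int = BLOCK_SIZE) -> dict:
    """Same comparison for in-memory data (used by the constructed demo below)."""
    return compare_streams(io.BytesIO(ref), io.BytesIO(test), block_size)


def make_sample_image(n_blocks: int = 16, seed: bytes = b"sample") -> bytes:
    """Constructed stand-in for a disk image: deterministic pseudo-random blocks."""
    out = bytearray()
    for i in range(n_blocks):
        chunk = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        out += chunk * (BLOCK_SIZE // len(chunk))
    return bytes(out)


def simulate_os_write(image: bytes, block_index: int, payload: bytes) -> bytes:
    """Constructed scenario: the booted OS wrote into one block (e.g. a volume header)."""
    start = block_index * BLOCK_SIZE
    patched = bytearray(image)
    patched[start:start + len(payload)] = payload
    return bytes(patched)


if __name__ == "__main__":
    ref = make_sample_image()
    clean = compare_bytes(ref, ref)
    dirty = compare_bytes(ref, simulate_os_write(ref, 2, b"MOUNTED"))
    print("untouched copy identical:", clean["identical"])
    print("after simulated write identical:", dirty["identical"],
          "blocks:", dirty["differing_blocks"], "first offset:", dirty["first_diff_offset"])
```

In a real test, replace the constructed data with `compare_image_files("trusted.dd", "wintogo.dd")` and keep the returned dictionary (hashes, sizes and block list) with the acquisition notes; a non-empty `differing_blocks` list is the starting point for working out which structure on the source volume the booted OS touched.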
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

For Mac acquisition, what is the best forensic tool? I've never used SIFT, HELIX or MacQuisition before. Please advise.

MacQuisition https://www.blackbagtech.com/software-products/macquisition.html

SANS SIFT https://digital-forensics.sans.org/community/downloads

Another thought would be to boot the Mac into "Target Disk Mode" if it supports it. http://www.macforensicslab.com/index.php?main_page=document_general_info&products_id=80

 
Posted : 12/10/2016 6:16 pm