Windows Forensic Environment

The (Nearly) Perfect Forensic Boot CD - Windows Forensic Environment



Page: 3/7

DISKPART>List Disks

This command will list all drives connected to the system. You should be able to determine which is your evidence drive and which is your destination drive. No changes are made to any of the attached drives. If you do not see your disks, enter the command DISKPART>rescan


Figure 11

DISKPART>Online Disk

If your destination drive is not online already, this will put it online. No changes are made to any of the attached drives.

DISKPART>Select Disk 1

Select the destination disk where you will store the image (whichever disk number it is, choose that number). No changes are made to any of the attached drives. In the above example, Disk 0 is the evidence drive; Disk 1 is the destination drive.


Figure 12

DISKPART>Detail Disk

If you are unsure of the disk selected, this command will give you more information about it. No changes are made to any of the attached drives.


Figure 13

DISKPART>List Volume

This command will list the volume(s) on your selected disk. No changes are made to any of the attached drives. If your destination drive does not have any volumes, you can create one with the command DISKPART>create partition primary


Figure 14

DISKPART>Select Volume 1

Select the volume where the image will be stored (whichever volume you need, choose that number).


Figure 15

DISKPART>Attribute clear readonly

This will allow your destination disk to be read/write. Do not do this to the evidence disk!

DISKPART>Assign Letter=T

This will assign a drive letter to your destination drive (you can choose any letter for your destination drive).


Figure 16

DISKPART>Exit

This will exit DISKPART, but keep the prompt open. Do not close the prompt!

You are now able to write to your destination drive, and your evidence drive is read-only. After you exit from DiskPart, you will be at the command line. Change directories to your forensic tool folder (in this example, WinFE).


Figure 17
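
Before starting an imaging tool, the read-only state of the evidence drive can be confirmed from the same prompt. The batch file below is an added example, not part of the original article; it assumes Disk 0 is the evidence drive (as in the example above), English-language DISKPART output that includes a "Current Read-only State" line in `detail disk`, and that %TEMP% is on the WinFE RAM disk. If the line is missing or does not say Yes, the check fails closed.

```batch
@echo off
rem Added example (not from the original article): pre-imaging check that
rem DISKPART still reports the evidence disk as read-only.
rem Assumptions: evidence disk is Disk 0; English DISKPART output;
rem %TEMP% points at the WinFE RAM disk, so nothing is written to evidence.
setlocal
set EVIDENCE=0
set SCRIPT=%TEMP%\dp_check.txt
set OUT=%TEMP%\dp_out.txt
set RO=UNKNOWN

rem Build a two-line DISKPART script; both commands only query the disk.
> "%SCRIPT%" echo select disk %EVIDENCE%
>> "%SCRIPT%" echo detail disk
diskpart /s "%SCRIPT%" > "%OUT%"

rem Tolerate variable spacing around the colon in the DISKPART output.
findstr /R /C:"Current Read-only State *: *Yes" "%OUT%" > nul && set RO=Yes
findstr /R /C:"Current Read-only State *: *No" "%OUT%" > nul && set RO=No

rem Show the full output so it can be copied into the case notes.
type "%OUT%"

rem Fail closed: anything other than an explicit Yes stops the process.
if not "%RO%"=="Yes" (
    echo STOP: disk %EVIDENCE% is not reported read-only ^(state: %RO%^). Do not image.
    exit /b 1
)
echo OK: disk %EVIDENCE% reports Current Read-only State: Yes.
exit /b 0
```

A result of UNKNOWN means the expected line was not found in the output (for example, a different DISKPART version or language), so confirm the state manually with DISKPART>Detail Disk.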




