±Forensic Focus Partners
|New Today: 0||Overall: 36632|
|New Yesterday: 3||Visitors: 160|
Windows Forensic EnvironmentBack to top Back to main Skip to menu
The (Nearly) Perfect Forensic Boot CD - Windows Forensic Environment
This command will list all drives connected to the system. You should be able to determine which your evidence drive and your destination drive. No changes are made to any of the attached drives. If you do not see your disks, then enter the command of DISKPART>rescan
If your destination drive is not online already, this will put it online. No changes are made to any of the attached drives.
DISKPART>Select Disk 1
Select your destination disk where you will store the image (which ever disk number it is, choose that number). No changes are made to any of the attached drives. In the above example, Disk 0 is the evidence drive; Disk 1 is the destination drive.
If you are unsure of the disk selected, this command will give you more information about it. No changes are made to any of the attached drives.
This command will list the volume(s) on your selected disk. No changes are made to any of the attached drives. If your destination drive does not have any volumes, you can create a volume by DISKPART>create partition primary
DISKPART>Select Volume 1
Select the volume to where the image will be stored (whichever volume you need, choose that number).
DISKPART>Attribute clear readonly
This will allow your destination disk to be read/write. Do not do this to the evidence disk!
This will assign a drive letter to your destination drive (you can choose any letter for your destination drive).
This will exit DISKPART, but keep the prompt open. Do not close the prompt!
You are now able to write to your destination drive and your evidence drive is ReadOnly. After you exit from DiskPart, you will be at the command line. Change directories to your forensic tool folder, in this example, WinFE.