Push Button Hard Drive Image

5 Posts
4 Users
0 Likes
562 Views
(@n00bcfe)
Posts: 26
Eminent Member
Topic starter
 

Hello all-

I haven't really seen a huge need for this until recently. Clients are looking for more cost-effective approaches for those one-off hard drive images, and they are looking for self-imaging kits that can be shipped to a custodian (or their IT) for them to perform the image. We all know there will always be additional risks with this approach, but the clients are often fine with those risks (given the cost savings) in certain cases.

My question is

What software or solutions exist for such an approach? Obviously, tools like FTK Imager work fine, but it is still too many steps for a custodian to go through to kick off an image.

Something like DumpIt (one-click memory capture) for hard drives would be ideal, but I am unaware of such a solution.

Any other reliable command line Windows tools that could be scripted to where you run the exe and it automatically captures the internal HDD?

Know of any good solutions for these types of approaches?

I appreciate the info.

 
Posted : 10/05/2017 9:13 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Know of any good solutions for these types of approaches?

I appreciate the info.

Just my 2 cents…
Offline imaging: OSFClone from OSForensics
http://osforensics.com/tools/create-disk-images.html
…but up to now I never tested it in combination with BitLocker or any other FDE.

Online: BriMor Labs Live Response Collection
https://www.brimorlabs.com/tools/

Both tools are free. I never purchased a hardware-based "one click imager" and cannot recommend one from my own experience.

best regards,
Robin

 
Posted : 11/05/2017 1:01 am
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

Software or Hardware?

Shipping a HardCopy II or TD2 to an IT team is pretty easy and affordable since it can do full imaging of the drive.

If you don't have a network-based solution to capture data remotely (F-Response, EnCase, etc.) then I've also had success with building USB-based tools that have the imaging tool on it with a PDF of instructions. Has its limits, but still effective.

 
Posted : 12/05/2017 6:09 pm
(@n00bcfe)
Posts: 26
Eminent Member
Topic starter
 

Not looking for hardware solutions, as the goal is to hand this to a custodian in most cases to kick off with a simple set of instructions. Def don't want them pulling out drives.

Unfortunately, I don't want custodians having to choose between physical devices and partitions.

I wish someone would develop a one click solution that when run it is designed to identify the internal HDD(s) and image to external drive. Custodian just needs to enter name or have it to where it can be pre-configured with an ini/config with custodian details.

Are there any good Windows-based command line full disk imaging tools (that could be used for live collection)? I might be able to work with that and build something out.

 
Posted : 13/05/2017 12:52 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The "issue" is about "live imaging" (from the running OS).
There are tens of possible solutions for "offline imaging" either based on a PE of some kind or on a bootable Linux mini-distro, otherwise more or less *any* solution based on VSS Microsoft technology (provided that the idea is to image Windows systems) might work, but you will encounter (if running from the "installed OS") a number of issues anyway with Administrator/non-Administrator accounts, UAC, elevations Policies and what not.

jaclaz

 
Posted : 13/05/2017 1:03 am
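
Added example, not part of the thread and not the code of any tool named in it: the pre-configured acquisition step discussed above (custodian details from an ini file, image written to an external drive), in Python, hashing the data while it is read and verifying the written image afterwards. The `[acquisition]` section, its keys, the file naming and all sample values are assumptions; the source disk is taken from the examiner's config rather than auto-detected, and opening a raw device such as `\\.\PhysicalDrive0` needs an elevated process, which is the issue the last reply raises.

```python
import configparser, hashlib, json, os, re, time

CHUNK = 1024 * 1024  # multiple of 512 and 4096, so raw-device reads stay sector-aligned

# Constructed sample config: every value is a placeholder, none comes from the thread.
SAMPLE_CONFIG = r"""
[acquisition]
custodian = Jane Doe
case_id = CASE-0000
source = \\.\PhysicalDrive0
dest_dir = E:\images
"""

def sha256_file(path):
    """Hash a file in CHUNK-sized reads so large images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def acquire(config_text, source=None, dest_dir=None):
    """Copy source to <dest_dir>/<case_id>_<custodian>.dd and write a JSON log."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(config_text)
    job = cfg["acquisition"]
    source = source or job["source"]        # a raw disk needs an elevated process
    dest_dir = dest_dir or job["dest_dir"]
    # Keep config text out of the path: letters, digits, "-" and "_" only.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", f'{job["case_id"]}_{job["custodian"]}')
    image = os.path.join(dest_dir, stem + ".dd")
    read_hash, total = hashlib.sha256(), 0
    started = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    # Mode "xb" refuses to overwrite an image that already exists.
    with open(source, "rb", buffering=0) as src, open(image, "xb") as dst:
        while chunk := src.read(CHUNK):
            read_hash.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    # A live disk keeps changing, so the source cannot be re-hashed later; the
    # check that matters is that the written image matches what was read.
    record = {"case_id": job["case_id"], "custodian": job["custodian"],
              "source": source, "image": image, "bytes": total,
              "started_utc": started, "sha256": read_hash.hexdigest()}
    record["verified"] = sha256_file(image) == record["sha256"]
    with open(image + ".json", "w") as log:
        json.dump(record, log, indent=2)
    return record
```

The `source` and `dest_dir` arguments override the config so the same function can be exercised against an ordinary file before it is pointed at a disk.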