imaging using encase, FTK and X-ways

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

afsfr
Member
 

imaging using encase, FTK and X-ways

Posted: Dec 11, 19 01:08

I have used FTK before; now I use EnCase and X-Ways.

For EnCase and X-Ways, can they do live imaging of Linux memory?

For portable EnCase imaging offsite, I find it can only do a logical acquisition (Lx01 file), so how do I capture a live physical image (img file) using EnCase and X-Ways?

Do we have a malware analysis tool to show malicious DLLs and API calls in EnCase and X-Ways?

In FTK, how do I capture an Android image using FTK Imager? There is no menu item. Thanks
 
  

Bunnysniper
Senior Member
 

Re: imaging using encase, FTK and X-ways

Posted: Dec 11, 19 15:00

- afsfr
I have used FTK before, now use encase and X-ways


Based on the questions I have seen above, I strongly suggest that you start reading the manuals for these products, and take a training course. If you then have specific questions after your reading and the training, you might get a helpful answer.
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
 
  

jaclaz
Senior Member
 

Re: imaging using encase, FTK and X-ways

Posted: Dec 12, 19 11:05

- Bunnysniper

Based on the questions I have seen above, I strongly suggest that you start reading the manuals for these products, and take a training course. If you then have specific questions after your reading and the training, you might get a helpful answer.


Probably when dealing with 15000 breach tickets per month:
www.forensicfocus.com/...c/t=18217/
there is not enough time left for study or training.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

hommy0
Senior Member
 

Re: imaging using encase, FTK and X-ways

Posted: Dec 12, 19 11:19

EnCase has a few methods to acquire an evidence file of a live system:

1) EnCase Portable can be configured to acquire a physical device into an EX01 or an E01

2) In “Program Files\EnCase8” there is a command line tool called WinAcq. This can also be used to acquire an E01 of a live system.

3) Using the EnCase Agent, create and deploy onto the target system. You will then be able to preview and acquire over the network. There are agents for Windows, Linux and macOS (including Catalina)

Regards  
 
  

Belkasoft
Senior Member
 

Re: imaging using encase, FTK and X-ways

Posted: Dec 12, 19 15:31

- afsfr

in ftk, how to capture android image using ftk imager, there is no menu item? thanks


For Android imaging (as well as iOS and also computer devices) you can use the free Belkasoft Acquisition Tool. You can also consider the commercial Belkasoft Evidence Center for some of the tasks you described.
_________________
Computer, Mobile, RAM and Cloud Forensics In a Single Tool
belkasoft.com 
 
  

afsfr
Member
 

Re: imaging using encase, FTK and X-ways

Posted: Dec 13, 19 07:45

- hommy0
EnCase has a few methods to acquire an evidence file of a live system:

1) EnCase Portable can be configured to acquire a physical device into an EX01 or an E01

2) In “Program Files\EnCase8” there is a command line tool called WinAcq. This can also be used to acquire an E01 of a live system.

3) Using the EnCase Agent, create and deploy onto the target system. You will then be able to preview and acquire over the network. There are agents for Windows, Linux and macOS (including Catalina)

Regards


Thank you for your suggestion. For live acquisition of a Linux image, I think we need to use a dd image. Currently my forensic workstation is Windows 10 and the portable is created from there. If I bring my laptop running Windows 8, portable EnCase and a Tableau write blocker and go to the data center to acquire a Red Hat Linux 7 image in dd format, is that OK? Or should I use the EnCase or Helix bootable Linux CD with LinEn and acquire in img format?

Also, if I get the Linux image and import it to my Windows forensic workstation, which is an NTFS partition, would it be able to view a Linux ext partition? I need to analyze Linux process info, Linux MAC timestamps, as well as malicious rootkits in ELF format and strace of an ELF file. Would that be possible? Is there any EnScript I can use to parse a Linux image in the Windows version of EnCase?
 
  

hommy0
Senior Member
 

Re: imaging using encase, FTK and X-ways

Posted: Dec 13, 19 10:57

There is only a Windows version of EnCase.
It has the ability to parse multiple file systems (other than NTFS, FAT and exFAT), including ext2, ext3 and ext4.
If you have taken a dd image you will need to add it as a RAW image.

Regards  
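A concrete version of the dd-then-add-as-RAW workflow discussed in the last two posts, as an added example that is not part of the thread and not EnCase's, X-Ways' or any vendor's tooling: it images a block device sector by sector with GNU dd, keeps dd's diagnostics as an acquisition log, and writes a SHA-256 sidecar so the image hash can be re-checked after the file is added to EnCase or X-Ways as a RAW image. The device and output paths in the comments are assumptions, and the demo runs against a constructed 1 MiB file rather than a real disk, so it needs neither root nor a write blocker.

```shell
#!/bin/sh
# Added example, not from the thread: raw (dd-format) acquisition of a Linux
# block device with a hash sidecar, so the .img can be added to EnCase or
# X-Ways as a RAW image. Assumes GNU coreutils (dd, sha256sum). Device and
# output paths mentioned in comments are hypothetical.
set -eu

# acquire_raw SOURCE DEST
# Copies SOURCE to DEST one 512-byte sector at a time. With bs=512 (the
# logical sector size) conv=noerror,sync zero-fills only sectors that really
# fail to read; a larger bs would also zero-pad the final partial block and
# silently change the image hash. dd's diagnostics (read errors, record
# counts) are kept in DEST.log as part of the acquisition record.
acquire_raw() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>"$2.log"
    sync
}

# hash_of PATH: print the SHA-256 digest of PATH and nothing else
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# write_sidecar IMAGE: record the image hash in IMAGE.sha256 (sha256sum -c format)
write_sidecar() {
    printf '%s  %s\n' "$(hash_of "$1")" "$(basename "$1")" > "$1.sha256"
}

# verify_image SOURCE IMAGE: succeed only if the image hashes the same as the
# source. This holds for a quiescent device (powered-down box imaged through a
# write blocker); on a live system the source keeps changing, so only the
# sidecar hash of the image itself is reproducible later.
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# demo: image a constructed 1 MiB "device" (a regular file of random bytes) so
# the script runs offline without root. On a real host SOURCE would be e.g.
# /dev/sda and DEST a file on the collection drive. Returns 0 when the image
# verifies against the source and the sidecar checks out with sha256sum -c.
demo() {
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/fake_device" bs=512 count=2048 2>/dev/null
    acquire_raw "$work/fake_device" "$work/evidence.img"
    write_sidecar "$work/evidence.img"
    rc=1
    if verify_image "$work/fake_device" "$work/evidence.img" \
       && (cd "$work" && sha256sum -c evidence.img.sha256 >/dev/null 2>&1); then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}
```

On a real collection the calls would be `acquire_raw /dev/sda /mnt/collection/rhel7.img` followed by `write_sidecar /mnt/collection/rhel7.img` (paths hypothetical), and the `.img`, `.log` and `.sha256` travel together; `verify_image` against the source only makes sense when the disk is not being written to, which is exactly the difference between the write-blocked and the live scenario afsfr describes. The resulting image is plain sector data with no container metadata, which is why it is loaded as RAW rather than as an E01.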
 

Page 1 of 2
Page 1, 2  Next