Sorry, writing fast.
I have a Windows 7 laptop to image but would like to use a bootable CD/USB; anyone know of an ISO that has FTK Imager on it?
Yes.
http://homepage.ntlworld.com./jonathan.deboynepollard/FGA/questions-with-yes-or-no-answers.html
Point is that such pre-built images cannot normally be redistributed.
But you can build yourself a mini WinFE in next to no time.
http//
http//
jaclaz
Do you particularly need FTK Imager? There are plenty of bootable Linux distros with imaging tools that can create E01s (EWF format), DDs etc.
Personal choice would be CAINE.
Yeah, ran Kali with the DD command; just prefer for the future to have a prebuilt disk ready. Also like FTK Imager a bit better than running DD commands.
Just in case you aren't aware, modern distros like CAINE 4 will boot to a GUI, and the included imaging tool guymager has a GUI too, so the usage/output should be little different to FTKI on 'doze (no need for DD commands - e.g. http://guymager.sourceforge.net ).
Paladin from Sumuri is quite good as well. I use that one from time to time and have had no issues (apart from it being quite slow).
You can build a WinFE in about 20 minutes. FTK Imager easily added. http//
Also note that almost all Ubuntu-based forensic Live CDs clean the NTFS journal on the HDD during boot. This can be unacceptable for you.
thefuf, when DEFT (a forensic Linux distribution) is booting up, it does not mount the hard drive contained within the computer itself, or any other media for that matter, by default.
In DEFT, after DEFT has booted up, one has to first manually attach an external hard drive ("Target") to write the forensic image files to. The Target drive has to be manually designated as read/write so that the forensic image files can then be written to it.
If one is imaging a hard drive contained within the laptop ("Source") running DEFT, Guymager will see the internal hard drive in its unmounted state and allow one to create a forensic copy of the Source using Guymager.
So, how is the "NTFS journal on the HDD" being cleaned during the boot up process of the Linux forensic distribution?
Can you kindly provide some screen shots or hex views of the changes you are seeing to the "NTFS journal" of the Source drive?
1. Boot Windows system installed on NTFS.
2. Power cut.
3. Boot DEFT Linux.
4. Examine "/var/log/casper.log".
You can also compare hash values for NTFS partition.
PS. If anyone has questions about this issue, I can provide a small virtual machine (in OVA format for VirtualBox) to reproduce the NTFS journal wipe quickly.
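
The hash comparison suggested above, as an added example that is not part of the original thread: it hashes two raw images of the same NTFS partition and lists the byte ranges that differ, which goes one step beyond a plain hash mismatch. It assumes one image was acquired before and one after booting the live CD; the file names, `compare_images` and `demo` are hypothetical, and the sample data is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def compare_images(before_path, after_path, chunk=1024 * 1024):
    """Hash two raw images and list the byte ranges where they differ.

    Returns (sha256_before, sha256_after, ranges); each range is
    (start, end) with end exclusive, adjacent differing chunks merged.
    """
    h_before, h_after = hashlib.sha256(), hashlib.sha256()
    ranges, offset = [], 0
    with open(before_path, "rb") as fb, open(after_path, "rb") as fa:
        while True:
            b, a = fb.read(chunk), fa.read(chunk)
            if not b and not a:
                break
            h_before.update(b)
            h_after.update(a)
            end = offset + max(len(b), len(a))
            if b != a:
                if ranges and ranges[-1][1] == offset:
                    ranges[-1] = (ranges[-1][0], end)  # extend the previous range
                else:
                    ranges.append((offset, end))
            offset = end
    return h_before.hexdigest(), h_after.hexdigest(), ranges

def demo():
    """Constructed sample data: 4 KiB 'images', 1 KiB overwritten in the second."""
    before = bytes(range(256)) * 16
    after = bytearray(before)
    after[1024:2048] = b"\xff" * 1024  # stands in for a region changed at boot
    with tempfile.TemporaryDirectory() as tmp:
        p_before, p_after = Path(tmp, "before.dd"), Path(tmp, "after.dd")
        p_before.write_bytes(before)
        p_after.write_bytes(bytes(after))
        return compare_images(p_before, p_after, chunk=512)

if __name__ == "__main__":
    h1, h2, changed = demo()
    print("before:", h1)
    print("after: ", h2)
    for start, end in changed:
        print(f"changed bytes {start}-{end - 1} (sector {start // 512} onward)")
```

On real images, call `compare_images` with the two image paths and the default chunk size; the reported offsets show where to look in a hex viewer.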