±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36604
New Yesterday: 3 Visitors: 152

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Imaging software

Discussion of computer forensics employment and career issues.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2, 3, 4, 5  Next 
  

debaser_
Senior Member
 

Imaging software

Post Posted: Nov 17, 05 23:05

Besides dd, which other means of acquisition would be best to become familiar with? I would like to start building my resume aiming to gain an entry level job. Since making forensically sound images is very important, I want to take a very good look at all of the options available to me. This question is aimed at imaging a dead system.

Does anyone use ghost to make images? Are there any other windows apps used for acquisition?

Is helix the best for imaging memory contents of a live system?

Sorry if my post isnt the most cohesive. Just looking for some feedback in the middle of studying.

Thanks  
 
  

arashiryu
Senior Member
 

Re: Imaging software

Post Posted: Nov 18, 05 00:02

There are various ways to acquire a forensically sound image.

*Windows app: Attach the suspect drive to a write blocker (IDE, SATA, SCSI etc.) and mount it via usb/firewire on your acquisition workstation. You can then use FTK imager installed on your acquisition workstation to obtain an forensic image (dd, Safeback, Encase) of the mounted suspect drive.

*DOS app: Ghost can be used but I would recommend against it unless you have no other choice left. There is a switch in Ghost that you can specify to get a sector by sector copy. I assume you have a bootable floppy disk. Make sure the Ghost command in autoexec.bat has the switch included for sector by sector copy.

*Windows App: WinHex is another option.

*DOS app: I have used X-Ways Replica from the makers of WinHex. Works well. I prefer this over Ghost boot disk.

*Paraben's Forensic Replicator is good as well.

*EnCase.

*Prodiscover.

It varies case by case and depends upon the the situation. I have used all
of the above.
There are other products but the ones I mention are most widely used.

The method I prefer for dead (turned off) systems is Write Blocker and FTK imager combination.

IMHO Prodiscover is the best product to acquire a live system.  
 
  

debaser_
Senior Member
 

Re: Imaging software

Post Posted: Nov 18, 05 02:23

Thanks for the quick reply. Although dd works fine, I figured it would be best to also look at a few other commonly used alternatives. I am going to check out a few that you mentioned.  
 
  

nickfx
Senior Member
 

Re: Imaging software

Post Posted: Nov 18, 05 21:09

Can I also suggest you take a look at the free windows tool FTK Imager. You can download from www.accessdata.com/ftkuser.

It's a really useful tool, easy to use and can convert between formats. You can also take a look at the drive pre-aquisition.

Cheers

Nick  
 
  

debaser_
Senior Member
 

Re: Imaging software

Post Posted: Nov 18, 05 22:03

FTK Imager was one that I looked at first. I used it to make an image of a flash drive. Seemed to be cake.

Im going to play around the the FTK demo a bit as well.  
 
  

farmerdude
Senior Member
 

Re: Imaging software

Post Posted: Jan 13, 06 11:22

Whichever tool(s) you use to acquire and/or clone drives, make certain you write your image files in a raw format (such as that of 'dd'). A raw image file can be interpreted and accessed by every program, now and conceivably always in the future. A proprietary image file format cannot be read by every program and may not always be read in the future by the same software (backward compatibility is not a guarantee, a popular Win32 forensic program is guilty of this). You gain maximum advantage using a raw format.

Check out SMART for Linux - you can acquire and clone simultaneously. It's very slick. Additionally, error handling ensures you don't "throw the baby out with the bath water".

regards,

farmerdude  
 
  

mbinmd
Newbie
 

Re: Imaging software

Post Posted: Feb 07, 06 08:10

I can't agree more with farmerdude. I supervised a section at a very large government lab where we imaged many many terabytes last year and our first choice is always a dd image using dcfldd. This tool generates an MD5 while you image and the newest version available on sourceforge can do several other hash algorithms. The sheer portability of the raw image is invaluable because all the big forensic software tools all have their advantages/disadvantages so I may use multiple tools on one exam.  
 

Page 1 of 5
Page 1, 2, 3, 4, 5  Next