Imaging a drive using Windows

Discussion of legislation relating to computer forensics.

keydet89
Senior Member
 

Re: Imaging a drive using Windows

Post Posted: Jul 05, 08 15:33

> ...you are teaching students on software that is by far the most widely used windows forensic application out there.

IMHO, teaching EnCase for that reason is a mistake. Forensic analysis should be about using the right tool, not just about using EnCase. Yes, EnCase is the most popular...but it's that way for the same reasons that Gates' MS-DOS became the most popular OS at the time, over Kildall's CP/M.

Forensic examiners and students alike should know how things like file signatures work first; *then*, should they decide to use that technique (or any other), learn how to do so in a particular application.
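The file-signature point made here (and picked up later in the thread, where all that is said to be needed is a hex viewer and the ability to highlight bytes) is easy to show in code. The following Python is an added illustration, not code from this thread or from any of the tools it names: it keeps a small table of well-known public magic numbers, renders the leading bytes the way a hex viewer would, and flags files whose extension disagrees with their signature. The sample files are constructed byte strings, not real evidence.

```python
"""Identify files by their leading bytes (file signature / 'magic number') and
flag extension/signature mismatches, as an examiner would with a hex viewer.
Added illustration; not code from the forum thread or from any tool named in it."""

import os

# Signature table: leading bytes -> type name, with the extensions that normally
# carry that type. These are the well-known public magic numbers for each format;
# the table is deliberately small.
SIGNATURES = [
    (bytes.fromhex("89504E470D0A1A0A"), "png",  {".png"}),
    (bytes.fromhex("FFD8FF"),           "jpeg", {".jpg", ".jpeg"}),
    (b"%PDF-",                          "pdf",  {".pdf"}),
    (b"PK\x03\x04",                     "zip",  {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),
    (b"GIF87a",                         "gif",  {".gif"}),
    (b"GIF89a",                         "gif",  {".gif"}),
    (b"MZ",                             "pe",   {".exe", ".dll", ".sys"}),
]


def identify(data: bytes):
    """Return the type whose signature matches the start of data, else None.
    Longer signatures are tried first so a short prefix cannot shadow a longer one."""
    for magic, name, _ in sorted(SIGNATURES, key=lambda s: -len(s[0])):
        if data.startswith(magic):
            return name
    return None


def hexdump_line(data: bytes, width: int = 16) -> str:
    """Render the first `width` bytes as a hex viewer does: offset, hex, ASCII."""
    chunk = data[:width]
    hexpart = " ".join(f"{b:02X}" for b in chunk)
    asciipart = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
    return f"00000000  {hexpart:<{width * 3 - 1}}  {asciipart}"


def check_extension(filename: str, data: bytes):
    """Compare the extension a file claims against what its signature says.
    Returns (detected_type, mismatch). mismatch is True only when the signature
    is recognised AND the extension is not one that type normally uses; unknown
    signatures return None and are never counted as a mismatch, because plain
    text and many formats have no fixed header at all."""
    ext = os.path.splitext(filename)[1].lower()
    detected = identify(data)
    if detected is None:
        return None, False
    allowed = set()
    for _, name, exts in SIGNATURES:
        if name == detected:
            allowed |= exts
    return detected, ext not in allowed


# Constructed samples (headers only): a PNG renamed to .txt, a JPEG/JFIF header,
# a plain-text file with no signature, and an OOXML document (a zip container).
SAMPLES = {
    "notes.txt":   bytes.fromhex("89504E470D0A1A0A") + b"\x00\x00\x00\x0DIHDR",
    "photo.jpg":   bytes.fromhex("FFD8FFE000104A464946"),
    "readme.txt":  b"Meeting notes, 15 July\n",
    "report.docx": b"PK\x03\x04\x14\x00",
}


def scan(samples=SAMPLES):
    """Run the extension check over every sample; returns {name: (type, mismatch)}."""
    return {name: check_extension(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        detected, mismatch = check_extension(name, data)
        flag = "MISMATCH" if mismatch else ""
        print(f"{name:12} {hexdump_line(data)}  -> {str(detected):5} {flag}")
```

Running it prints one hex-viewer line per sample and marks `notes.txt` as a mismatch (PNG bytes under a text extension), which is exactly the thing a student should be able to spot by eye before reaching for a tool's signature-analysis button.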
 
  

Jonathan
Senior Member
 

Re: Imaging a drive using Windows

Post Posted: Jul 05, 08 16:04

FTK Imager. Very good app and it's free.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
 
  

packman
Newbie
 

Re: Imaging a drive using Windows

Post Posted: Jul 15, 08 06:37

I am surprised that no one mentioned Helix. Free and with the gui you do not have to know any Linux.  
 
  

jeffcaplan
Senior Member
 

Re: Imaging a drive using Windows

Post Posted: Jul 15, 08 11:38

keydet89 wrote:
> Chitapett wrote:
> > ...you are teaching students on software that is by far the most widely used windows forensic application out there.
>
> IMHO, teaching EnCase for that reason is a mistake. Forensic analysis should be about using the right tool, not just about using EnCase. Yes, EnCase is the most popular...but it's that way for the same reasons that Gates' MS-DOS became the most popular OS at the time, over Kildall's CP/M.
>
> Forensic examiners and students alike should know how things like file signatures work first; *then*, should they decide to use that technique (or any other), learn how to do so in a particular application.


While I agree with you that knowledge of the process itself is the most important thing if one is required to proffer expert witness testimony, who is to say that the process cannot be taught along with the tool most suited for the job? And I do believe that EnCase is the tool most suited for the job of providing digital forensic analysis (if I had to pick just one). I don't consider myself a GSI fanboi, but when it comes to digital forensics, EnCase is the de facto standard (for a reason), and the fact that it's the standard does make it important to teach when you consider the context of why that's important to the field.

Everything about digital forensics is done so that information obtained can be offered as evidence in court. Without that point in mind, all of this could be described as glorified data recovery. The fact that there are legal standards for what is admissible in court and the fact that EnCase has been challenged and accepted more than any other digital forensics tool makes it a perfect reason to teach to newcomers to the field.

To quote from EnCase's legal journal:

> The final prong — whether a process enjoys "general acceptance" within the "relevant scientific community" — is a particularly important factor strongly considered by the courts in validating scientific tools and processes. "'[A] known technique that has been able to attract only minimal support within the community,' ... may properly be viewed with skepticism."[66] EnCase software is without question the most widely used computer forensic process in the field. Thousands of law enforcement agencies and companies worldwide employ EnCase software for their computer investigations. In addition, EnCase software has over twenty thousand users, and Guidance Software trains over four thousand students annually in the use of EnCase software. The widespread general acceptance of a process is often considered to be the most important prong in a Daubert/Frye analysis. In addition, even outside the litigation context, there are practical considerations: if it should become necessary to replace an expert, his or her use of standard software will make the transition to a replacement expert much easier.


Knowing what a file signature is and its relevance to forensics, why it's an important topic to know, and how to make use of that knowledge are all things which can easily be taught using EnCase...all you really need is a hex viewer, the ability to highlight things and a good teacher.


Having said all that, I think the OP's best bet is to use FTK Imager. It's Windows-based, it's free, it can create images in multiple formats, it provides a hash value of the acquired image and it has the ability to read images; this should all meet his criteria. Using EnCase w/o a dongle just to create an image is pretty anticlimactic.



Jeff
_________________
CISSP, EnCE, CCE, Security+, MCP, etc. etc.

"Show me a person's computer and I'll show you their soul." 
 
  

jeffcaplan
Senior Member
 

Re: Imaging a drive using Windows

Post Posted: Jul 15, 08 11:48

One additional note to the OP which he should be aware of (I hope) - If you're using Windows as opposed to Linux to image a drive, you will need to use a hardware write-blocker (in keeping with the true spirit of forensics...), as Windows does not have the same software write-block capabilities as Linux, with the exception of the reghack for external USB devices. So, making an exception for not having a hardware write-block device handy for the IDE drives, you could hook up the internal IDE drives to an external USB enclosure and make use of the reghack to ensure that the device, and thus the drive, are protected from any modification.

Otherwise, you'll need to use a bootdisk to image in Linux or DOS.


Jeff
_________________
CISSP, EnCE, CCE, Security+, MCP, etc. etc.

"Show me a person's computer and I'll show you their soul." 


Last edited by jeffcaplan on Jul 15, 08 22:32; edited 1 time in total
 
  

azrael
Senior Member
 

Re: Imaging a drive using Windows

Post Posted: Jul 15, 08 19:30

Have a look at : www.hackerhighschool.org/

There are lessons on both Linux and Forensics - both are light in content (for example, there is no discussion of imaging!) - as they aren't designed to teach practitioners, rather to slightly educate the yoof of today, in 30 mins in a classroom - but may be a good place to start, as they are also targeted at approximately the correct age group for what you are looking to do ...
_________________
--
Azrael
-- 
 
  

bshavers
Senior Member
 

Re: Imaging a drive using Windows

Post Posted: Jul 16, 08 02:51

There aren't any exciting imaging tools. Every GUI is point and click ("select source", "select destination" and "image it"). Not much more than that. For high school kids, you'd probably have an easier time showing Wargames than imaging.

But at least the point of 'do no harm' to the original evidence being one of the considerations, and the methods to do that, would be good. For demonstration purposes and time considerations, you could always have the kids image a floppy or CD, or even image a small USB drive, all directly to your host machine in a few minutes. Same concept really, but better than watching the paint dry as a hard drive is imaging.
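What "select source, select destination, image it" does underneath, and why the hash value that FTK Imager reports (mentioned earlier in the thread) matters for 'do no harm', is worth seeing in code. The following Python is an added illustration, not code from this thread or from FTK Imager, EnCase or Helix: it copies a source bit-for-bit in chunks, hashes the bytes as they are read (the acquisition hash), then re-hashes the finished image from disk (the verification hash) and compares the two. The "device" is a constructed file of deterministic pseudo-random bytes standing in for a small USB stick; on Windows the same `open(..., "rb")` call also works on a raw device path such as `\\.\PhysicalDrive1` with administrator rights, but that is outside what this example exercises. Opening the source read-only only stops this program writing to it; it is not a write-blocker, which is the point made above about hardware blockers and the USB write-protect registry policy.

```python
"""Acquire a bit-for-bit copy of a small source (a file standing in for a USB
stick) while hashing the stream, then verify the written image independently.
Added illustration of what an imaging tool does behind its three clicks; not
code from the forum thread or from FTK Imager/EnCase/Helix."""

import hashlib
import os
import random
import tempfile

CHUNK = 64 * 1024  # read size; real tools use larger, sector-aligned buffers


def hash_file(path, algorithms=("md5", "sha1")):
    """Hash a file from disk in chunks; returns {algorithm: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def acquire(source, image, algorithms=("md5", "sha1")):
    """Copy source -> image, hashing bytes as they are read (acquisition hash),
    then re-hash the finished image file (verification hash).
    The source is opened read-only: that stops this program writing to it but is
    NOT a write-blocker; a mounted device can still be touched by the OS itself."""
    hashers = {a: hashlib.new(a) for a in algorithms}
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure what we verify is what hit the disk
    acquisition = {a: h.hexdigest() for a, h in hashers.items()}
    verification = hash_file(image, algorithms)
    return {
        "bytes": size,
        "acquisition": acquisition,
        "verification": verification,
        "verified": acquisition == verification,
    }


def verify(image, expected):
    """Re-check an image later against the hashes recorded at acquisition time."""
    return hash_file(image, tuple(expected)) == expected


def make_sample_device(path, size=256 * 1024, seed=20080715):
    """Constructed stand-in for a small USB drive: deterministic pseudo-random
    bytes, so repeated runs produce the same hashes."""
    rng = random.Random(seed)
    with open(path, "wb") as f:
        f.write(bytes(rng.getrandbits(8) for _ in range(size)))
    return path


def demo(workdir=None):
    """Image the sample device, then show that a single flipped byte in a copy
    of the image is caught by re-verification. Returns
    (acquisition report, original image still verifies, tampered copy verifies)."""
    workdir = workdir or tempfile.mkdtemp(prefix="imaging-")
    device = make_sample_device(os.path.join(workdir, "usb_stick.bin"))
    image = os.path.join(workdir, "usb_stick.dd")
    report = acquire(device, image)
    tampered = os.path.join(workdir, "usb_stick_tampered.dd")
    with open(image, "rb") as f:
        data = bytearray(f.read())
    data[len(data) // 2] ^= 0xFF
    with open(tampered, "wb") as f:
        f.write(data)
    return report, verify(image, report["acquisition"]), verify(tampered, report["acquisition"])


if __name__ == "__main__":
    report, still_good, tampered_ok = demo()
    print(f"acquired {report['bytes']} bytes, verified={report['verified']}")
    for alg, digest in report["acquisition"].items():
        print(f"  {alg}: {digest}")
    print(f"re-verify original image: {still_good}, tampered copy: {tampered_ok}")
```

For a classroom run this finishes in well under a second, and the two printed digests are the values that would go into the acquisition notes; the tampered copy failing re-verification is the concrete demonstration of why the hash is recorded at all.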
 

Page 2 of 3