Sorry if these questions sound like they are coming from a simpleton…it's really not that far from the truth 😉
Can anyone recommend a tried and tested method (hardware / software / bespoke products) of acquiring forensic images for analysis in Encase V4 that will allow the following
Fast, reliable copying of hard disks - mainly IDE
2 copies to be performed simultaneously
Also, what are the known implications of taking a full forensic bit-stream copy of a disk as opposed to an image.
Any help or advice would be appreciated
Can anyone recommend a tried and tested method (hardware / software / bespoke products) of acquiring forensic images for analysis in Encase V4 that will allow the following
Fast, reliable copying of hard disks - mainly IDE
Sure. Linux or Windows, + dd/
2 copies to be performed simultaneously
To be honest, I haven't run across this one, or the need, so I'll be interested to see…
Also, what are the known implications of taking a full forensic bit-stream copy of a disk as opposed to an image.
An image *IS* a "full forensic bitstream copy of a disk".
Hope that helps.
H. Carvey
"Windows Forensics and Incident Recovery"
http//
http://windowsir.blogspot.com
2 copies to be performed simultaneously…..
FTK imager (which is free to download and use), can perform this function. It can also image to EnCase .E01, Linux DD, and SMART files all at the same time.
Andy
Many thanks for these suggestions, they are most helpful. I will evaluate these suggestions and keep you updated on my progress (if of course you're interested!!). If anyone else has any suggestions, please do let me know. Thanks once again.
For fast imaging of IDE HDs you can use the hardware tool "Forensic MD5"; the image file thus created supports most analysis tools such as EnCase v4, FTK, etc.
Thanks again to all those wonderful people who have contributed to this thread.
Am swaying towards using either a Linux based solution or one of the hardware imagers - such as the Forensic MD5.
Does anyone know if you can implement lossless compression with DD images???
Also, is it true to say that hardware solutions such as the Forensic MD5 and the Logicube Talon are far quicker than using a PC (running either Windows or Linux) to image hard disks?
Does anyone know if you can implement lossless compression with DD images???
Sure, gzip etc.
Jamie
I know that hardware based solutions are the way to go.
The Logicube MD5 works at speeds greater than 3 GB/min for 7200 rpm drives (I have tested it) and I read that the Talon works at speeds of 4 GB/min.
So you are looking at imaging a 40 Gig drive in under 20 min (including setup etc.)
Compare that with an Encase or FTK imager acquisition and you will find yourself saving serious amounts of time.
I know that the Logicube MD5 allows you to create DD images and these can be accessed by both Encase and FTK.
I had read about a product somewhere which produced two images at the same time - let me see if I can find it for you.
Cheers
Samir Datt
Take a look at the SMART forensic toolkit at http//
Re the hardware copiers, they can be quick under the 'write' conditions (excuse the pun) but suppliers have been frank with me about reliability and variety of performance.
Nick
Hardware Solution for imaging to 2 drives simultaneously is the Talon Raid attachment for the Logicube Talon.
The hardware bitstreaming solutions are good for cases without bad sectors.
In situations with bad sectors - things become tricky - especially when the disk is failing and stops working every few minutes due to heat generation. For this kind of a situation you need reverse cloning software which can start and stop at designated sectors, work in segments and maintain md5 hashes for each segment.
HTH
Samir Datt
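The segmented acquisition described in the post above (start and stop at designated segments, one MD5 per segment), combined with the two-simultaneous-copies requirement from the start of the thread, as an added example that is not code from any poster or product named here. The function name `image_range`, the 512-byte sector size and the zero-filling of unreadable sectors are assumptions; it reads forward only and relies on POSIX `os.pread`/`os.pwrite`.

```python
import hashlib
import os

SECTOR = 512  # assumed sector size


def image_range(src_path, dest_paths, seg_sectors, first_seg=0, last_seg=None,
                reader=os.pread):
    """Copy segments first_seg..last_seg of src to every destination.

    Data is written at the same byte offsets it was read from, so a run can be
    stopped and resumed at any segment. Returns
    {segment: (md5_hex, [unreadable sector numbers])}.
    """
    src = os.open(src_path, os.O_RDONLY)
    # Opened without truncation so an earlier partial image is preserved.
    dests = [os.open(p, os.O_WRONLY | os.O_CREAT, 0o600) for p in dest_paths]
    log = {}
    try:
        size = os.lseek(src, 0, os.SEEK_END)  # works for files and block devices
        seg_bytes = seg_sectors * SECTOR
        total_segs = -(-size // seg_bytes)    # ceiling division
        if last_seg is None:
            last_seg = total_segs - 1
        for seg in range(first_seg, min(last_seg, total_segs - 1) + 1):
            md5, bad = hashlib.md5(), []
            start = seg * seg_bytes
            for off in range(start, min(start + seg_bytes, size), SECTOR):
                want = min(SECTOR, size - off)
                try:
                    data = reader(src, want, off)
                    if len(data) != want:
                        raise OSError("short read")
                except OSError:
                    data = b"\x00" * want     # zero-fill keeps offsets aligned
                    bad.append(off // SECTOR)
                md5.update(data)              # hash covers what was written
                for fd in dests:
                    os.pwrite(fd, data, off)
            log[seg] = (md5.hexdigest(), bad)
    finally:
        for fd in [src, *dests]:
            os.close(fd)
    return log
```

The per-segment hash is computed over the bytes actually written, so a segment that lists unreadable sectors will not match a hash of the original media; the list of zero-filled sectors is what documents the difference.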