On the topic of quicker forensic imaging and WinFE, I've made a blog post at the WinFE blog (http//
Microsoft is no longer allowing WinPE (and thus WinFE) to be licensed and distributed.
I queried Microsoft about this in mid-2013; this was their response.
"…there has been no change to the decision or the time frame for ending WinPE. This has been discussed at length and the impact to ISVs and end users was taken into account and we still think that ending distribution of WinPE is the right direction for Microsoft to take. I am sorry but Microsoft does not offer any other options."
So unless you have something else in writing from Microsoft I would suggest that both selling and giving away WinPE (and WinFE) for free is now in breach of their license.
Microsoft is no longer allowing WinPE (and thus WinFE) to be licensed and distributed.
…
So unless you have something else in writing from Microsoft I would suggest that both selling and giving away WinPE (and WinFE) for free is now in breach of their license.
The wording here
http//
Windows Preinstallation Environment Windows PE is available via several channels. MSDN subscriptions include the Windows AIK, and Windows PE is one of the tools in that kit. Any product that uses Windows PE from the WAIK must include the WAIK when redistributed. Microsoft no longer offers a WinPE and WAIK redistribution license for Independent Software Vendors or Independent Hardware Vendors. Licensing of WinPE is only available for Original Equipment Manufacturers who license Windows Products. Please send email to [email protected] for general WinPE inquiries.
is very similar to your snippet.
The date it was ended completely should be around January/March 2012
http//
http//
http//
And in any case (AFAIK) it was not-so-easy for an ISV to obtain a re-distribution agreement with MS, as the idea was that it was aimed ONLY at "recovery purposes"
http//
jaclaz
I had a quick look through the patent (which you can read
Very interesting! I can see how it could be powerful. It does make me wonder about the cost though )
So if you plug in 3 USB devices then it can use all three and then put it back together afterwards. This is why it is so fast.
Very interesting! I can see how it could be powerful.
Well, but you would need 3 USB devices (and 3 USB ports) and possibly three USB writeblockers.
The original point - I believe - was if this thingie was much faster than other common imaging tools in a more conventional 1:1 situation. ?
As an example (not necessarily related) a number of USB sticks/and hard disks providers (we are talking here of USB 2.0 times) like Mushkin, LaCie or Buffalo provided a "special" TurboUSB software that used a different transmission "mode" (or "protocol" or *whatever*) and made data transfer, particularly for large amounts of data, much faster.
The same (or a similar approach) was even integrated in Windows 7 and/or by different motherboard manufacturers
http//
jaclaz
Hello,
It's not just USB you can use, but any data port. I found in my tests that splitting the image over different ports makes the process quicker. I used a USB3 port, an eSATA attached SSD and an express adapter card with USB3 ports on my laptop. Haven't tried firewire yet.
Sticking the image back together is fairly quick too, and is still quicker than actually removing the drive overall.
Mark
Very creative. So it sounds similar to imaging out to a RAID 0, but with multiple types of storage devices.
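The split-and-rebuild approach discussed in the posts above, laid out as RAID 0-style striping with a hash check on the rebuilt image. This is an added example, not part of the thread and not Ballistic's own method (the thread does not describe its internals); the 1 MiB stripe size, the file names and the sequential writes are assumptions, and a real acquisition would write to each port in parallel.

```python
import hashlib, os, tempfile
from contextlib import ExitStack

CHUNK = 1 << 20  # stripe size in bytes (assumed value, 1 MiB)

def stripe_image(src_path, part_paths, chunk=CHUNK):
    """Write the source round-robin across part_paths; return its SHA-256."""
    digest = hashlib.sha256()
    with ExitStack() as stack:
        src = stack.enter_context(open(src_path, "rb"))
        parts = [stack.enter_context(open(p, "wb")) for p in part_paths]
        i = 0
        while block := src.read(chunk):
            digest.update(block)              # hash in original byte order
            parts[i % len(parts)].write(block)
            i += 1
    return digest.hexdigest()

def rebuild_image(part_paths, out_path, chunk=CHUNK):
    """Interleave the parts back into one image; return its SHA-256."""
    digest = hashlib.sha256()
    with ExitStack() as stack:
        out = stack.enter_context(open(out_path, "wb"))
        parts = [stack.enter_context(open(p, "rb")) for p in part_paths]
        i = 0
        # The first empty read marks the end: every earlier stripe is consumed.
        while block := parts[i % len(parts)].read(chunk):
            digest.update(block)
            out.write(block)
            i += 1
    return digest.hexdigest()

def demo(size=5 * CHUNK + 123, n_parts=3):
    """Constructed test image: stripe it, rebuild it, compare hashes."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(size))         # constructed sample data
        parts = [os.path.join(d, f"part{k}.bin") for k in range(n_parts)]
        acquired = stripe_image(src, parts)
        rebuilt = rebuild_image(parts, os.path.join(d, "rebuilt.dd"))
        sizes = [os.path.getsize(p) for p in parts]
    return acquired, rebuilt, sizes

if __name__ == "__main__":
    print(demo())
```

The rebuilt image is only usable as evidence if its hash matches the one computed during acquisition, and the parts must be passed to `rebuild_image` in the same order and with the same stripe size used when splitting.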
Ballistic is designed to cut time in all situations, especially field work. The cost of the software (and hardware) is to reflect the investment MCMS have put into the project (it is a 3 year licence and there is a development roadmap for new features). The capability will stand time, data size will continue to rise and where will it stop?
I imaged 3 laptops in under 1 hour yesterday (over 1.5tb), using 1 BALLISTIC Kit.
The system can utilise USB, eSATA, SD Card, FireWire and an express adapter. On the roadmap is Thunderbolt.
We are running a workshop (it won't take long -excuse the pun) at our office in West Sussex this month and June tbc, you can see the software running, get a full training course and walk away with a demo. The demo version images and rebuilds 20gb of data. Come along. As with all our projects we welcome customer feedback / innovations.
Interesting comments on here, thank you.
Estimations on 2015 hard disk sizes????
2000 - 2010
Hard disk capacity grew 5x
SLC SSD capacity- grew 71x ….SCARY
Ballistic is designed to cut time in all situations, especially field work.
Sure ) .
Interesting comments on here, thank you.
Some were actually NOT "comments", but requests for further details
http://www.forensicfocus.com/Forums/viewtopic/p=6573187/#6573187
With all due respect, this
I imaged 3 laptops in under 1 hour yesterday (over 1.5tb), using 1 BALLISTIC Kit.
is another (nice) piece of anecdotal evidence, but it is not yet clear (at least to me) WHAT is this "Kit".
Member markl1975 posted about it being a "software only", you now talk again of "hardware"
The cost of the software (and hardware) is to reflect the investment MCMS have put into the project (it is a 3 year licence and there is a development roadmap for new features).
And you should still IMHO reply to the point raised about re-distribution of a Windows PE, which I believe is not-so-trifling. 😯
jaclaz
I received this from Microsoft this morning while trying to see if our company can use a WinPE/WinFE boot solution.
"I know some of our tools such as DaRT runs on WinPE. DaRT is a standalone toolset available to customer as part of MDOP. It’s a more full recovery environment. If you want to run Win PE for other general purposes, I don’t think we license in that manner anymore."