I havn't done this yet and I probably need to do it just in case the evidence files I'm viewing have a virus or are corrupted in some way; and infect my forensic machine. The question is how and I have limitations I'm working with. Currently, I'm using a laptop for aqusition (firewire 800) with an external HD (again firewire 800) for storage…..pretty fast. I'm also using the laptop for analysis…thats my limitation. How would I go about coping my forensic laptop hd (maybe ghost) and then reinstalling it if I get a virus. Possible XP Restore might work? Any other ideas would be appreciated.
I personally prefer to use a "pristine" image for each exam I do. I usually will DD a clean install (Win/Linux) to a external drive, move it back to a partition on my forensic box, and then restore the image each time I start a new case. If I am using a Windows OS I place the image on a ext3 or Reiser partition so that a "virus" cannot corrupt it. Ghost would work to.
partimage is even better than dd. It only stores the data, not the unused sectors. Of course that is great for backups but not for forensic images.
Boot from a Knoppix CD. Run partimage to copy your internal HD OS partition to a file on an external drive.
Do the same in reverse to restore.