Can I Make Forensic-Format Copy of Single File or Folder?

7 Posts
4 Users
0 Reactions
2,712 Views
 KenF
(@kenf)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

I'm completely unfamiliar with this field; hence the very basic question.

I have been asked to provide a copy of a few select files/folders in a forensic format. I see from the little bit of research I have done (Google, this forum, reference to Paraben and Logicube websites) that you can create a perfect image copy (sector-by-sector or bit-by-bit; I don't recall the precise terminology used) of an entire drive. However, I have not found anything that would suggest I can make a copy of a single file or folder in forensic format, particularly onto an easily transportable medium such as a jump drive or a CD. Is there a way to do so? The files/folders are on a machine running Windows 7, 64-bit (upgraded from original Vista installation).

Thank you for your assistance.

Ken

(@forensix)
Active Member
Joined: 12 years ago
Posts: 7
 

Apologies, incorrect info provided. I'll try harder next time!

 KenF
(@kenf)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

Are you trying to image one individual file? Although I have never actually tried to do this and so haven't done any extensive research, I don't think that is possible. You would have to image the whole hard drive before then going through it (if this is going to be a one-time thing I'd recommend using free forensic software such as Autopsy) to locate and extract the particular file(s) that you wanted.

Do you have the direct file path from your client? This would make locating the file significantly easier once you've imaged the hard drive.

That is correct. What has been requested is a copy of a few specific files (some Word documents, .pdf documents, and emails contained in readily accessible working folders), so the direct path is known.

You refer to imaging the drive then "extracting" the files. I had thought about the question along similar or maybe the same lines. But I was thinking that the whole drive would be imaged and then everything else other than the subject files removed (like dusting away dirt from around fossils in the ground); that left me wondering how to go about doing that, since there would be far, far more on the imaged drive that I would not be able to see and/or understand what I was seeing, so I wouldn't have a clue how to do such "dusting away."

On the other hand, if I were to image the drive then make some sort of copy of the files from the imaged version of it, wouldn't I still be in the same situation of trying to make a forensic-format copy of just the specific files (albeit off of the forensic-format image of the drive instead of off of the "working" drive), thus presenting the same problem?

(@pragmatopian)
Estimable Member
Joined: 16 years ago
Posts: 154
 

If you just need to preserve specific files or folders with a checksum you can use FTK Imager to create a 'custom image'.

 KenF
(@kenf)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

If you just need to preserve specific files or folders with a checksum you can use FTK Imager to create a 'custom image'.

I am looking at the manual quickly and see instructions for custom carving. Does that include specifying specific file names to copy over?

Also, the request expounded on the term "forensic format" by indicating that it would "reflect the original signatures of the electronic files." I don't know whether checksum data alone would suffice for the requesting party's purposes; any idea whether FTK Imager-created files would include such "original signatures"?

Thanks for the assistance/guidance here.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

However, I have not found anything that would suggest I can make a copy of a single file or folder in forensic format, particularly onto an easily transportable medium such as a jump drive or a CD. Is there a way to do so?

Of course there is. The physical image format you mention is 'trivial' in a sense, as it records the layer 'below' the file system: as long as you can grab all the sectors that are used for the file system, you have also grabbed everything else that is relevant, and in some sense of the word created a 'perfect' forensic image.

But with single files, or directory trees, it gets more tricky as you can't grab everything (by definition, as it were), you have to define just what information you are interested in, and then record that.

The overt information (i.e. the information any computer user could access) is easy enough – well, you can use many forensic tools to create a so-called logical image. (Some extend the term 'logical image' to mean *all* files, and use the term 'targeted image' or some such to indicate a selection of them.)

If you have and use some forensic tool kit, check it out for logical imaging or acquisition. Otherwise, try FTK Imager (free download from AccessData), and 'Create Disk Image …', and select 'Contents of a Folder'.

I haven't checked it in detail, but I suspect any good file archive tool will work too, as long as it records all the relevant metadata you're after. The standard ZIP file format stores only one timestamp, for example, which does not count as 'forensic' for NTFS-based files, but if you use PKZIP for Windows, and take particular care to enable the relevant options (save file times, save alternate streams, preserve file attributes, etc), it would probably do reasonably well. If you also can include the $MFT or the relevant records, you would get some additional attributes that might be useful. Off the top of my head, I would imagine that a good backup program that's capable of restoring all attributes could be useful as well, but I have never studied those in detail.

However, there is no 'one size fits all' when it comes to this type of image. You have to know what you plan to do with the information, and, based on that, decide what information you need to extract, and then choose an appropriate method. Choosing a tool that produces a file set or image that can't be read by the tools that will be used for the analysis would clearly be a mistake, for example.

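The two replies above (the FTK Imager 'custom image' suggestion and the longer explanation of what a logical or targeted image has to record) both come down to the same idea: copy only the selected files, but capture their hashes and file-system metadata so the copies can later be shown to match the originals. The script below is an added illustration of that idea and is not code from this thread, from FTK Imager, or from any of the products mentioned; it does not produce an AD1/E01 container, and it captures only what Python's os.stat exposes (no alternate data streams, no $MFT attributes). The examiner name, note text, and the two sample files it creates in a temporary directory are constructed for the demonstration.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

HASH_ALGORITHMS = ("md5", "sha256")


def hash_file(path):
    """Hash a file's contents with every algorithm in HASH_ALGORITHMS in one pass."""
    hashers = {name: hashlib.new(name) for name in HASH_ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def describe_file(path):
    """Record the file-system metadata a logical image should keep alongside the bytes."""
    st = os.stat(path)
    return {
        "source": str(Path(path).resolve()),
        "size": st.st_size,
        "modified_ns": st.st_mtime_ns,
        "accessed_ns": st.st_atime_ns,
        # On Windows st_ctime is the NTFS creation time; on POSIX it is the
        # inode change time, so the manifest records which one was captured.
        "ctime_ns": st.st_ctime_ns,
        "ctime_meaning": "created" if os.name == "nt" else "inode_changed",
        "hashes": hash_file(path),
    }


def acquire_logical(sources, out_dir, examiner="examiner", note=""):
    """Copy selected files/folders into out_dir/evidence and write a hash manifest.

    Each source is a single file or a folder (copied recursively). The manifest
    stores hashes of the original and of the copy so they can be compared at
    acquisition time, and so the copies can be re-verified later.
    """
    out = Path(out_dir)
    evidence = out / "evidence"
    evidence.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        if src.is_file():
            files = [(src, src.name)]
        else:
            files = [(f, f.relative_to(src.parent).as_posix())
                     for f in sorted(src.rglob("*")) if f.is_file()]
        for original, rel in files:
            dest = evidence / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(original, dest)  # copy2 also carries mtime/atime where the OS allows
            entry = describe_file(original)
            entry["image_path"] = rel
            entry["copy_hashes"] = hash_file(dest)
            entries.append(entry)
    manifest = {
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "note": note,
        "hash_algorithms": list(HASH_ALGORITHMS),
        "files": entries,
    }
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_image(out_dir):
    """Re-hash every copy in the image against the manifest; return a list of problems."""
    out = Path(out_dir)
    manifest = json.loads((out / "manifest.json").read_text())
    problems = []
    for entry in manifest["files"]:
        copy = out / "evidence" / entry["image_path"]
        if not copy.is_file():
            problems.append((entry["image_path"], "missing"))
        elif hash_file(copy) != entry["hashes"]:
            problems.append((entry["image_path"], "hash mismatch"))
    return problems


def demo():
    """Constructed sample: acquire two files, verify, then show that a later change is detected."""
    work = Path(tempfile.mkdtemp(prefix="logical_image_"))
    case = work / "source"
    (case / "reports").mkdir(parents=True)
    (case / "memo.docx").write_bytes(b"constructed sample document")
    (case / "reports" / "q3.pdf").write_bytes(b"%PDF-1.4 constructed sample")

    image = work / "image"
    manifest = acquire_logical([case / "memo.docx", case / "reports"], image,
                               examiner="hypothetical examiner", note="constructed demo")
    clean = verify_image(image)

    # Simulate a post-acquisition modification of one copy and re-verify.
    with open(image / "evidence" / "memo.docx", "ab") as fh:
        fh.write(b"!")
    tampered = verify_image(image)
    return manifest, clean, tampered


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m["files"], indent=2))
    print("verify (clean):", before)
    print("verify (tampered):", after)
```

The manifest is the part that answers the "original signatures" question in the thread: the hashes taken from the source files at acquisition time are what a later reviewer compares against, and the second verify call shows what a mismatch looks like. For a real matter the same information would normally come from a forensic tool's own container and log rather than a script like this, and anything that depends on NTFS-specific attributes would need the $MFT records the reply above mentions.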
 KenF
(@kenf)
Active Member
Joined: 12 years ago
Posts: 6
Topic starter  

Thanks for the information.

Ken
