Duplicating Windows Drives While Leaving Them Untouched

(@mlarsen)
New Member
Joined: 13 years ago
Posts: 2
Topic starter  

First off, my apologies if this isn't in the proper forum or if this has been answered before. Most likely, it has been addressed, but as I'm fairly green in this field and still not clear on all the terminology, I may not be fully comprehending the information provided in other posts.

Anyway, here are the details pertinent to what I'm trying to work out:
Sometimes in response to potential breaches, we need to remove a drive from a desktop system so that our security folks can perform forensic analysis on the drive. As this can take time, we also need to get the end user's data back to them so they can continue working prior to the forensics on the original drive being completed.

Up to now, we've been doing this by using registry keys to block USB writes, slaving the breached drive using a USB cradle, and then copying off the necessary profile to restore to another hard drive so the data could be made available to the end user.

This usually worked fine with WinXP, but with Windows 7, access to directories on the slaved drive is blocked by the OS security, and the security settings cannot be changed without writing to the slaved drive. Writing to the drive could conceivably mess up the crime scene prior to forensics, so this isn't an option.

In short, we have a need to duplicate Windows 7 drives without altering the contents of the original drive. Ideally this can be done effectively with open source tools or at a fairly low cost.

I'm hoping that the forum members here can point me towards tools which meet these requirements.

If there's additional information I need to supply, please let me know. Thanks.


Beetle
(@beetle)
Reputable Member
Joined: 17 years ago
Posts: 318
 

You are talking about cloning. There are a host of tools to do this and it is built into the major forensic suites.

What do you have available? Ghost works for this kind of thing and you could also use the Windows version of dd or any of the specific Linux-based CDs that are around that will do the job safely for you, but I would advise against the registry key technique as I have never been thoroughly convinced that something isn't touching the evidence drive in some fashion. You may want to invest in some write-blocker hardware as an extra safety net.


Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

There are lots of alternatives.

I assume that in the past on your XP systems, you were only copying some of the files off the HDD to give back to the user. Not doing a copy of the whole drive.

You will only have problems with Win7 file permissions if you go through the Windows file system to access the files.

To avoid the file permissions you can either do a low-level copy of the whole disk, e.g. make a disk image and then extract the few files you want from the disk image, as it doesn't matter if you write to the image to change permissions if your investigation is being done on the physical source drive. There are lots and lots of options to make and mount full disk images. Including our own self-booting solution (free open source).
http://www.osforensics.com/tools/create-disk-images.html

If you didn't want to take the time to duplicate the whole drive, but still needed a few files copied off, then you can use a tool that bypasses the file system and directly reads the structure on the disk (ignoring permissions) to copy off the files. There are a few packages that can do this. Including our OSForensics software, which is free for personal use.

PM me if you need more info.


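The dd-based cloning Beetle mentions and the "image the whole disk, then work on the copy" approach Passmark describes, as an added example that is not code from any poster or product in this thread. It assumes a Linux live CD with dd, sha256sum, blockdev, stat and truncate, and that the source drive sits behind a write blocker; the "disk" it runs on stand-alone is a constructed temporary file.

```shell
#!/bin/sh
# Added example, not from the thread: image a drive with dd and prove the
# source was left untouched. Assumes a Linux live CD with dd, sha256sum,
# blockdev/stat and truncate; the source should still sit behind a write blocker.

# SHA-256 hex digest of a device or regular file.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Byte size of a block device (blockdev) or a regular file (stat).
size_of() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# image_and_verify SOURCE IMAGE LOGFILE
# Succeeds only if image == source and the source hash is unchanged afterwards.
image_and_verify() {
    src=$1; img=$2; log=$3
    before=$(sha256_of "$src")
    # noerror: skip unreadable sectors instead of aborting; sync: zero-fill them
    # so every byte of the image keeps its original offset.
    dd if="$src" of="$img" bs=1M conv=noerror,sync 2>/dev/null
    # conv=sync also pads the final partial block, so cut the image back to the
    # exact source size before hashing.
    truncate -s "$(size_of "$src")" "$img"
    after=$(sha256_of "$src")
    imghash=$(sha256_of "$img")
    printf 'source=%s\nimage=%s\nsha256_before=%s\nsha256_after=%s\nsha256_image=%s\n' \
        "$src" "$img" "$before" "$after" "$imghash" > "$log"
    [ "$before" = "$after" ] && [ "$before" = "$imghash" ]
}

# Stand-alone demo on a constructed 1 MiB + 100 byte "disk" file (deliberately
# not a multiple of bs, to exercise the truncate step). Prints the hash log.
demo_run() {
    d=$(mktemp -d)
    head -c 1048676 /dev/urandom > "$d/disk.bin"
    image_and_verify "$d/disk.bin" "$d/disk.img" "$d/disk.log"
    rc=$?
    cat "$d/disk.log"
    rm -rf "$d"
    return $rc
}
```

The three recorded hashes are what the security team can check against their own acquisition; permission changes, mounting and file extraction then happen on the image (read-only loop mount, OSForensics, or similar), never on the original drive.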
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

In short, we have a need to duplicate Windows 7 drives without altering the contents of the original drive. Ideally this can be done effectively with open source tools or at a fairly low cost.

Your first stop should be those you call 'our security people' who are doing the analysis. They (presumably) know what they need, and how they prefer to get it. (If you supply a Ghost image and they prefer EWF images, it just will add delays to your work process.)

Apart from that … start by examining one (or more) of the free/inexpensive live CD solutions that are available. You can find some listed here: http://www.forensicswiki.org/wiki/Tools#Forensics_Live_CDs .

You need to verify that whatever you decide to use can support the hardware present in your systems. Probably not a major problem, but if there are some unusual disk controllers somewhere in your organization, you will sooner or later have to deal with them (or rather any lack of support for them in your chosen platform).


(@mlarsen)
New Member
Joined: 13 years ago
Posts: 2
Topic starter  

Thanks very much for the responses. Yes, it is cloning that I need to do. I do need to talk with our security group further to better understand their needs. Currently, we hand over the physical disk, but it would work better to hand over a file instead. I'm checking out the Forensics Live CDs, OSFClone, and setting up a meeting with security as my next steps.

Again, thanks very much for the useful guidance provided.

