I received three cases today and I want to gather a raw image of the folder c\abc, which is around 3.5 GB. If I use dd if=/sda1/abc of=/sda1/output/abc_acquire.001, will it be able to capture the raw image?
My second question is how much storage we need for a forensic workstation. In one case the disk size is 1 TB; if I capture a raw image and put it on my forensic workstation, then when the second case comes I need to delete the image to make room for the second case (assuming that disk is also 1 TB), and my forensic workstation is only 2 TB.
So do we need to buy a forensic workstation with a 30 TB disk?
I received three cases today and I want to gather a raw image of the folder c\abc, which is around 3.5 GB. If I use dd if=/sda1/abc of=/sda1/output/abc_acquire.001, will it be able to capture the raw image?
And you want to store it on the SAME device? 😯
Anyway, dd does not work with folders. There are workarounds, but it actually makes little sense to binary-image a folder, as all the relevant filesystem metadata will be lost; see
https://
My second question is how much storage we need for a forensic workstation. In one case the disk size is 1 TB; if I capture a raw image and put it on my forensic workstation, then when the second case comes I need to delete the image to make room for the second case (assuming that disk is also 1 TB), and my forensic workstation is only 2 TB.
So do we need to buy a forensic workstation with a 30 TB disk?
No.
You need an adequate number of suitably sized disks that you can add to your workstation (and remove from it to put into storage).
Typically eSATA or USB 3+ connected disks are used, but also NAS (of course you need a gigabit LAN).
You DO NOT delete a disk image, you store it (hopefully in more than one copy) until the case is closed.
jaclaz
Try using E01 with compression to reduce the size of the image for long-term storage.
Let me use an example: my friend sends me the dd image of hard disk ABC, size 0.8 TB.
Do I need to buy another portable hard disk XYZ, attach it to the forensic machine, and then mount ABC on XYZ?
I normally mount ABC on the forensic machine itself, not on another hard disk; please clarify.
Using E01 doesn't help too much.
My second question is: do we have to buy an EnCase-specific forensic workstation for cybersecurity investigation, or can we use any kind of workstation (like Dell, HP)?
Let me use an example: my friend sends me the dd image of hard disk ABC, size 0.8 TB.
Do I need to buy another portable hard disk XYZ, attach it to the forensic machine, and then mount ABC on XYZ?
I normally mount ABC on the forensic machine itself, not on another hard disk; please clarify.
Using E01 doesn't help too much.
Let's clarify what the procedure (normally) is:
1) you acquire the ORIGINAL hard disk (the physical device)
2) you (not your friend, not someone else, unless he/she is a qualified member of your same laboratory/organization) properly make a forensic image of the hard disk, storing it on some media (a single, separate hard disk, or some other storage media also containing other images) and verifying that the hashes of the image match the original [1].
3) you do whatever you need to do on the image, never touching the original again, which is stored as evidence.
4) after you have done the above, you verify that the hashes of the forensic image have not changed
5) you keep the image (usually, but not necessarily, together with your findings, notes, reports, etc.) and the original until the case (or at least the part of the case in which you are involved) is definitively closed (and then you may delete the image and re-use the media), or you pass the whole lot to someone else (respecting the normal "chain of custody" procedures), be it someone else in your laboratory, some authorized people, etc. This may take years, during which you will likely be required to make other copies of the image (for the defense, for some third-party experts, etc.)
6) profit!
My second question is: do we have to buy an EnCase-specific forensic workstation for cybersecurity investigation, or can we use any kind of workstation (like Dell, HP)?
Do what you feel confident with.
A professional forensic workstation (the idea of an "EnCase-specific" one is simply crazy) is nothing but a very powerful kit of hardware assembled with good-quality and suitable components by a professional.
By getting a commercial machine (possibly tweaking this or that aspect of it) you will save thousands of dollars, and as long as the machine is adequate (in speed, RAM, etc.) it will work just fine.
See this for an example
https://www.forensicfocus.com/Forums/viewtopic/t=16920/
Now, as a side-side note (and of course only if you wish to do so) you could spend a few words describing your current situation.
From the questions you asked/threads you started you seem sometimes a student, at other times a security/intrusion investigator, sometimes IT personnel in some generic, not forensics-oriented firm, sometimes a digital investigator in a professional environment…
Mind you, there is nothing bad (nor good) in being in any of the above roles/occupations (or something else, for that matter), but if you are looking for answers, they may be more targeted to your actual *needs*.
To stay on the forensic workstation topic, it is one thing if the machine is to be used in a 24/7 laboratory, possibly over shifts, and another thing if you have one case per month that you look at in your spare time.
jaclaz
[1] It is not uncommon to make an image, storing it to a separate disk for "archiving purposes" and then make a second image stored on a NAS or similar for "working on it".
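Steps 2 and 4 of the procedure above (image the device, hash source and image, record the hash, re-check it later) as a small POSIX shell script, and the point from the earlier reply that dd images devices, not folders. This is an added example, not code from the thread or from any of the posters: a regular file stands in for the physical disk, /dev/sdb and the case directory names are made up, and the "source hash equals image hash" check is the hash verification described in step 2 written out with sha256sum.

```shell
#!/bin/sh
# Added example (not from the thread): acquire / hash / verify with dd and sha256sum.
# A regular file stands in for the physical device; in practice SRC is a block
# device such as /dev/sdb attached through a write blocker. Names are made up.
set -eu

# Step 2: raw-copy SRC to IMG. dd reads a device (or a file), never a folder, so a
# directory is refused up front (dd itself would stop with "Is a directory").
# Plain dd is used on purpose: conv=noerror,sync keeps going over unreadable
# sectors but pads the final short read to a full block, so the image would no
# longer hash the same as the source. On failing media use a sector-sized bs or a
# dedicated recovery tool rather than this plain copy.
acquire_image() {
    src=$1; img=$2
    if [ -d "$src" ]; then
        echo "acquire_image: $src is a directory; image the device/partition holding it" >&2
        return 1
    fi
    dd if="$src" of="$img" bs=4M 2>"$img.dd.log"   # dd's summary kept as the acquisition log
}

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Step 2 continued: image SRC into CASEDIR, hash source and image, store the
# image hash beside the image, succeed only when the two hashes match.
acquire_and_verify() {
    src=$1; casedir=$2
    img="$casedir/$(basename "$src").dd"
    mkdir -p "$casedir"
    acquire_image "$src" "$img" || return 1
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    printf 'source=%s\nsource_sha256=%s\nimage_sha256=%s\n' \
        "$src" "$src_hash" "$img_hash" > "$img.acquisition.txt"
    [ "$src_hash" = "$img_hash" ]
}

# Step 4: before and after working on the image, confirm it still matches the
# hash recorded at acquisition time.
reverify_image() {
    img=$1
    (cd "$(dirname "$img")" && sha256sum --status -c "$(basename "$img").sha256")
}

# Demo on constructed data: a 1 MiB + 1 byte "device", i.e. not a multiple of
# the block size, which is exactly where conv=sync padding would have bitten.
demo() {
    work=$(mktemp -d)
    head -c 1048577 /dev/urandom > "$work/sdb"
    acquire_and_verify "$work/sdb" "$work/case-0001" && echo "acquisition verified"
    reverify_image "$work/case-0001/sdb.dd" && echo "image still intact"
    printf 'x' >> "$work/case-0001/sdb.dd"          # simulate a damaged or altered image
    if reverify_image "$work/case-0001/sdb.dd"; then echo "BUG"; else echo "hash mismatch detected"; fi
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh acquire.sh demo`. The .sha256 and .acquisition.txt files are the part that matters for step 5: they travel with the image (and with every further copy made for the defense or a third party), so anyone can repeat `sha256sum -c` years later without access to the original disk.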