Hello,
Since this is my first post and it has been a while since I used forensic tools like EnCase etc., I would like to ask a couple of questions, so forgive me if they have already been answered.
1. If you want to acquire an 80GB hard disk, how much space will you need on your forensic machine's local HD? As far as I remember EnCase splits the image into E01, E02..EXX files of 1GB; does it use some kind of compression?
2. While I was searching about SCSI HD drive acquisition I read that if the drives are in a RAID array it is better to use Helix to acquire an image. Again, if we are talking about an acquisition of a 180GB SCSI HD drive, will I need the same HD size on my local hard drive?
Thanks in advance.
Compression rates depend on the data
EXEs and programs typically compress to about 70% of original size
Text to about 20% of original
JPEGs do not compress
Blank space to about 5% of original
1. If you want to acquire an 80GB hard disk, how much space will you need on your forensic machine's local HD?
Depends on your settings. EWF (E01) adds some overhead in contrast to RAW (dd).
As far as I remember EnCase splits the image into E01, E02..EXX files of 1GB; does it use some kind of compression?
It can use segment files; EnCase 6 allows for > 2 GiB segment files
It uses zlib/deflate (RFC1951).
For more info check the file specification working document on http//
Note that compression is a speed trade-off, especially within EnCase. Other imaging tools like guymager and Tableau Imager can do compression at little to no speed cost.
2. While i was searching about scsi hd drives acquisition i read that if the drives are on a raid array it is better to use helix to acquire an image.
This depends on your needs, you could image all disks in the RAID set and reconstruct the RAID set. Or you could create an image of the RAID volume.
Again, if we are talking about an acquisition of a 180GB SCSI HD drive, will I need the same HD size on my local hard drive?
My advice: prepare for the worst. BTW disk storage is cheap, so buy yourself a couple of x TB sized disks.
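The two replies above make the point that the E01 footprint depends entirely on what is on the disk and on deflate's behaviour per data class. As an added example (not from this thread), the following Python script measures zlib/deflate ratios on constructed sample chunks and turns them into an estimated image size and segment-file count; the 1 GiB segment size, deflate level 6 and the 50/30/20 data mix are assumptions for the illustration.

```python
"""Added example: estimate the local storage an E01-style image will need by
measuring zlib/deflate (RFC 1951, the compression EWF uses) on sampled data."""
import math
import random
import zlib

SEGMENT_BYTES = 1024 ** 3  # assumed 1 GiB segments (E01, E02, ...); EnCase 6 allows larger
DEFLATE_LEVEL = 6          # assumed deflate level; EWF writers choose their own


def compressed_ratio(chunk: bytes, level: int = DEFLATE_LEVEL) -> float:
    """Compressed/original size of one chunk under zlib/deflate."""
    return len(zlib.compress(chunk, level)) / len(chunk)


def estimate_image(disk_bytes: int, mix: dict[str, tuple[float, bytes]]) -> dict:
    """Estimate image size from a data mix: label -> (fraction of disk, sample chunk).

    Ignores EWF header, CRC and hash overhead, so it is a lower bound:
    provision more local disk than the estimate says.
    """
    per_class = {label: compressed_ratio(sample) for label, (_, sample) in mix.items()}
    total = sum(disk_bytes * frac * per_class[label] for label, (frac, _) in mix.items())
    return {
        "compressed_bytes": int(total),
        "ratio": total / disk_bytes,
        "segments": max(1, math.ceil(total / SEGMENT_BYTES)),
        "per_class": per_class,
    }


def constructed_samples(size: int = 64 * 1024) -> dict[str, bytes]:
    """Constructed chunks standing in for data read from a real disk (fixed seed)."""
    rng = random.Random(2024)
    words = b"the quick brown fox jumps over lazy dogs evidence image hash".split()
    return {
        "blank": bytes(size),                                                   # zero-filled free space
        "text": b" ".join(rng.choice(words) for _ in range(size // 4))[:size],  # documents
        "media": rng.randbytes(size),                                           # JPEG-like, incompressible
    }


if __name__ == "__main__":
    s = constructed_samples()
    # Constructed 80 GB disk: half blank, 30% documents, 20% pictures.
    est = estimate_image(80 * 10**9, {"blank": (0.5, s["blank"]),
                                      "text": (0.3, s["text"]),
                                      "media": (0.2, s["media"])})
    for label, ratio in est["per_class"].items():
        print(f"{label:5s} compresses to {ratio:.1%} of original")
    print(f"estimated image: {est['compressed_bytes'] / 1e9:.1f} GB in {est['segments']} segment file(s)")
```

Swap the constructed chunks for blocks read from the evidence drive to get a real estimate; the zero-filled and random chunks bracket the best and worst cases.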
Well… I have been told to acquire about 20 HDs but they haven't told me their size yet…
In that case also a good book 😉
About the RAID volume, do you think it is easier to acquire the whole volume once rather than each disk separately and rebuild the volume afterwards?
If I choose to image the whole volume, should I do it with Helix?
Thanks for your help.
About the RAID volume, do you think it is easier to acquire the whole volume once rather than each disk separately and rebuild the volume afterwards?
I cannot provide you with much of an answer here. This will highly depend on your situation, the scope of the investigation and/or (evidence) seizure procedures.
Note that imaging the RAID volume can be slower (e.g. server with USB-1) or tricky in some situations. Often you'll have to make a judgement call at the moment of truth.
If I choose to image the whole volume, should I do it with Helix?
Helix is a viable option, but you might want to bring yourself up to date on the subject as well, e.g. http://www.forensicswiki.org/wiki/Forensic_Linux_Live_CD_issues
I personally like to have a couple of other distros with me as well, in case one of them doesn't work. As I said, prepare for the worst and don't forget the book 😉
di.al
Just wondering - are you doing this as a student exercise, a hobby, or providing some professional service?
H
Mostly as a hobby; I work as an IT admin.
Thank you joachimm.