I have trying (TRYING) to create a Win7 Test image for a Basic Class, seeded with the appropriate things to give an overview of what a Working and used PC would look like.. Programs and data etc.. but I am limited to an 8 gig Thumbdrive as the "RECEPTOR" of the blown out image. I want to have the students IMAGE the Thumb Drive as original Evidence..
So I have created a Small 7+ gb Partition on my Notebook.. Installed Win 7..created users and such..got the email and everything.. but 8 Gigs is so Limiting I end up messing with the partition size a bit…then the resulting image is too big to be RESTORED to the Thumbdrive… Then I delete stuff, which over writes my Unallocated space… Grrr..
So it's a very frustrating experience to keep all in balance.. Anyone find a Good way of doing this. I wonder if you could do something like this in VMWare and then get a good image..??? Hmm..
Sorry..but I had to vent while I WIPE the thumbdrive for the 5th time…
Maybe do a Martha Stuart solution? You create a small test image like what you are doing and make a raw image of it yourself. You can still have them make an image of the USB device so teach them how to make an image.
The advantage of this is that all of your students will have your analysis image available to them in case one or more of them run into trouble on the imaging side.
Yeah, I may have to do that.. One last attempt this AM before I have to Put on a Porch Roof.. Ah the Nail gun will allow me to relieve the stress!
Hi,
I have been doing something similar - my workaround was to create a VirtualBox machine and then you can either export the machine which compresses the drive or alternatively you can boot the VM to a caine live iso image and create a forensic image file on the host machine using shared folders (or in your case straight you might want to use the USB device). You can use ewfacquire (on the caine distro) which will create an EnCase compressed image.
Paul