Hello All,
I'm having problems using Helix 3 Adepto to grab a forensic image.
Details are below, but I'm definitely a rookie at this…
(Also, I should note this is for my own education, not fooling with evidence files).
For my source, I used a 20.2GB PATA drive running through a hardware write-blocker (WiebeTech Ultradock) to an Asus laptop (i5, 500GB Seagate SATA) and a 500GB USB external hard drive (Seagate) for capture.
Using a Helix Live CD on boot up. I confirmed the MD5SUM for the burned ISO matches the original.
I mounted both drives using the Helix GUI.
Using the terminal (sudo fdisk -l and blkid -l), I confirmed source drive and wiped drive identities (sdb and sdc1).
I then opened Adepto, and followed what appear to be foolproof steps to acquire the image. I can select both source drive and destination drive, so it "looks" like it will work.
But this has failed, repeatedly. I get a few MB of transfer and then an immediate "VERIFY SUCCESSFUL". This all happens within 5-10 secs.
According to the log, the verification is successful because there is no md5sum generated. And obviously, no data transferred.
To try and isolate the issue, I then used two USB sticks as the source and receiving 'drives'. No luck there, same output.
I've formatted the drives as FAT32, since I know that without ntfs-3g, recognizing such drives adds a little more complexity.
I've also tried manually mounting in Terminal as I've read that sometimes Linux (Hardy version) can be a problem when dealing with USB connections.
I believe my syntax for manually mounting may not be correct - see below. But it has apparently worked nonetheless (given that I've already mounted with the GUI and get a return message "already mounted").
mkdir /mnt/myusb
mount /dev/sdc1 /mnt/myusb
Thoughts on where I'm going wrong? Or better alternatives to avoid these problems? Backtracker, for instance? Everything I find online suggests the issues I'm having are just not issues that others run into (e.g., inability to acquire an image). Embarrassed to say I've spent 20+ hours just trying to acquire an image! Crazy.
Thanks in advance.
Just thought I'd 'close' out my own thread. After reviewing the log file, I added the rw command to my terminal command and was able to finally acquire the image. Hopefully another newbie will save himself or herself some time in a similar bind from a dumb mistake.
You should use the FTK Debian imager; we didn't have any problem with it.
Hi Ryan,
I have been using Helix 3 for some time and have encountered a similar problem during the early stages, mainly through my own ignorance.
The drive you are reading should appear with its identifier etc., which should match the size of the drive etc. However, I think your problem may be with where you are writing the image to. Make sure that the output drive is mounted in read/write mode and that you can visibly see the contents before you start your imaging process.
Good luck
Richard
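An added example (not from the thread or from Helix/Adepto) of the two checks Richard's advice and the OP's log point at: confirm the destination is mounted read/write before imaging, and treat an empty image or a hash mismatch as a failed acquisition rather than a hollow "VERIFY SUCCESSFUL". The device and mount paths (/dev/sdb, /mnt/myusb) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Two helpers around the failure
# described above: a destination that is mounted read-only (so dd writes
# nothing and a tool can still report "VERIFY SUCCESSFUL" with no md5sum),
# and a verify step that only succeeds when source and image hashes match.
# Device and mount paths (/dev/sdb, /mnt/myusb) are assumptions.

# Succeeds only if mount point $1 appears with the "rw" option in a
# /proc/mounts-style listing read from stdin, e.g.
#   mount_is_rw /mnt/myusb < /proc/mounts
mount_is_rw() {
    awk -v m="$1" '
        $2 == m { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "rw") found = 1 }
        END { exit found ? 0 : 1 }'
}

# dd $1 into $2, appending dd output and the verdict to log file $3.
# Refuses to call the acquisition verified when the image is empty or when
# the MD5 of the image differs from the MD5 of the source.
# bs=512 with conv=noerror,sync pads unreadable sectors with zeros; a source
# whose size is not a multiple of 512 would get padded and fail verification.
acquire_and_verify() {
    src="$1"; dst="$2"; log="$3"
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || {
        echo "dd failed" >>"$log"; return 1; }
    if [ ! -s "$dst" ]; then
        echo "image is empty: is the destination mounted read-only?" >>"$log"
        return 1
    fi
    src_md5=$(md5sum < "$src" | cut -d' ' -f1)
    img_md5=$(md5sum < "$dst" | cut -d' ' -f1)
    echo "source md5: $src_md5" >>"$log"
    echo "image  md5: $img_md5" >>"$log"
    if [ "$src_md5" = "$img_md5" ]; then
        echo "VERIFY SUCCESSFUL" >>"$log"
        return 0
    fi
    echo "VERIFY FAILED" >>"$log"
    return 1
}

# Typical use (assumed paths), run as root with the destination checked first:
#   mount_is_rw /mnt/myusb < /proc/mounts || mount -o remount,rw /mnt/myusb
#   acquire_and_verify /dev/sdb /mnt/myusb/sdb.dd /mnt/myusb/sdb.log
```

Hashing the live source a second time after dd is what makes the verdict meaningful; a hardware write-blocker, as in the OP's setup, keeps that second read from altering the source.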