All - I've been learning how to use Helix in the unlikely event our Talon fails to complete a forensic copy of required collections. I'm trying to implement a backup plan for our investigators while on-site with a client.
Can you help me determine the best way to obtain a forensic copy of a hard drive using a laptop and Helix v1.8?
Harlan - great site and your new Windows Forensic Analysis book is excellent.
Kris
> Can you help me determine the best way to obtain a forensic copy of a hard drive using a laptop and Helix v1.8?
Live image - Put the Helix 1.8 CD into the system you're going to image, walk through the selections in the Helix interface, and have the output image file created on a share, or sent to the laptop over TCP/IP using netcat.
Post-mortem Image - Same thing, except boot to the Linux side of Helix and use dd.
> Harlan - great site and your new Windows Forensic Analysis book is excellent.
Thanks. If you have any comments on the technical content, I'd greatly appreciate it.
Harlan
> Post-mortem Image - Same thing, except boot to the Linux side of Helix and use dd.
or use dcfldd, which also includes some extra functionality, e.g. hashing:
dcfldd --help
or use Adepto which provides a GUI and a chain of custody report on conclusion.
> Harlan - great site and your new Windows Forensic Analysis book is excellent.
I agree, it has a lot of depth to it, atm I'm speed reading it due to current work commitments. Looking forward to getting time to digest it properly.
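The post-mortem dd acquisition discussed in this thread, with the source and image hashed and compared afterwards, as an added example that is not from any of the posters. The function name `acquire_image`, the log layout and the file paths are assumptions; a constructed 1 MiB file stands in for the evidence drive so the script runs offline, and `sha256sum` from coreutils is assumed to be available.

```shell
#!/bin/sh
# acquire_image SRC DST
# Copies SRC to DST with dd, hashes both, and appends the result to DST.log.
# Returns 0 only when the image hash equals the source hash.
acquire_image() {
    src=$1
    dst=$2
    log="$dst.log"

    # Hash the source first so there is a reference value for the image.
    src_hash=$(sha256sum "$src" | awk '{print $1}')
    [ -n "$src_hash" ] || return 2

    # conv=noerror,sync continues past read errors and zero-pads short reads,
    # keeping offsets in the image aligned with the source. It also pads a
    # short final block, so bs must divide the source size or hashes differ.
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>>"$log" || return 2

    img_hash=$(sha256sum "$dst" | awk '{print $1}')
    [ -n "$img_hash" ] || return 2

    {
        echo "source: $src"
        echo "image: $dst"
        echo "source_sha256: $src_hash"
        echo "image_sha256: $img_hash"
    } >>"$log"

    [ "$src_hash" = "$img_hash" ]
}

# Demo on a constructed source file (stand-in for the evidence drive).
demo_dir=$(mktemp -d)
dd if=/dev/urandom of="$demo_dir/evidence.bin" bs=4096 count=256 2>/dev/null
if acquire_image "$demo_dir/evidence.bin" "$demo_dir/evidence.dd"; then
    echo "image verified"
else
    echo "hash mismatch or acquisition error"
fi
cat "$demo_dir/evidence.dd.log"
rm -rf "$demo_dir"
```

On a real acquisition the source would be the drive's device node, attached read-only, and the log would be kept with the case notes.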