How to restore an image in a forensically sound way  

KCForensics
(@kcforensics)
New Member

Hello, and thanks for reading.

I'm trying to understand the correct way to restore an E01 image to a hard drive in a forensically sound way. I'm trying to use EnCase Forensic Imager on Windows 10 to do this. It does restore the image successfully, but the hashes do not match the original image when computed for the hard drive post restore.

What is the appropriate way to achieve this?

Posted : 19/09/2018 4:38 pm
jaclaz
(@jaclaz)
Community Legend

Is it - by any chance - an image of a disk that is already connected to the system (i.e. are you indirectly making a "clone")?

NT systems will change the disk signature on the spot in such cases, as they won't have two disks with the same signature connected at the same time.

If this is the case, check the first sector (the MBR) of the image and compare it with the first sector of the (restored) hard disk.

jaclaz

Posted : 19/09/2018 4:59 pm
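The MBR comparison jaclaz suggests, as an added example that is not code posted by anyone in this thread. It parses sector 0 of the image and of the restored disk, decodes the 4-byte NT disk signature at offset 0x1B8 and the partition table, and reports whether the only bytes that differ are the signature bytes, which is the fingerprint of Windows rewriting a colliding signature. The two sectors below are constructed (boot code and CHS fields left as zeros); on a real case read sector 0 from the image and, through a write blocker, from the restored disk.

```python
"""Compare sector 0 of an image with sector 0 of the disk it was restored to.

Added example for this thread, not from any participant or tool named here.
The sample sectors are constructed: a single NTFS-type partition starting at
LBA 2048, boot code and CHS fields zeroed.
"""
import struct

SECTOR_SIZE = 512
DISK_SIG_OFFSET = 0x1B8     # 4-byte little-endian NT disk signature
PART_TABLE_OFFSET = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFFSET = 0x1FE     # 0x55 0xAA


def make_mbr(disk_signature, partitions):
    """Build a constructed MBR; partitions = [(bootable, type, lba_start, sectors)]."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, disk_signature)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PART_TABLE_OFFSET + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, sectors)
    sector[BOOT_SIG_OFFSET:] = b"\x55\xAA"
    return bytes(sector)


def parse_mbr(sector):
    """Decode the fields of an MBR that matter for a restore comparison."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    disk_signature = struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        entry = sector[off:off + 16]
        ptype = entry[4]
        if ptype == 0:          # empty slot
            continue
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "bootable": entry[0] == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "disk_signature": disk_signature,
        "partitions": partitions,
        "boot_signature_ok": sector[BOOT_SIG_OFFSET:] == b"\x55\xAA",
    }


def diff_sectors(a, b):
    """Offsets at which the two sectors differ."""
    return [i for i in range(SECTOR_SIZE) if a[i] != b[i]]


def classify_mbr_diff(image_sector, disk_sector):
    """'identical', 'disk-signature-only' (Windows collision rewrite), or 'other'."""
    diffs = diff_sectors(image_sector, disk_sector)
    if not diffs:
        return "identical"
    if all(DISK_SIG_OFFSET <= i < DISK_SIG_OFFSET + 4 for i in diffs):
        return "disk-signature-only"
    return "other"


# Constructed sample data: the image's MBR and what the restored disk showed
# after Windows replaced the duplicate signature.
LAYOUT = [(True, 0x07, 2048, 976771072)]
IMAGE_SECTOR = make_mbr(0x12345678, LAYOUT)
RESTORED_SECTOR = make_mbr(0x9ABCDEF0, LAYOUT)

if __name__ == "__main__":
    for name, sec in (("image", IMAGE_SECTOR), ("restored", RESTORED_SECTOR)):
        info = parse_mbr(sec)
        print(f"{name}: signature 0x{info['disk_signature']:08X}, "
              f"partitions {info['partitions']}")
    print("differing offsets:", [hex(i) for i in diff_sectors(IMAGE_SECTOR, RESTORED_SECTOR)])
    print("verdict:", classify_mbr_diff(IMAGE_SECTOR, RESTORED_SECTOR))
```

A "disk-signature-only" verdict means the partition table and boot code survived the restore and the whole-disk hash mismatch is explained by four bytes Windows changed after the write; any other verdict points at a different cause (wrong target size, unsanitized target, or a write to the volume after restore).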
jpickens
(@jpickens)
Active Member

Is the destination drive completely wiped and an identical size to the original drive?

Posted : 19/09/2018 6:19 pm
KCForensics
(@kcforensics)
New Member

Is the destination drive completely wiped and an identical size to the original drive?

Thank you for your comments. I thought I had the drive size correct, but it turns out the new drive is 1TB where the old was 500GB. That's likely my issue right there.

Question on that–with the way Windows can modify files when a drive is mounted–is that not an area of concern after restoration? For instance, you restore a drive successfully to another drive of the same size, but since Windows is consistently accessing it, would a file not be modified that would once again change the hash after restore? I'll try this experiment once I get my hands on the equal size drive.

Thanks again.

Posted : 19/09/2018 8:45 pm
dpathan
(@dpathan)
Junior Member

The Linux dd command can be used to write images to disk. You can use open-source forensic tool ISOs to accomplish this. Paladin or CAINE both have many utilities to open, parse, create and write disk images.

If you have a utility that needs raw dd format, then use FTK Imager (it's free) to convert E01 to dd.

After using any of these methods, verify your hashes. Make sure to use a sanitized target disk to avoid unwanted data.

Posted : 20/09/2018 12:28 am
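The "verify your hashes" step above, together with the size mismatch KCForensics ran into earlier in the thread, as an added example that is not code from any participant or from the tools named. Hashing a whole 1 TB target can never reproduce the hash of a 500 GB image; what has to match is the hash of the first image-length bytes of the target, and on a sanitized target everything past that point should be zeros. The functions below restore a raw image into a larger target without truncating it (the way dd writes to a block device), then check both conditions. Regular files in a temporary directory stand in for the block devices and the image content is constructed with os.urandom; on Linux point target_path at the restored /dev/sdX, read through a write blocker.

```python
"""Verify a raw image restored onto a same-size or larger target.

Added example for this thread, not code from any participant or tool named
here. The demo files are constructed stand-ins for the image and the target
block device.
"""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024


def sha256_prefix(path, length=None):
    """SHA-256 of the first `length` bytes of path (the whole file if None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            want = CHUNK if remaining is None else min(CHUNK, remaining)
            buf = f.read(want)
            if not buf:
                break
            h.update(buf)
            if remaining is not None:
                remaining -= len(buf)
    return h.hexdigest()


def restore_image(image_path, target_path):
    """Overwrite the start of target with the image, leaving the rest untouched
    (what dd if=image of=/dev/sdX does on a larger device)."""
    with open(image_path, "rb") as src, open(target_path, "r+b") as dst:
        dst.seek(0)
        while True:
            buf = src.read(CHUNK)
            if not buf:
                break
            dst.write(buf)
        dst.flush()
        os.fsync(dst.fileno())


def tail_is_zero(path, start):
    """True if every byte from offset `start` to the end is 0x00."""
    with open(path, "rb") as f:
        f.seek(start)
        while True:
            buf = f.read(CHUNK)
            if not buf:
                return True
            if buf.count(0) != len(buf):
                return False


def verify_restore(image_path, target_path):
    """Compare the image hash with the hash of the target's image-length prefix,
    and report whether the rest of the target is sanitized (zero-filled)."""
    image_size = os.path.getsize(image_path)
    target_size = os.path.getsize(target_path)
    image_hash = sha256_prefix(image_path)
    prefix_hash = sha256_prefix(target_path, image_size)
    whole_hash = sha256_prefix(target_path)
    return {
        "image_size": image_size,
        "target_size": target_size,
        "image_hash": image_hash,
        "target_prefix_hash": prefix_hash,
        "prefix_matches": image_hash == prefix_hash,
        "whole_target_matches": whole_hash == image_hash,   # only possible when sizes are equal
        "tail_sanitized": target_size == image_size or tail_is_zero(target_path, image_size),
    }


def run_demo(image_size=256 * 1024, target_size=384 * 1024):
    """Constructed scenario: restore one image onto a zero-filled larger target
    and onto a larger target that still holds old data (0xFF filler)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.dd")
        with open(image, "wb") as f:
            f.write(os.urandom(image_size))
        results = {}
        for name, filler in (("sanitized", b"\x00"), ("unsanitized", b"\xff")):
            target = os.path.join(d, name + ".disk")
            with open(target, "wb") as f:
                f.write(filler * target_size)
            restore_image(image, target)
            results[name] = verify_restore(image, target)
        return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(name, {k: v for k, v in r.items() if not k.endswith("hash")})
```

For both targets the prefix hash matches while the whole-target hash does not, which is exactly the symptom of restoring a 500 GB image to a 1 TB drive; only the unsanitized target fails the tail check, which is the "unwanted data" the post warns about.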
Aquachimere
(@aquachimere)
New Member

For those who have an FTK licence, you have the restore disk option.

The logicube falcon can restore disk also from E01 to disk.

Posted : 21/09/2018 1:13 pm
KCForensics
(@kcforensics)
New Member

Thanks everyone for your comments.

Here is an update

If I restore the image to a drive of equal size, the hashes do match. However, at some point after that, Windows must continue accessing the drive that is connected (even though I'm not doing anything manually) because if I disconnect the drive, reconnect it via a write blocker and hash it again, they do not match.

So my question is–how does one effectively restore an image to a drive, and then prevent the Operating system from modifying it after that image is restored so you may disconnect it and have a forensically sound copy? Is Linux required and handles this better?

Thanks.

Posted : 21/09/2018 4:55 pm
KCForensics
(@kcforensics)
New Member

I got this to work successfully.

It seems the key is to do it quickly after completion, and also to make sure to eject the drive properly from the PC. I'll test more on Linux systems to see if that's a more consistent option.

Thanks for your help.

Posted : 21/09/2018 5:53 pm
jaclaz
(@jaclaz)
Community Legend

Is Linux required and handles this better?

Yes and no.
Meaning, Linux is not required, but - greatly depending on the specific distro - it may be easier to configure with automount disabled and with read-only mounting than Windows, though (I believe since Windows 7) you can turn off automount via mountvol.exe /N, and then, after copying the image to the disk, use diskpart to set the disk as read-only before manually mounting the volume(s) in it (manually via mountvol or diskpart itself) if needed.

Another possible method would be to use a WinFE (a particular version of WinPE, Forensic Edition), which has provisions to not write to disks and volumes; basically
https://www.forensicswiki.org/wiki/WinFE

BUT, depending on the "source" OS, behaviour may change, so you'd better use (and validate yourself, of course) a pre-made project, such as the excellent Misty's mini-WinFE
http://mistyprojects.co.uk/documents/Mini-WinFE/index.html

I don't think that you can use (yet) the "current" Windows 10 as source for the above, only earlier versions, like Windows 10.0.14393.

jaclaz

Posted : 21/09/2018 7:13 pm