Tomorrow, I will start a big job. It involves local politicians…
My job is only to make a forensic copy of a few drives. I don't investigate them; that's the police's job.
I have got a WiebeTech write blocker, FTK Imager and X-Ways.
I plan to extract the data with FTK Imager in EnCase format. Then I plan to export it to another drive. This will be used by the police to analyze the data.
I need to preserve the dates of the files. I plan to create a TrueCrypt volume, save the EnCase file in it, then compute an MD5 of it. The volume will be saved on the same drive.
Any suggestions?
File dates will be preserved within the image file itself. The TrueCrypt volume on top of the E01 file is probably overkill unless you're worried about the security rather than the integrity of the data.
Well, why would you make your image EnCase-specific? Are you sure the law enforcement will use EnCase?
Personally I'd rather make raw copies of the hard drives, for more flexibility in the analysis.
I hate getting raw images. We constantly battle the issue of storage capacity, so I strongly prefer a nice compressed E01.
The EnCase format is pretty widely used by the majority of software types; if you capture in a raw format then you limit the compression, which in the real world is always kept in mind.
If you are creating the image in the EnCase format using FTK Imager you don't need to do a secondary MD5 or TrueCrypt volume. The file format will preserve the hash values generated during the imaging and verification process; if any data has changed then it won't verify on the investigator's machine when processed within EnCase.
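As an added illustration of the point above (example code written for this page, not from anyone in the thread or from the EnCase or libewf projects), the Python below walks the section descriptors of an E01 (EWF1) segment, checks each descriptor's Adler-32, and reads the acquisition MD5 out of the "hash" section; field layouts are assumed from libewf's published EWF documentation, and build_sample_segment constructs a minimal synthetic segment so the script runs offline.

```python
import struct
import zlib

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FILE_HEADER_SIZE = 13  # signature(8) + fields_start(1) + segment number(2) + fields_end(2)
DESCRIPTOR_SIZE = 76   # type(16) + next offset(8) + size(8) + padding(40) + Adler-32(4)

def _adler(data: bytes) -> int:
    return zlib.adler32(data) & 0xFFFFFFFF

def parse_sections(segment: bytes):
    """Walk the section descriptors of one E01 segment, verifying each Adler-32; returns [(type, offset, data)]."""
    if segment[:8] != EWF_SIGNATURE:
        raise ValueError("not an EWF (E01) segment file")
    sections, offset = [], FILE_HEADER_SIZE
    while True:
        desc = segment[offset:offset + DESCRIPTOR_SIZE]
        if len(desc) != DESCRIPTOR_SIZE:
            raise ValueError("truncated section descriptor")
        if _adler(desc[:72]) != struct.unpack_from("<I", desc, 72)[0]:
            raise ValueError(f"descriptor checksum mismatch at offset {offset}")
        sec_type = desc[:16].rstrip(b"\x00").decode("ascii")
        next_off = struct.unpack_from("<Q", desc, 16)[0]
        data = segment[offset + DESCRIPTOR_SIZE:next_off] if next_off > offset else b""
        sections.append((sec_type, offset, data))
        if next_off <= offset:  # the final "done"/"next" section points at itself
            return sections
        offset = next_off

def stored_md5(segment: bytes) -> str:
    """Acquisition MD5 from the 'hash' section: MD5(16) + unknown(16) + Adler-32(4)."""
    for sec_type, _, data in parse_sections(segment):
        if sec_type == "hash":
            if _adler(data[:32]) != struct.unpack_from("<I", data, 32)[0]:
                raise ValueError("hash section checksum mismatch")
            return data[:16].hex()
    raise ValueError("no hash section: image was not hashed at acquisition")

def _descriptor(sec_type: bytes, next_off: int, size: int) -> bytes:
    body = sec_type.ljust(16, b"\x00") + struct.pack("<QQ", next_off, size) + bytes(40)
    return body + struct.pack("<I", _adler(body))

def build_sample_segment(md5_hex: str) -> bytes:
    """Constructed minimal segment (file header + 'hash' + 'done'); real images also carry header/volume/sectors/table."""
    header = EWF_SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00"
    body = bytes.fromhex(md5_hex) + bytes(16)
    hash_data = body + struct.pack("<I", _adler(body))
    done_off = len(header) + DESCRIPTOR_SIZE + len(hash_data)
    return (header + _descriptor(b"hash", done_off, DESCRIPTOR_SIZE + len(hash_data))
            + hash_data + _descriptor(b"done", done_off, DESCRIPTOR_SIZE))
```

A full verification additionally decompresses the sector chunks and re-hashes them against this stored value, which is what libewf's ewfverify or EnCase's own verify step does.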
> I think to extract data with FTk in encase format. Then I think to export them in another drive. This will be used by police to analyze data.
Talk to whoever is going to receive the images about how *they* want the images, what suggestions *they* have for, say, splitting it into segments, etc. The thing to get right is the handover from you to them.
Thank you all for the answers. I did the job today. I managed to buy other drives. A few will contain the forensic copy; the others will be used to investigate.
I used FTK Imager and created an EnCase file.
Bye
Tomhall911 stated, "The EnCase format is pretty widely used by the majority of software types …". Have you seen the thread in the Yahoo Linux_Forensics group about the change in EnCase version 7's file format to Ex01?
Here is what the author of the also popular library "libewf" said in this thread:
Title - Encase has CHANGED the E01 File Format to Ex01
Reported in the Yahoo group Linux_Forensics: Ex01/Lx01 is actually a completely different format, at the lower level. Guidance has released PART of the format specification. Will there be a libewf created for this new format? Doesn't look like it. A quote from jbmetz, the developer of the libewf toolkit:
For now I lack the time to do anything serious on Ex01. It will be hard to implement if Guidance has only released part of the format; this is not an encouraging sign. It may be a Microsoft/Apple-like move to use proprietary formats to force others to license their new format as an additional revenue stream.
It's probably a better idea to encourage Guidance to support the open AFFLIB evidence format. AccessData's Forensic Toolkit and FTK Imager already support it. It would be a lot nicer for us if the commercial forensic software companies supported open formats as well as opening their proprietary formats :D
Check out this link to libewf and the response to a request for Ex01 support:
http//
Even if the Forensic Community supported "jbmetz's" time and effort to support this new format, he does not have all that he needs for the specifications and, at this time, it may be unlikely that he would receive the information, in a timely manner, to support his work on including this new format, soon.
HWallbanger
> Even if the Forensic Community supported "jbmetz's" time and effort to support this new format, he does not have all that he needs for the specifications and, at this time, it may be unlikely that he would receive the information, in a timely manner, to support his work on including this new format, soon.
My comments to (hopefully) kill off this FUD.
First to clarify that statements are easily taken out of context.
My original statement was
http//
> For now I lack the time to do anything serious on Ex01.
This was added by the poster on the Yahoo group:
> Will be hard to implement if Guidance has only released part of the format, this
> is not an encouraging sign. It may be a Microsoft/Apple like move to use
> proprietary formats to force others to license their new format as an additional
> revenue stream.
My original words again:
> Ex01/Lx01 is actually a completely different format, at the lower level.
The EWF2 format is quite different; if not, some small changes would have done the job to get support into libewf.
> Guidance has released part of the format specification.
If you want to get a sense of what information is missing, look at the current version of my working document:
http//
The good news that came out of this apparent FUD is that I'm talking to Guidance Software to see if they can provide me with the missing information. So expect new alpha versions of libewf with Ex01 support, hopefully soon.
Just curious why anyone would use FTK Imager to take disc images when they have access to X-Ways, which is about 10 times faster and more reliable at imaging…