I'd like to hear some ideas of what you would put on a USB thumb as far as programs for IR or CF live previews.
Let's say you have a 1gb thumb, they are fairly inexpensive now, and want to build one set of IR tools on one, and a second for CF live tools.
let's see shat we can cram in there.
Bill
For starters
FTK Imager Lite
Ethereal-WireShark (portable version)
NMap (portable version)
Candidates could be…
X-Ways capture
FTK imager
Taft
Winhex
Alan
> let's see shat we can cram in there.
"shat"??
IMHO, the answer really depends. For IR, if you're facing Windows systems, in an environment with connectivity, I'd load the ProDiscover server, as well as the FRU utilities. If the environment is not networked, I'd load a minimal set of tools so that the rest of the space can hold the output.
I don't see the point of putting anything on a 1GB thumbdrive for CF except for perhaps an acquisition utility (dd?). Part of the reason for that is that we had an engineer hit a Win2K system recently that didn't have drivers for generic thumb drives, and I've encountered FreeBSD boxes that didn't have a /dev/usb entry.
I don't know…maybe it's just me, but I can't see doing CF analysis from a thumb drive.
<I don't know…maybe it's just me, but I can't see doing CF analysis from a thumb drive>
I think I like that answer
I don't think the intention was to do a CF analysis. I would guess that the term "CF live preview" was used for a reason.
For starters
FTK Lite
…
What is it?
For starters
FTK Lite
…What is it?
Sorry i should have been more clear- FTK Imager that runs from a USB drive. http//
I think that would depend upon your intent – IR or Live CF. Another consideration would be platform specifics (win,linux,unix,etc.). I've only used thumb drives as a data store, great if system recognizes the drive! I prefer CD's for compatibility reasons.
I'm a rookie…so maybe this is not an important point.
When you use a Thumb drive doesn't it change the contents of the Reg and Main Memory?
Does each Thumb Drive have a unique Reg key?
If the system you are responding to, or executing CF on, was compromised/abused by an individual using the same brand (make and model) of pen drive, then how could you tell if the contents of the Reg and Main Memory are from your Thumb drive or the malicous one?
I'm having a little troube explaining what I mean…but do you get my drift?
Skip
EDIT Plus I've seen those smaller 250 meg CDs fit into a wallet. It was a bootable CD with Free BSD…I believe?