Imaging a hard drive - where to begin?
I am curious to know how everyone here images their hard drives. Perhaps it's best if I just give a simple scenario:
You have a Windows personal computer that has been shut down normally. What is your usual step by step method for taking an image of this machine?
Not sure if this will help, but here's what I tend to do. If I'm on-site then I'll use an EnCase boot disk, but you can just as easily use SafeBack. If the drive is sent to me then I just pop the drive in our write-block carriage and acquire it via EnCase, or I'm really becoming partial to GRAB on Helix; you can also use that if you're on-site. There's lots of ways to do it, it just depends on what's in your toolbox I suppose. On other occasions you could use dd-gnu.exe (it's in the Helix binary utils for the win32 package), but I don't consider that forensically sound.
Get to know your options because some will work better in different situations than others, but always try to make your imaging and acquisition forensically sound.
It does not really matter which tool you use: dd, EnCase, FTK Imager, blah… as long as you pay attention to the following, mainly concerning the Chain of Evidence:
- note PC brand / type / service tags / internal company tags etc, anything to uniquely identify it
- screw it open and take out the harddrive(s)
- note HDD brand / type / serial no. and capacity
- image it
- note MD5 / SHA
- record evidence PC BIOS time/date (very important)
- check for CD-ROMs, floppies, etc.
- timestamp and sign the evidence list
- put everything back and lock away 🙂
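The "image it" and "note MD5 / SHA" steps above, as an added example that is not code from anyone in this thread: a POSIX shell script that acquires with dd, logs the MD5 and SHA-256 of source and image together with a UTC timestamp, and can re-verify the image against that log later. The paths and the file standing in for a drive are constructed for the demo; on a real case the source would be the write-blocked device node.

```shell
#!/bin/sh
# Added example, not from the thread. Acquire an image with dd, record MD5 and
# SHA-256 of source and image in an evidence log, and re-verify the image later.
# Paths are assumptions; a real acquisition reads a write-blocked device node.

acquire_image() {
    src="$1"; img="$2"; log="$3"
    src_md5=$(md5sum "$src" | cut -d' ' -f1)
    src_sha=$(sha256sum "$src" | cut -d' ' -f1)
    # noerror,sync keeps reading past unreadable sectors and zero-pads them, so a
    # hash mismatch below is a recorded finding, not a silently truncated image.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null || return 1
    img_md5=$(md5sum "$img" | cut -d' ' -f1)
    img_sha=$(sha256sum "$img" | cut -d' ' -f1)
    {
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src"
        echo "image=$img"
        echo "source_md5=$src_md5"
        echo "source_sha256=$src_sha"
        echo "image_md5=$img_md5"
        echo "image_sha256=$img_sha"
        echo "match=$([ "$src_sha" = "$img_sha" ] && echo yes || echo no)"
    } >> "$log"
    [ "$src_md5" = "$img_md5" ] && [ "$src_sha" = "$img_sha" ]
}

# Recompute the image hash and compare it with the value logged at acquisition.
verify_image() {
    img="$1"; log="$2"
    recorded=$(sed -n 's/^image_sha256=//p' "$log" | tail -n 1)
    current=$(sha256sum "$img" | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$recorded" = "$current" ]
}

# Demo on a constructed stand-in for a drive: an 8 KiB file (a whole number of
# 4096-byte blocks, as a real device would be), so the script runs offline.
demo_dir=$(mktemp -d)
yes 'constructed disk contents' | head -c 8192 > "$demo_dir/disk.bin"
acquire_image "$demo_dir/disk.bin" "$demo_dir/disk.dd" "$demo_dir/evidence.log" \
    && verify_image "$demo_dir/disk.dd" "$demo_dir/evidence.log" \
    && echo "image acquired and verified; log at $demo_dir/evidence.log"
```

The evidence log is append-only key=value lines, so it can sit beside the image and be signed with the rest of the evidence list.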
I prefer to use EnCase and a FireWire blocker to image drives when possible. This applies to both desktop and notebook hard drives. If this isn't possible or practical I'll use the network acquisition via EnCase.