I was wondering what most experienced FEs use in the field to acquire an image of a HDD.
I was thinking of a laptop, FTK Imager, write-blocker and external USB/Firewire hard drive. I'm open to other setups.
Also, is it prudent to do a "disk to disk" copy, make an image, or do both?
Any suggestions or comments are welcome.
Happy Holidays to all on the Forum
Our field guys are equipped with small-footprint Shuttle PCs rather than laptops. Although they still need a mains power supply and external keyboard, monitor and mouse, they offer benefits in terms of industry-standard and large-capacity components (I'm thinking specifically of large hard disks for bulk imaging). We get around the external peripherals issue by using portable flat panels and combined keyboards/mice.
We get called upon to image very large disks and arrays from servers as well as acquiring bulk backup media, so the ease with which we can swap hard disks is a real bonus, not to mention the availability of common components should anything fail in the field.
As well as the host PCs, we use write-blockers, EnCase and Paraben toolkits (depending on the analysis brief) and we include a digital camera with date and time stamp just in case we need to take contemporaneous images of a scene.
Thanks Thomas
I actually use Shuttles for my exam machines. I love them and they seem to work well both for space and performance. I keep the cover always off for quick change of HDD & access to inside.
I gather you use a small LCD, 15" say, and great idea for keyboard/mouse all in one. I may just take your suggestion.
Thanks for the input. Oh yes, do you actually copy HDD to HDD or do you make an image from the source to the target drive?
I had planned on copying the entire drive to the target drive in the field, then make an image at my shop to work on the case.
Any more comments welcome, thanks again.
Happy Holidays
Shuttles are great for easy access and they seem to perform well. The size is a great bonus when I have to sit with one on an aircraft!
We generally use small inexpensive 15" flat panels from Dell or somewhere similar. They're lightweight, fairly robust and the display quality is perfectly acceptable for the job, even though I wouldn't want to look at one all day long during the analysis stage.
We make a forensic image on site and then sort out the rest of the analysis back at base. I think it's the best way of preserving evidential integrity. If the distance from the office to site is particularly long (i.e. a flight away) we make two images on separate hard disks. Travel can have a negative effect on computer kit and acquiring a replacement image can be problematic if one hard disk fails after transit.
Very rarely, a client will ask for the analysis to be done on-site too. In that case, we send out some more powerful kit by courier and set up a 'field station' at the site. Whatever happens, we always keep the forensic images in hand-luggage during transit to preserve chain of evidence.