LinEn Help

The first time i tried it the process fell over at 44% with no error message and just shutdown LinEn. I have now managed to get it to go up to about 90% by changing all the options to the maximum but it then came up saying 'Error writing evidence file'.

Um … Linen is not standalone software, so you have to be running it on some Unix platform. What platform is that? (And what Linen release?)

Since you probably have some kind of Unix there, what did its logs say about your problems?

Any ideas what i am doing wrong?

Is the hardware you're using something you *know* works correctly? Computer, USB-connection, the lot. If it isn't, perhaps that the problem – look for failing memory (I always run memtest before imaging on unknown hardware, for example), or perhaps a PSU that is beginning to lose its grip … or, if this is a laptop, a battery pack that is glitchy, and should be removed while you're imaging.

your destination drive needs to be FAT, it won't work with NTFS

your destination drive needs to be FAT, it won't work with NTFS

This isn't true for recent versions of LinEn. If you download the Knoppix with LinEn ISO from Guidance Software, it will let you connect NTFS-formatted HDDs.

Jammie_b when the second error occured, could it still detect both drives OK? If not, which one was disconnected? This might lead you to the problem.

Thank you everyone for your advice, it is the latest version of the LinEn disk that i have, as i got it on the EnCase CF1 course last week.

I must admit i did not take a really close look when the error appeared but i believe i could still see both drives. I will have another go with a few of the suggestions made and see how it goes.

The machine that i am imaging is quite an old laptop so i did wounder if the laptop may cause the issue.

Thanks again for the advice and i will let you know how i get on.

Sometimes is the little things like a crappy cable - you swapped that to the USB drive?

Yes, a process of elimination.

Try swapping the cable, then swapping the external drive, then swapping the imaging software.

If the external drive is the small bus powered type, try using a larger self powered external drive.

Also check the laptop isn't overheating. e.g. it's internals full of dust

You could try our free OSFClone if you think it might be a software issue,
http//www.osforensics.com/tools/create-disk-images.html

The Guidance bootable CD has an alternative imaging solution in 'ewfacquire' (Expert Witness Format). I use it on a regular basis as I've found it works up to twice as quick, which is always good in imaging scenarios.

Load the CD and boot to the option menu.
Select option 5 for 'console'.
Type fdisk -l to display a list of connected devices. Normally I do this with nothing attached first to see what is being seen internally of the computer. Now add your target device (USB) and type fdisk -l again and you should now see your target drive. These will be in the format /dev/sda /dev/sdb etc. Check the drive sizes to make sure in your mind which is your source and which is your target as things could get messy!
Now make a temporary directory in RAM by typing mkdir /image
Now you need to mount the target drive and mount the temporary directory onto this device by typing mount -o rw /dev/sdb1 /image. Note that your 'dev/sdb1' might be different dependant on a number of factor but effectively this is the logical partition (not physical) on the 'dev' where you are putting the image. Also, note the space between sdb1 and /image.
Now you are ready to start ewfacquire. You need to add switches which indicate which device you are imaging. ie ewfacquire /dev/sda (physical, not sda1)
Ewfacquire will guide you through the option which are all self explanatory. Just remember to enter the path as follow which pushes the image to where you mounted the temporary folder /image/filename with no extension

Quick and easy

regards

You could try our free OSFClone if you think it might be a software issue,
http//www.osforensics.com/tools/create-disk-images.html

Thanks for this. Never knew it existed and adds nicely to the toolkit (and more user friendly than ewfacquire by the looks of it!)

Shep

Thank you all for your help with this, think i need a lot more practice as this was my first time using the LinEn disk but i formatted the destination drive as FAT 32 and it worked like a dream.

I will also be having a go at the method that shep47 has outlined as this looks like an good alternative. I am keen to learn as many different methods as i can to widen my knowledge.

Definitely a lot more playing about and experimenting to be done on my part when i get the time. -)