Linux imaging tool other than dd

Encase has Linen,
though i have to admit ive never used it

Linen looks and feels the same as the old Encase DOS version.

There is also aimage

http//www.forensicswiki.org/wiki/Aimage

dcfldd - http//dcfldd.sourceforge.net/

Raptor has a great interface, but comes on a live cd - http//www.raptorforensics.com/Raptor_by_Forward_Discovery,_Inc..html

dd_rescue - http//www.garloff.de/kurt/linux/ddrescue/

sdd - http//directory.fsf.org/project/sdd/

AIR - http//www.l0t3k.org/security/tools/forensic/

sleuthkit - http//www.sleuthkit.org/

grab - http//digfor.blogspot.com/2008/09/grab-adepto.html

http//www.digitalforensics.ch/nikkel05b.pdf

Hi Matt,

There are many tools that can be used for acquiring, but the key ones in my experience are;

ddrescue (not underscore version, but GNU version)

SMART

dc3dd

aimage

ddrescue is superb in working with I/O error drives, and SMART has a simple, easy to use graphical user interface and unique capabilities in acquisition.

Cheers!

farmerdude

www.forensicbootcd.com

www.onlineforensictraining.com

excellent, thank you all for your input
Matt

Hi,

the most importang / usefull one IMHO are the libewf based tools

http//guymager.sourceforge.net/

https://www.uitwisselplatform.nl/projects/libewf/

Because they are able to write EWF-Format, which is "standard".

Regards,

Ralf

You can actually "cat" hd's into an image file. I.e. # cat /dev/sda1 >> /mnt/usb1/diskimage.dd

It's a quick and dirty way of getting it done…

(just for informational purposes only)

I am surprised no one mentioned FTK imager from Access Data.

I use linen quite a bit and it works well for me. Using it from the Helix 2009 R3 live disk.