Linux imaging tool other than dd

(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Sleuthkit

Really?

EDIT: I guess I should elaborate. If you were to use Sleuthkit to acquire an image, what command would you invoke?


   
ReplyQuote
(@larrydaniel)
Reputable Member
Joined: 17 years ago
Posts: 229
 

For me there is one real advantage, and it is simply a practical one: I receive a lot of evidence from law enforcement agencies, 99% of the time in Encase format. Should I be asking them to provide raw images? What would be the advantage to doing that?

Seriously, folks. Tools are tools. Whether you prefer a 16 ounce hammer or a 20 ounce hammer is your choice.

I live in a practical world with lots of work to do. I have yet to find a problem with using the Encase file format versus some other format.

Also DD images can be a major pain when you have to supply a single wiped drive for every image in a large case.

So what is the significant advantage to using something else?

Does DD magically find more bits than FTK Imager or Linen? No.

Oh wait, maybe the advantage is that you can run open source tools against DD images. That is pretty easily handled if you need to do that by simply converting the Encase images to raw.

I use some open source tools, but not that often. They are not my preference for day to day work.

So I guess I don't really see the point of this discussion other than the old open source versus commercial argument, ad nauseam.


   
ReplyQuote
(@unknown)
Eminent Member
Joined: 17 years ago
Posts: 21
 

http://www.cftt.nist.gov/disk_imaging.htm

This might be interesting for some of you. Some of the NCJRS stuff is dated.

Thanks.


   
ReplyQuote
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

Short version
Raw gives you more options than E01
Raw is faster
E01 is fine if all your tools will deal with it
E01 is probably going to cost you a little more to use

Long version

I think I get what Farmerdude is getting at, and it's not some intellectual argument about whether free/open source has better karma or whatever. The argument is about the range of usability.

Every forensic tool - and a lot of non-forensic tools that could be used for evidence gathering purposes in a R/O mount environment - can read dd/raw. Not every tool you would conceivably use reads E01.

I can mount a DD in linux/bsd without having to buy any tools. For years I used to mount all my images in BSD, share across a network with Samba, and do my virus check. It was easily as efficient as doing the same thing in windows with MountImagePro, or whatnot, but without the cost, and without having to validate another tool.

The whole CRC argument is a red herring. I've gotten around corruption issues by always having more than 1 copy of my image. In fact, I generally have the original raw unsplit dd image, a zip'n'split compressed archive copy of the dd that I never touch again, and a split copy of the dd for windows file system compatibility. The working copies are verified at acquisition time, and again at case completion.

(Oh, and farmerdude, CRC is not intended to stop intentional alteration, it's intended to identify data corruption.)

This method works particularly well in tool validation because I can do a quick carve with the dd skip/count commands and prove my results in seconds. I challenge you to validate your tools against an E01 image manually. Of course, Guidance didn't teach tool validation last time I checked, so many EnCase users probably don't consider this issue.

It's also a lot easier to convert a raw image to work in a virtual environment if you want to take their system for a drive.

If I get given an E01 image to work with, then obviously I work with it. You'd have to be incompetent or an asshat to send an E01 back and insist on raw.

I simply use dd/raw as my starting point because it gives me speed and a lot more options on how to use it.


   
ReplyQuote
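The "quick carve with dd skip/count" and "verified at acquisition time, and again at case completion" workflow from the post above, as an added example that is not from the thread or any poster. It builds a constructed 8 MiB raw image with a known marker at a known sector, records a SHA-256 manifest, carves one sector with `dd skip/count` to prove the offset arithmetic, and shows that a one-byte change in a working copy no longer matches the manifest (GNU coreutils `dd`/`sha256sum` assumed).

```shell
#!/bin/sh
# Added example (not from the thread): raw-image carving with dd skip/count
# plus hash verification of the image and a working copy.
set -eu

WORK=$(mktemp -d)
IMG="$WORK/evidence.raw"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample "image": 8 MiB of zeros with a 20-byte marker written at
# byte offset 1 MiB + 512, i.e. the start of 512-byte sector 2049.
make_image() {
    dd if=/dev/zero of="$IMG" bs=1M count=8 2>/dev/null
    printf 'FORENSIC-MARKER-0001' |
        dd of="$IMG" bs=1 seek=$((1048576 + 512)) conv=notrunc 2>/dev/null
}

hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Record the acquisition hash in a manifest; re-check it at case completion.
record_hash()  { sha256sum "$IMG" > "$WORK/acquisition.sha256"; }
verify_image() { sha256sum -c "$WORK/acquisition.sha256" >/dev/null; }

# Carve $3 sectors starting at 512-byte sector $2 into file $1.
# Using bs=512 with skip/count in sectors keeps the copy fast; bs=1 would not.
carve_sectors() {
    out=$1; start=$2; n=$3
    dd if="$IMG" of="$out" bs=512 skip="$start" count="$n" 2>/dev/null
}

# Carve sector 2049 and return its first 20 bytes: proves the offset is right.
carved_marker() {
    carve_sectors "$WORK/carve.bin" 2049 1
    head -c 20 "$WORK/carve.bin"
}

# Flip one byte in a working copy; succeeds only if the hash no longer matches.
detect_change() {
    cp "$IMG" "$WORK/working.raw"
    printf 'X' | dd of="$WORK/working.raw" bs=1 seek=4096 conv=notrunc 2>/dev/null
    [ "$(hash_of "$WORK/working.raw")" != "$(hash_of "$IMG")" ]
}
```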
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

So, to summarize, the dd/raw format works well for the methodology and tools used by some of us and the E01 format works better for others. Neither one is "wrong" and neither one is better than the other in all situations. Finally, you can get from one to the other so if you don't like the evidence's original imaging format, you can convert it without jeopardizing chain of custody or integrity.

Fair enough?

_David


   
ReplyQuote
 vogu
(@vogu)
New Member
Joined: 16 years ago
Posts: 3
 

FTK's Linen is uncomfortable and really slow. Guymager is easier to use and faster than any other imager. You can try it for instance from the FCCU live CD.


   
ReplyQuote
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

FTK's Linen is uncomfortable and really slow.

FTK Imager or EnCase Linen is really slow?


   
ReplyQuote
bongojazz
(@bongojazz)
New Member
Joined: 18 years ago
Posts: 1
 

I often use FTK Imager from a BartPE disk because it has that Windows look 'n' feel and you know stuff like USB drives will just work without having to faff around with mounting the right drive etc.


   
ReplyQuote
binarybod
(@binarybod)
Reputable Member
Joined: 17 years ago
Posts: 272
 

Don't the discussion points (I hesitate to use the term 'arguments') for or against E01 files apply equally to AFF?

Paul


   
ReplyQuote
 vogu
(@vogu)
New Member
Joined: 16 years ago
Posts: 3
 

To Bithead: It should read "Guidance's Linen is uncomfortable and really slow."
And its speed display is false; it runs even slower than displayed (at least on my test computers).

Acquisition via Guidance's Encase is slow.

Acquisition via FTK Imager is fast.

Acquisition via Guymager is the fastest.

To bongojazz: No mounting is required for doing an acquisition in Guymager. Just start Guymager and acquire any number of connected devices in parallel.


   
ReplyQuote
Page 4 / 4
Share: