I am looking for a low level disk analysis tool like EnCase which I can run from USB/CD on a live machine I am investigating.
I want to "EnCase green plate" the disk and sub folders and create a timeline of file activity across the disk of the "created timestamp" and scroll through each file and preview individually. This is pretty simple using EnCase.
Does anyone know of any tools which can do this without installing EnCase on the machine I am investigating? I dont have EnCase Enterprise.
Running FTK Imager lite from USB/CD only shows the modified time stamp and only for the current folder. I want to be able to do this without taking any memory dumps or images, I need to do it live without acquisition. This is not for evidential work.
Any thoughts or suggestions would be very much appreciated
Matt
X-Ways doesn't require an installation, of the top of my head.
Maybe you can use a client server solution like f-response and combine it with Encase.
If you have an Encase 7 license you can create a servlet and use it like Enterprise but only 11.
You can do it with OSForensics as well. There is a function to make a USB install, then you can run it from the USB drive on the live machine and do a File Name Search across the whole drive. From there you can sort by Create date or view the Time Line as a graph.