Norton Ghost & Partition Magic?

 Andy
(@andy)
Posts: 357
Reputable Member
 

I’ve tried using Prevx but found it a little annoying. My colleagues use it and say they like it; however, I am not overly concerned about infections, as I am careful with just what I extract out of EnCase (there is little that actually requires extracting for most cases). That, combined with a good antivirus (AVG Pro), has never failed to catch the few pieces of malicious code I’ve encountered. Also, I do not have my forensic workstation connected to the Internet (I have another machine for that purpose). Again, that’s another topic in its own right.

Andy

 
Posted : 11/04/2005 8:46 pm
nickfx
(@nickfx)
Posts: 131
Estimable Member
 

Yeah, I agree with most of that, Andy, although Prevx now has a 'suspend' option for when you are installing software.

I too keep my forensic workstation disconnected from the internet, but I have a VNC connection to another PC which is connected, so I can browse the web remotely to look up all the stuff you need to look up during an investigation without fear of contamination. Best of both worlds.

Cheers

 
Posted : 12/04/2005 3:21 pm
(@dhibbeln)
Posts: 6
Active Member
 

For an imaging tool..

take a look at NT Image from Dan Mares..

see www.maresware.com

NT IMAGE >>> http://www.maresware.com/maresware/lo.htm#NTIMAGE

make sure you read the help file….
http://www.maresware.com/maresware/html/ntimage.htm

cost is also very, very reasonable….

************

The Ntimage program is designed to be able to create forensic images (within the capabilities of the OS) while running directly under the NT, W2K, XP operating systems. One use of this program is to image a drive when the system cannot be shut down.

Other capabilities are:

* Creating a disk-to-disk clone.
* Creating an output image file: a single file, or sections to write to CD.
* Creating a compressed output file for easier storage.
* Creating a drive clone while simultaneously creating an image file.
* Performing CRC32, MD5, SHA1, SHA2 (256, 384, 512bit) hashes on the drive while imaging.
* Performing CRC32, MD5, SHA1, SHA2 (256, 384, 512bit) hashes on the drive independent of the imaging.
* Performing CRC32, MD5, SHA1, SHA2 hashes on specific sectors of the drive.
* Wiping the drive.

Drives can be restored from any of the image file formats created.

**********************

Regards,

David R. Hibbeln

 
Posted : 30/04/2005 3:44 pm
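The "hashes on the drive while imaging" and "sections to write to CD" capabilities listed in the post above, shown as an added example that is not part of the original thread and is not Ntimage's code. The function names, the `.001`-style segment naming and the random sample data are assumptions made for illustration.

```python
import hashlib
import io
import os
import tempfile

ALGOS = ("md5", "sha1", "sha256")

def image_with_hashes(src, out_prefix, segment_size, block_size=64 * 1024):
    # Each block is read once, then hashed and written, so the digests cover exactly the imaged bytes.
    hashers = {name: hashlib.new(name) for name in ALGOS}
    segments, out, room = [], None, 0
    while True:
        block = src.read(min(block_size, room or segment_size))
        if not block:
            break
        if room == 0:  # open the next segment only when there is data for it
            if out:
                out.close()
            segments.append(f"{out_prefix}.{len(segments) + 1:03d}")
            out, room = open(segments[-1], "wb"), segment_size
        for h in hashers.values():
            h.update(block)
        out.write(block)
        room -= len(block)
    if out:
        out.close()
    return segments, {name: h.hexdigest() for name, h in hashers.items()}

def verify_segments(segments, expected):
    # Re-hash the segments in order; every digest must match the acquisition values.
    hashers = {name: hashlib.new(name) for name in expected}
    for path in segments:
        with open(path, "rb") as f:
            for block in iter(lambda: f.read(64 * 1024), b""):
                for h in hashers.values():
                    h.update(block)
    return all(h.hexdigest() == expected[name] for name, h in hashers.items())

def demo():
    data = os.urandom(300_000)  # constructed stand-in for a source drive
    with tempfile.TemporaryDirectory() as tmp:
        segs, digests = image_with_hashes(io.BytesIO(data), os.path.join(tmp, "evidence"), 128 * 1024)
        matches_source = digests["sha256"] == hashlib.sha256(data).hexdigest()
        intact = verify_segments(segs, digests)
        with open(segs[1], "r+b") as f:  # simulate one corrupted byte in segment 2
            f.write(bytes([data[128 * 1024] ^ 0xFF]))
        return len(segs), matches_source, intact, verify_segments(segs, digests)

if __name__ == "__main__":
    print(demo())
```

Recording the digests at acquisition time and re-checking the segments later is what shows that an image restored from split files is still the one that was taken.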