As you know, we can restore a forensic image into an empty wiped hard drive. However, when you restore a forensic image, the target disk becomes a forensic copy of the forensic image: all sectors are copied and the rest of the space in the target disk is zeroed.
Now I have two forensic images and I have only one big empty hard drive. However, when I restore one forensic image, the empty hard drive is completely re-structured and partitioned accordingly, the rest of the space is zeroed, and you cannot restore a second image into that target drive. If you try, it has to be re-structured again, removing the structure of the previously restored forensic image.
The empty drive is 1 TB and the 2 forensic images are less than 100 GB in size. I do not want to use another empty drive for the second image to be restored and I would like to restore both these forensic images into one empty drive.
Is there any way to do that?
Why do you want to do this? If you need to keep evidential integrity and store the data surely you could just copy the images onto the drive. If you need to test something with the drive then one at a time would be sufficient. If you want to restore a computer to its owner who had 2 hard drives then you could partition the drive and restore logical copies.
You are making new partition maps each time you restore a physical image so I can't see any way to overcome this issue.
Anyone know otherwise?
You leave out a lot here. In particular, I think you leave out what constraints you are working under.
Because, as you state it, the question is trivial
Of course you can restore multiple images into one hard drive – e.g. just dd them in place. (They won't be true images – that would require the boot sector in sector 0 … but it would be as close as you can come.) But … you yourself have to keep track of everything, and ensure that when you access these images, you do not access anything but the sectors belonging to the image. And, on the assumption that the case(s) will end up in court, you will have to convince someone that you were able to do all this, without getting the two images mixed up.
Me, I'd not even try – too much of a bother.
Define "forensic image".
A "normal", "dd-like" image of a disk is made of three "main parts":
- MBR (first sector or sector 0)
- Hidden sectors (legacy 62, "new standard" usually 2047)
- Actual partitions
The MBR is made of three "main parts":
- MBR CODE
- Disk Signature (only NT based systems)
- MBR DATA (Partition Table)
Each partition is made of three "main parts":
- PBR or bootsector
- Filesystem structures
- Actual files/directories
(extended partitions have an additional part, the EPBR, that contains just a Partition Table)
The PBR is made of three "main parts":
- BPB or BIOS Parameter Block
- Filesystem structures
- Actual files/directories
Now, it depends WHAT you want to do with them, depending if you want to boot them on real hardware, or on a VM or if you want to simply peek inside them and copy from them some files.
If the first, a number of settings need to be changed - at least - in:
- Disk signature
- MBR DATA
- EPBR DATA (if extended)
- BPB
(and, if Windows NT, in the registry)
So the image won't be "forensically sound" anymore.
If you want to boot it in a VM - setting aside the modifications that the simple fact of booting from one of them will make to the image - you can use an image file all right (the image won't be "forensically sound" anymore).
If you want to simply peek inside it, you can use any of the various available drivers to mount the image "as is" or, in most cases, use 7-zip to browse inside it (the image can remain "forensically sound").
There is a third possibility, i.e. to recreate a partitioning scheme on the new disk able to "host" the various partitions/volumes from the two images and restore ONLY the volumes; the volumes will remain "forensically sound", but the "whole disk image" won't.
jaclaz
It seems the OP wants to make two small 'clones' on one physical drive. He says he already has images, but his post indicates he wants to set up two clones on one device. I don't follow what purpose this would serve.