This may seem simple to answer, maybe not. I was told to use an 80G HDD for my main "exam drive" the one containg forensic tools that is wiped after each case and retored via cloning from another HDD or image.
80G seems small, especially with the large HDD's available today. Do examiners use a large drive say 300G or do you match the HDD to the size of the suspect drive?
It would seem logical to match drive to suspect drive, mainly because a raw image takes up the exact MB of that particular drive without compression.
Any comments and thoughtsd are welcome
mark
TMD22
Just to verify, are you talking about the drive size in your 'examining' workstation or are you talking about the drive size in your image capturing hardware.
Thanks
Hi
My exam drive, the one forensic tools are on. The dual-boot drive (Win98&XP)
Thanks
TMD22,
I'm not sure why you were referring to the size of the suspect image, as it relates to the size of your forensic workstation hard drive. Your forensic workstation hard drive needs to hold your OS, and whatever tools you plan to use, it doesn't have anything to do with another drive (or RAID, or whatever you're using), used to hold a copy of the suspect's drive. You seemed to imply the two were related in your first post.
Sorry
let me clarify. I am talking about the image of the suspect drive, not a physical drive.
It seems a "raw image" takes up an awful lot of space when you image it to your exam drive. I use FTK and the "smart" image compresses it, hashes, and checksums all at once.
Another question is why use the "raw" mode, when you can do it faster and conserve space with a compressed forensic method such as the "Smart" choice in FTK?
Hope this clarifies my last post, my apology.
Mark
I'm still a little confused, but I'll try and help. Assume the following
Drive A Your system drive. The one with your OS installed.
Drive B Your storage drive. This is the one your image files are saved to.
Drive C Your source drive. This is the one you are paid to image.
My recommendations
Drive A You don't need much. 40gb is plenty. The smaller the better in your case since you seem to want to wipe it and restore it between each case. You don't store images to this drive anyway.
Drive B Get a few storage drives whenever you see a good deal. Don't waste your money getting the biggest now. Chances are when you actually need that much space they'll be a lot cheaper. Maybe a couple in the 160-250gb range. Make sure and get the 7200 rpm drives. I like Seagates, most people consider them among the more reliable.
Greg
Thanks you answered my question. I had planned on storing the image on another drive anyway and not on the drive with the OS & Forensic Tools.
One more question, do you save the image as a raw file, or compressed version I know Encase uses. Also do you save or hold the suspect image on say another drive or media (DVD, digital tape etc).
Thanks again
Mark
I primarily use Encase, and favor the .e01 image format. One reason I like it is that I can acquire it with no compression, therefore taking the least time. Then I can reacquire it over night with full compression (Encase allows this) thereby shrinking the storage space necessary. It also makes it much faster to archive to DVD's. In a recent case I went from 80 gb to 12. So you can see how I had a lot less DVD's to swap. Archival is a big issue, with many people preferring tape to optical and vice versa. It has been discussed on this forum at length so I wont go into it again.
