Imaging a drive using Windows  

packys
(@packys)
Junior Member

Hi all,

I have a question, and would appreciate anyone's input.

I will be teaching a group of high school students the general approach to imaging a hard drive. As most (if any) of them do not have a working knowledge of Linux, and there is not enough time allowed to introduce them to Linux, I am looking for a do-able option in the Windows environment (just something that will give them that "I did it" feeling).

Specifically, does anyone have a 'preferred' physical setup (one that has worked well for them in the past) as well as a recommended tool? For the physical setup, I have been considering installing a second drive in a 'suspect' box on the secondary IDE, but, are there are other options that may be better?

And, if I were to use such a setup, should the target drive be the same disk geometry as the 'suspect' drive, or is that no longer an issue?
I have used SafeBack 1.0 in the past, but I would like to use a more recent tool. I do not have Encase. I am aware of FTK Imager, ByteBack, Acronis, & Ghost (with -id switch), but have never used any of them.
I am also aware that because I will be using Windows, it will require the use of a write blocker.

Regards,
Chris

Posted : 07/01/2006 2:47 am
Jimmer
(@jimmer)
Junior Member

Have you looked at using the firebootcd? It allows for sterilization, imaging, hashing etc. all from one platform. The commands are fairly easy to learn, I may even have a list of them here. Not sure on that. Additionally, it is a free program downloadable off the net. Additionally, you can obtain free demo copies of both FTK and Encase. If you contact them you may be able to obtain numerous free copies. Both allow you to image and process a limited size disk, but all of the functions are available. And both run in a Windows environment.

As to imaging a hard drive, I understand what you mean by "hands on" and "I did it". However, to be honest, after entering the initial commands, watching the image being created is really kind of boring. You don't say what course you are teaching. Perhaps a more interesting way would be to allow them to process a floppy that you have put some data on for them to find. It's quick and you get quick, viewable results. You may wish to use the fireboot cd, image a floppy, then use Norton Disk Editor or the free download of WinHex to view the floppy etc. I think your students would find it interesting to look at a floppy in a normal directory view, then see with disk editor all the data that is there for the viewing if you know where to look. Where are you located?

Posted : 07/01/2006 8:52 am
arashiryu
(@arashiryu)
Active Member

What do you mean by image a hard drive? Get a forensic image of the hard drive? Or are you talking about a drive-to-drive copy? I also want to make sure you are not talking about decompressing an acquired image file to the hard disk.

Real scenario would be acquiring a forensic image of a hard drive or the suspect media like floppy usb etc. and then examining the image file with WinHex, FTK, EnCase or Paraben tool etc.

The floppy idea is good and will give you more time to discuss and work on the meat of the subject rather than watch the pot boil while you acquire the hard drive image. You can use a hard drive acquisition demonstration as a follow up. This will also eliminate the use of the write blocker.

To forensically acquire a floppy
*Make sure you write protect the floppy.
*Make sure write protection feature works for the floppy drive in the computer being used for the acquisition.
*You can use the free FTK imager to acquire the floppy.
*You can use the FTK imager itself to examine the floppy image or WinHex. I prefer WinHex.

If you have to use the hard drive, choose the one with the least capacity to demonstrate, since it will take less time to get a forensic image.
*Connect the physically removed suspect drive from the system to a write blocker
*Acquire the image with your acquisition workstation via usb / firewire.
*FTK imager is free and works well.
*Use WinHex or free demo of FTK (has limitation of how many files can be loaded as evidence) to examine image file.

Posted : 07/01/2006 10:20 am
packys
(@packys)
Junior Member

Thank you for the replies; maybe I should clarify my situation, and explain a little better.
First, I have been practicing and teaching Comp Forensics at the college level for several years. I was asked to do a small workshop for some high school students to introduce them to the fascinating world of Computer Crime Investigation.
So, while I am very comfortable with doing forensics in the Linux environment, I have fallen behind on the Windows tools; but, I was asked to perform the workshop using Windows tools.
So, I was just looking for a few recommendations on the Windows imaging tools, and the physical setup that might work best with a particular tool (by physical, I mean IDE to IDE; IDE to external USB drive; maybe breaking the image up into CD-sized 'chunks', etc.).
I have several older, small IDE drives that I was going to use for the imaging exercise (and I do mean a forensic image, not a non-forensic Ghost copy). The main purpose is to give the students the hands-on side of removing a drive from a PC (I find that even my college students are intimidated by this), setting it up for imaging, hashing the original and the copy, and viewing the image for forensic analysis (which is why I was wondering if the Windows tools required the drive geometry to be the same).
And, to answer your question, I'm in upstate NY
Thanks
Chris

Posted : 09/01/2006 12:36 am
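A worked version of the acquire-then-hash procedure from the two posts above (read the drive sector by sector, hash the original and the copy, optionally split the image into fixed-size segments), as an added Python example that is not from the thread or from any of the tools named in it. Because it copies the source as a raw block device, the destination only needs enough free space, not matching geometry. The device paths in the comments (`\\.\PhysicalDrive1`, `/dev/sdb`) are assumptions, and `SampleDevice` is a constructed stand-in so the script runs offline.

```python
"""Raw, dd-style forensic acquisition with on-the-fly hashing, bad-sector
handling and segment splitting.  Added example; not code from SafeBack, FTK
Imager, EnCase or any other tool named in the thread."""
import hashlib
import os
import tempfile

SECTOR = 512          # logical sector size assumed for the source
BLOCK = 64 * SECTOR   # normal read size (32 KiB)


class SampleDevice:
    """Constructed stand-in for a raw device handle such as
    open(r'\\.\PhysicalDrive1', 'rb') on Windows or open('/dev/sdb', 'rb')
    on Linux.  Serves `data` and raises OSError for any read that touches a
    sector listed in `bad`, so the error path can be exercised offline."""

    def __init__(self, data, bad=()):
        self.data, self.bad, self.pos = data, set(bad), 0

    def seek(self, offset):
        self.pos = offset

    def read(self, n):
        first, last = self.pos // SECTOR, (self.pos + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError("simulated I/O error")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def acquire(source, image_base, segment_size=None, block=BLOCK):
    """Copy `source` end to end into image_base.001, .002, ... (one segment
    when segment_size is None).  Returns the hashes of the source as read,
    each segment's MD5, the byte count and the sectors that were zero-filled.
    A failed block is re-read one sector at a time; a sector that still fails
    is replaced by SECTOR zero bytes so later bytes keep their original
    offsets (the same behaviour as dcfldd conv=noerror,sync)."""
    src_md5, src_sha1 = hashlib.md5(), hashlib.sha1()
    notes = {"segments": [], "bad_sectors": []}
    seg = {"no": 0, "fh": None, "md5": None, "len": 0}

    def new_segment():
        if seg["fh"]:
            seg["fh"].close()
            notes["segments"].append((seg["fh"].name, seg["md5"].hexdigest()))
        seg["no"] += 1
        seg["fh"] = open(f"{image_base}.{seg['no']:03d}", "wb")
        seg["md5"], seg["len"] = hashlib.md5(), 0

    def emit(buf):
        while buf:
            if seg["fh"] is None or seg["len"] == segment_size:
                new_segment()
            room = len(buf) if segment_size is None else segment_size - seg["len"]
            piece, buf = buf[:room], buf[room:]
            seg["fh"].write(piece)
            seg["md5"].update(piece)
            seg["len"] += len(piece)

    offset = 0
    while True:
        source.seek(offset)
        try:
            buf = source.read(block)
        except OSError:
            buf = b""
            for s in range(block // SECTOR):          # retry sector by sector
                source.seek(offset + s * SECTOR)
                try:
                    piece = source.read(SECTOR)
                except OSError:
                    notes["bad_sectors"].append(offset // SECTOR + s)
                    piece = b"\0" * SECTOR            # keep the offset, log the loss
                if not piece:                         # end of device
                    break
                buf += piece
        if not buf:
            break
        src_md5.update(buf)
        src_sha1.update(buf)
        emit(buf)
        offset += len(buf)

    if seg["fh"] is None:
        new_segment()                                  # empty source: one empty segment
    seg["fh"].close()
    notes["segments"].append((seg["fh"].name, seg["md5"].hexdigest()))
    notes.update(bytes=offset, source_md5=src_md5.hexdigest(), source_sha1=src_sha1.hexdigest())
    return notes


def verify(notes):
    """Re-read the segments: each must match its recorded MD5 and their
    concatenation must match the hash of the source as read."""
    whole = hashlib.md5()
    for path, recorded in notes["segments"]:
        one = hashlib.md5()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(BLOCK), b""):
                one.update(chunk)
                whole.update(chunk)
        if one.hexdigest() != recorded:
            return False
    return whole.hexdigest() == notes["source_md5"]


def demo():
    """Image a constructed 20-sector device with one unreadable sector into
    4-sector segments under a temporary directory, then verify the result."""
    data = b"".join(bytes([i]) * SECTOR for i in range(20))   # constructed content
    base = os.path.join(tempfile.mkdtemp(), "evidence")
    notes = acquire(SampleDevice(data, bad=[7]), base, segment_size=4 * SECTOR, block=8 * SECTOR)
    expected = data[:7 * SECTOR] + b"\0" * SECTOR + data[8 * SECTOR:]
    notes["expected_md5"] = hashlib.md5(expected).hexdigest()
    notes["verified"] = verify(notes)
    return notes


if __name__ == "__main__":
    result = demo()
    print("bad sectors:", result["bad_sectors"], "verified:", result["verified"])
    for path, digest in result["segments"]:
        print(digest, path)
```

Against a real drive, replace `SampleDevice` with `open(r'\\.\PhysicalDrive1', 'rb')` from an elevated prompt on Windows (or `/dev/sdb` on Linux), with the write-blocker in place. Record `source_md5` and the per-segment hashes in the case notes, and document a non-empty `bad_sectors` list rather than hiding it: a later re-hash of the physical drive will not reproduce the zero-filled sectors, and the notes are what explain the difference.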
Jimmer
(@jimmer)
Junior Member

I would think Encase would solve your problem. The reason I asked is I am from the Buffalo, NY area originally.

Posted : 09/01/2006 3:02 am
xaberx
(@xaberx)
Active Member

I have a free utility on my site that is an interface for DCFLDD; you could show them the command line and then the GUI with it. This also helps if the program has a budget. It's not as pretty as some but it's free and images both logical and physical drives in Windows.

my site is
www.xabersoft.com

hope it helps

Posted : 21/06/2008 11:29 am
Chitapett
(@chitapett)
Member

To expand on Jimmer's last response…

I think EnCase would be your best option for a free tool that you can image with in Windows, create a hash value of the original and one of the final evidence. Your only problem comes when you are trying to show the students the tree structure of the drive, which I'm not entirely sure is important to you.

EnCase "Acquisition" mode is free and can be used by anyone without a dongle. You simply need the installer, which you could probably get from Guidance Software's technical services department.

In addition, you are teaching students on software that is by far the most widely used Windows forensic application out there.

Whatever you do, test your "older" hard drives before your class. All these forensic applications have a tendency of not working when you really need them to.

My 2 cents…

Posted : 05/07/2008 12:41 pm
keydet89
(@keydet89)
Community Legend

> …you are teaching students on software that is by far the most widely used windows forensic application out there.

IMHO, teaching EnCase for that reason is a mistake. Forensic analysis should be about using the right tool, not just about using EnCase. Yes, EnCase is the most popular…but it's that way for the same reasons that Gates' MS-DOS became the most popular OS at the time, over Kildall's CP/M.

Forensic examiners and students alike should know how things like file signatures work first, *then* should they decide to use that technique (or any other) learn how to do so in a particular application.

Posted : 05/07/2008 4:33 pm
Jonathan
(@jonathan)
Senior Member

FTK Imager. Very good app and it's free.

Posted : 05/07/2008 5:04 pm
packman
(@packman)
New Member

I am surprised that no one mentioned Helix. Free and with the gui you do not have to know any Linux.

Posted : 15/07/2008 7:37 am
jeffcaplan
(@jeffcaplan)
Member

> > …you are teaching students on software that is by far the most widely used windows forensic application out there.
>
> IMHO, teaching EnCase for that reason is a mistake. Forensic analysis should be about using the right tool, not just about using EnCase. Yes, EnCase is the most popular…but it's that way for the same reasons that Gates' MS-DOS became the most popular OS at the time, over Kildall's CP/M.
>
> Forensic examiners and students alike should know how things like file signatures work first, *then* should they decide to use that technique (or any other) learn how to do so in a particular application.

While I agree with you that knowledge of the process itself is the most important thing if one is required to proffer expert witness testimony, who is to say that the process cannot be taught along with the tool most suited for the job? And I do believe that EnCase is the one most suited tool for the job of providing digital forensic analysis (if I had to pick just one). I don't consider myself a GSI fanboi, but when it comes to digital forensics, EnCase is the de facto standard (for a reason), and the fact that it's the standard does make it important to teach when you consider the context of why that's important to the field.

Everything about digital forensics is done so that information obtained can be offered as evidence in court. Without that point in mind, all of this could be described as glorified data recovery. The fact that there are legal standards for what is admissible in court and the fact that EnCase has been challenged and accepted more than any other digital forensics tool makes it a perfect reason to teach to newcomers to the field.

To quote from EnCase's legal journal

> The final prong — whether a process enjoys "general acceptance" within the "relevant scientific community" — is a particularly important factor strongly considered by the courts in validating scientific tools and processes. "'[A] known technique that has been able to attract only minimal support within the community,' … may properly be viewed with skepticism."[66] EnCase software is without question the most widely used computer forensic process in the field. Thousands of law enforcement agencies and companies worldwide employ EnCase software for their computer investigations. In addition, EnCase software has over twenty thousand users, and Guidance Software trains over four thousand students annually in the use of EnCase software. The widespread general acceptance of a process is often considered to be the most important prong in a Daubert/Frye analysis. In addition, even outside the litigation context, there are practical considerations if it should become necessary to replace an expert, his or her use of standard software will make the transition to a replacement expert much easier.

Knowing what a file signature is and its relevance to forensics and why it's an important topic to know and how to make use of that knowledge are all things which can easily be taught using EnCase…all you really need is a hex viewer, the ability to highlight things and a good teacher.

Having said all that, I think the OP's best bet is to use FTK Imager. It's Windows-based, it's free, it can create images in multiple formats, it provides a hash value of the acquired image and it has the ability to read images; this should all meet his criteria. Using EnCase w/o a dongle just to create an image is pretty anticlimactic.

Jeff

Posted : 15/07/2008 12:38 pm
jeffcaplan
(@jeffcaplan)
Member

One additional note to the OP which he should be aware of (I hope) - If you're using Windows as opposed to Linux to image a drive, you will need to use a hardware write-blocker (in keeping with the true spirit of forensics…), as Windows does not have the same software write-block capabilities as Linux, with the exception of the reghack for external USB devices. So, making an exception for not having a hardware write-block device handy for the IDE drives, you could hook up the internal IDE drives to an external USB enclosure and make use of the reghack to ensure that the device and thus the drive are protected from any modification.

Otherwise, you'll need to use a bootdisk to image in Linux or DOS.

Jeff

Posted : 15/07/2008 12:48 pm
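The reghack Jeff refers to is the `WriteProtect` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies`. The following is an added Python example, not from the thread, that sets and reads that value and then checks on a scratch volume (never on evidence) that the OS really refuses writes, which is the "make sure write protection works" step arashiryu listed for floppies. It assumes the policy is applied when a USB mass-storage device is enumerated, so it must be set before the enclosure is plugged in, and it does nothing for drives on internal IDE/SATA controllers. The probe file name is arbitrary.

```python
"""USB software write-blocking on Windows via StorageDevicePolicies, plus a
probe that confirms the block on a scratch volume.  Added example; the
registry path and value name are the standard Windows ones, the probe
filename is an arbitrary choice."""
import os
import sys
import tempfile

POLICY_KEY = r"SYSTEM\CurrentControlSet\Control\StorageDevicePolicies"
VALUE_NAME = "WriteProtect"


def set_usb_write_protect(enabled=True):
    """Write HKLM\\...\\StorageDevicePolicies\\WriteProtect = 1 (or 0).
    Needs an elevated prompt.  Affects USB mass-storage devices only, and is
    read when the device is enumerated: set it, then connect the enclosure."""
    if sys.platform != "win32":
        raise RuntimeError("StorageDevicePolicies is a Windows registry setting")
    import winreg
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY, 0,
                            winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, 1 if enabled else 0)


def get_usb_write_protect():
    """Return the current WriteProtect value, or None if it is unset or this
    is not Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except FileNotFoundError:          # key or value does not exist
        return None


def probe_write_blocked(mount_point, name="wb-probe.tmp"):
    """Try to create and delete a file on a SCRATCH volume.  Returns
    'blocked' if the OS refuses the write, 'writable' if it went through
    (the blocker is NOT working), 'unavailable' if the path is not mounted."""
    if not os.path.isdir(mount_point):
        return "unavailable"
    path = os.path.join(mount_point, name)
    try:
        with open(path, "xb") as fh:
            fh.write(b"probe")
    except PermissionError:
        return "blocked"
    except OSError as exc:
        # ERROR_WRITE_PROTECT (winerror 19) does not always map to PermissionError
        if getattr(exc, "winerror", None) == 19:
            return "blocked"
        raise
    os.remove(path)
    return "writable"


def demo_probe():
    """Probe a throwaway temporary directory; an ordinary disk is 'writable'."""
    return probe_write_blocked(tempfile.mkdtemp())


if __name__ == "__main__":
    print("WriteProtect value:", get_usb_write_protect())
    print("temp dir probe:", demo_probe())
```

Run `probe_write_blocked(r"E:\")` (or whatever letter the enclosure got) against a scratch drive after setting the value and reconnecting the enclosure; anything other than `'blocked'` means the evidence drive must not be attached on that machine.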
azrael
(@azrael)
Senior Member

Have a look at http://www.hackerhighschool.org/

There are lessons on both Linux and Forensics - both are light in content (for example, there is no discussion of imaging!) - as they aren't designed to teach practitioners, rather to slightly educate the yoof of today, in 30 mins in a classroom - but may be a good place to start, as they are also targeted at approximately the correct age group for what you are looking to do…

Posted : 15/07/2008 8:30 pm
bshavers
(@bshavers)
Active Member

There aren't any exciting imaging tools. Every GUI is point and click ("select source", "select destination" and "image it"). Not much more than that. For high school kids, you probably have an easier time showing Wargames than imaging.

But at least making the point of 'do no harm' to the original evidence being one of the considerations, and the methods to do that, would be good. For demonstration purposes and time considerations, you could always have the kids image a floppy or CD, or even image a small USB drive, all directly to your host machine in a few minutes. Same concept really, but better than watching the paint dry as a hard drive is imaging.

Posted : 16/07/2008 3:51 am
farmerdude
(@farmerdude)
Active Member

With respect to the post about using the GUI and not having to know any Linux, I respectfully disagree. You _do_ need (or should) to know Linux if you're going to use any Linux application proficiently.

For example, let's say you use the GUI app referenced and you don't know Linux;
- How will you identify the target and destination media?
- How will you troubleshoot why a device is not recognized? (Or, perhaps it _is_ recognized by the Linux kernel, only incorrectly or in a manner that you do not recognize)
- How will you articulate what you did and why? (IE, explain what the tool did and how, and why you selected that application (tool))
- Perhaps there is a more efficient way to do what it is you want to do. But how would you know this if you don't know and understand the operating system environment you are working within?

Just some random brain droppings …

farmerdude

http://www.forensicbootcd.com

http://www.onlineforensictraining.com

Posted : 18/07/2008 6:20 pm