Imaging a drive using Windows

15 Posts
12 Users
0 Likes
1,187 Views
packys
(@packys)
Posts: 32
Trusted Member
Topic starter
 

Hi all,

I have a question, and would appreciate anyone's input.

I will be teaching a group of high school students the general approach to imaging a hard drive. As most (if any) of them do not have a working knowledge of Linux, and there is not enough time allowed to introduce them to Linux, I am looking for a do-able option in the Windows environment (just something that will give them that "I did it" feeling).

Specifically, does anyone have a 'preferred' physical setup (one that has worked well for them in the past) as well as a recommended tool? For the physical setup, I have been considering installing a second drive in a 'suspect' box on the secondary IDE, but, are there are other options that may be better?

And, if I were to use such a setup, should the target drive be the same disk geometry as the 'suspect' drive, or is that no longer an issue?
I have used SafeBack 1.0 in the past, but I would like to use a more recent tool. I do not have Encase. I am aware of FTK Imager, ByteBack, Acronis, & Ghost (with -id switch), but have never used any of them.
I am also aware that because I will be using Windows, it will require the use of a write blocker.

Regards,
Chris

 
Posted : 07/01/2006 3:47 am
(@jimmer)
Posts: 25
Eminent Member
 

Have you looked at using the firebootcd? It allows for sterilization, imaging, hashing etc. all from one platform. The commands are fairly easy to learn, I may even have a list of them here. Not sure on that. Additionally it is a free program downloadable off the net. Additionally, you can obtain free demo copies of both FTK and Encase. If you contact them you may be able to obtain numerous free copies. Both allow you to image and process a limited size disk, but all of the functions are available. And both run in a Windows environment.

As to imaging a hard drive I understand what you mean by "hands on" and "I did it". However, to be honest after entering the initial commands, watching the image being created is really kind of boring. You don't say what course you are teaching. Perhaps a more interesting way would be to allow them to process a floppy that you have put some data on for them to find. It's quick and you get quick, viewable results. You may wish to use the fireboot cd, image a floppy then use Norton Disk Editor or the free download of WinHex to view the floppy etc. I think your students would find it interesting to look at a floppy in a normal directory view, then see with disk editor all the data that is there for the viewing if you know where to look. Where are you located?

 
Posted : 07/01/2006 9:52 am
arashiryu
(@arashiryu)
Posts: 122
Estimable Member
 

What do you mean by image a hard drive? Get a forensic image of the hard drive? Or are you talking about drive to drive copy? I also want to make sure you are not talking about decompressing an acquired image file to the hard disk.

Real scenario would be acquiring a forensic image of a hard drive or the suspect media like floppy usb etc. and then examining the image file with WinHex, FTK, EnCase or Paraben tool etc.

The floppy idea is good and will give you more time to discuss and work on the meat of the subject rather than watch the pot boil while you acquire the hard drive image. You can use a hard drive acquisition demonstration as a follow up. This will also eliminate the use of the write blocker.

To forensically acquire a floppy:
*Make sure you write protect the floppy.
*Make sure write protection feature works for the floppy drive in the computer being used for the acquisition.
*You can use the free FTK imager to acquire the floppy.
*You can use the FTK imager itself to examine the floppy image or WinHex. I prefer WinHex.

If you have to use the hard drive, choose the one with the least capacity to demonstrate since it will take less time to get a forensic image:
*Connect the physically removed suspect drive from the system to a write blocker
*Acquire the image with your acquisition workstation via usb / firewire.
*FTK imager is free and works well.
*Use WinHex or free demo of FTK (has limitation of how many files can be loaded as evidence) to examine image file.

 
Posted : 07/01/2006 11:20 am
packys
(@packys)
Posts: 32
Trusted Member
Topic starter
 

Thank you for the replies; maybe I should clarify my situation, and explain a little better.
First, I have been practicing and teaching Comp Forensics at the college level for several years. I was asked to do a small workshop for some high school students to introduce them to the fascinating world of Computer Crime Investigation.
So, while I am very comfortable with doing forensics in the Linux environment, I have fallen behind on the Windows tools; but, I was asked to perform the workshop using Windows tools.
So, I was just looking for a few recommendations on the Windows imaging tools, and the physical setup that might work best with a particular tool (by physical, I mean IDE to IDE; IDE to external USB drive; maybe breaking the image up into CD-sized 'chunks', etc.).
I have several older, small IDE drives that I was going to use for the imaging exercise (and I do mean a forensic image, not a non-forensic Ghost copy). The main purpose is to give the students the hands-on side of removing a drive from a PC (I find that even my college students are intimidated by this), setting it up for imaging, hashing the original and the copy, and viewing the image for forensic analysis (which is why I was wondering if the Windows tools required the drive geometry to be the same).
And, to answer your question, I'm in upstate NY.
Thanks
Chris

 
Posted : 09/01/2006 1:36 am
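The acquisition and hashing workflow described in the two posts above (acquire the suspect media sequentially, hash the original and the copy, optionally split the image into fixed-size segments) can be shown in code as well as with a GUI tool. The script below is an added example written for this thread; it is not code from any poster, nor from FTK Imager, dcfldd or EnCase, although it mirrors what those tools do at a high level. The `FakeDevice` class, the file names, the block and segment sizes and the sample data are all constructed for the demonstration; in a classroom the device would be read through a write blocker.

```python
"""Sequential imaging with zero-filled read errors, segmenting and hash verification.

Added example (not from the original thread or any of the tools it names).
Mirrors the dcfldd/FTK Imager behaviour of reading the source in fixed blocks,
zero-filling unreadable blocks while logging their offsets (dd's
conv=noerror,sync), splitting output into fixed-size segments (the CD-sized
'chunks' mentioned in the thread), and hashing the stream so the image can be
verified against the acquisition hash afterwards.
"""
import hashlib
import os
import tempfile

BLOCK_SIZE = 512                      # sector-sized reads (assumption)
PATTERN = bytes(range(256)) * 3       # constructed, deterministic device content


class FakeDevice:
    """Stand-in for a write-blocked suspect drive (constructed for the demo).
    read_block() returns deterministic bytes and raises OSError for any block
    index listed in bad_blocks, simulating unreadable sectors."""

    def __init__(self, size, bad_blocks=()):
        self.size = size
        self.bad_blocks = set(bad_blocks)

    def read_block(self, offset, length):
        if offset // BLOCK_SIZE in self.bad_blocks:
            raise OSError("simulated unreadable sector at offset %d" % offset)
        start = offset % 256
        return PATTERN[start:start + length]


def acquire(device, out_dir, segment_size, base_name="image"):
    """Image `device` into out_dir/<base_name>.001, .002, ... of `segment_size`
    bytes each. Returns the SHA-256 of the acquired stream, the segment paths
    and the offsets of blocks that were unreadable and zero-filled."""
    stream_hash = hashlib.sha256()
    segments, bad_offsets = [], []
    seg_index, seg_file, seg_written = 0, None, 0
    offset = 0
    while offset < device.size:
        length = min(BLOCK_SIZE, device.size - offset)
        try:
            block = device.read_block(offset, length)
        except OSError:
            block = b"\x00" * length          # keep offsets aligned; log the error
            bad_offsets.append(offset)
        stream_hash.update(block)
        pos = 0
        while pos < len(block):               # a block may straddle two segments
            if seg_file is None or seg_written == segment_size:
                if seg_file is not None:
                    seg_file.close()
                seg_index += 1
                path = os.path.join(out_dir, "%s.%03d" % (base_name, seg_index))
                seg_file = open(path, "wb")
                segments.append(path)
                seg_written = 0
            piece = block[pos:pos + (segment_size - seg_written)]
            seg_file.write(piece)
            seg_written += len(piece)
            pos += len(piece)
        offset += length
    if seg_file is not None:
        seg_file.close()
    return {"sha256": stream_hash.hexdigest(), "segments": segments,
            "bad_offsets": bad_offsets}


def verify(segments):
    """Re-hash the segments in order, exactly as a verification pass over the
    finished image would; the caller compares this to the acquisition hash."""
    h = hashlib.sha256()
    for path in segments:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    return h.hexdigest()


def run_demo(size=300 * 1024, segment_size=100 * 1024, bad_blocks=(7,)):
    """Image a constructed device into a temporary directory, verify the copy,
    and independently recompute the expected hash as a second opinion."""
    device = FakeDevice(size, bad_blocks)
    with tempfile.TemporaryDirectory() as out_dir:
        result = acquire(device, out_dir, segment_size)
        result["verified"] = verify(result["segments"]) == result["sha256"]
        result["segment_sizes"] = [os.path.getsize(p) for p in result["segments"]]
    ref = hashlib.sha256()
    for off in range(0, size, BLOCK_SIZE):
        length = min(BLOCK_SIZE, size - off)
        ref.update(b"\x00" * length if off // BLOCK_SIZE in bad_blocks
                   else PATTERN[off % 256: off % 256 + length])
    result["matches_reference"] = result["sha256"] == ref.hexdigest()
    return result


if __name__ == "__main__":
    r = run_demo()
    print("sha256 :", r["sha256"])
    print("segments:", len(r["segments"]), "sizes:", r["segment_sizes"])
    print("zero-filled offsets:", r["bad_offsets"])
    print("image verifies:", r["verified"], "| matches reference:", r["matches_reference"])
```

The point students can take from running it: the hash is computed over the bytes actually written, so the copy verifies against the acquisition hash even when a sector was unreadable, and the logged offsets are what tells the examiner that the image differs from the original media there. Geometry never enters into it: a sector-by-sector stream of bytes is what gets hashed and copied, which is why a target drive only needs to be large enough, not geometrically identical.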
(@jimmer)
Posts: 25
Eminent Member
 

I would think Encase would solve your problem. The reason I asked is I am from the Buffalo, NY area originally.

 
Posted : 09/01/2006 4:02 am
(@xaberx)
Posts: 105
Estimable Member
 

I have a free utility on my site that is an interface for DCFLDD; you could show them the command line and then the GUI with it. Also this helps too if the program has a budget. It's not as pretty as some but it's free and images both logical and physical drives in Windows.

my site is
www.xabersoft.com

hope it helps

 
Posted : 21/06/2008 11:29 am
(@chitapett)
Posts: 76
Estimable Member
 

To expand on Jimmer's last response…

I think EnCase would be your best option for a free tool that you can image with in Windows, create a hash value of the original and one of the final evidence. Your only problem comes when you are trying to show the students the tree structure of the drive which I'm not entirely sure is important to you.

EnCase "Acquisition" mode is free and can be used by anyone without a dongle. You simply need the installer which you could probably get from Guidance Software's technical services department.

In addition, you are teaching students on software that is by far the most widely used windows forensic application out there.

Whatever you do, test your "older" hard drives before your class. All these forensic applications have a tendency of not working when you really need them to.

My 2 cents…

 
Posted : 05/07/2008 12:41 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> …you are teaching students on software that is by far the most widely used windows forensic application out there.

IMHO, teaching EnCase for that reason is a mistake. Forensic analysis should be about using the right tool, not just about using EnCase. Yes, EnCase is the most popular…but it's that way for the same reasons that Gates' MS-DOS became the most popular OS at the time, over Kildall's CP/M.

Forensic examiners and students alike should know how things like file signatures work first, *then* should they decide to use that technique (or any other) learn how to do so in a particular application.

 
Posted : 05/07/2008 4:33 pm
(@jonathan)
Posts: 878
Prominent Member
 

FTK Imager. Very good app and it's free.

 
Posted : 05/07/2008 5:04 pm
(@packman)
Posts: 3
New Member
 

I am surprised that no one mentioned Helix. Free and with the gui you do not have to know any Linux.

 
Posted : 15/07/2008 7:37 am