Imaging / Disk copying Methodology

l600dan
(@l600dan)
Posts: 12
Active Member
Topic starter
 

Sorry if these questions sound like they are coming from a simpleton…it's really not that far from the truth 😉

Can anyone recommend a tried and tested method (hardware / software / bespoke products) of acquiring forensic images for analysis in EnCase V4 that will allow the following

Fast, reliable copying of hard disks - mainly IDE
2 copies to be performed simultaneously

Also, what are the known implications of taking a full forensic bit-stream copy of a disk as opposed to an image.

Any help or advice would be appreciated

 
Posted : 16/09/2005 6:04 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Can anyone recommend a tried and tested method (hardware / software / bespoke products) of acquiring forensic images for analysis in EnCase V4 that will allow the following

Fast, reliable copying of hard disks - mainly IDE

Sure. Linux or Windows, + dd/dd.exe/dcfldd (pick one). EnCase can be used, as well. ProDiscover from TechPathways…use the dd option. The list goes on…

2 copies to be performed simultaneously

To be honest, I haven't run across this one, or the need, so I'll be interested to see…

Also, what are the known implications of taking a full forensic bit-stream copy of a disk as opposed to an image.

An image *IS* a "full forensic bitstream copy of a disk".

Hope that helps.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

 
Posted : 16/09/2005 6:38 pm
 Andy
(@andy)
Posts: 357
Reputable Member
 

2 copies to be performed simultaneously…..

FTK Imager (which is free to download and use) can perform this function. It can also image to EnCase .E01, Linux DD, and SMART files all at the same time.

Andy

 
Posted : 17/09/2005 9:26 pm
l600dan
(@l600dan)
Posts: 12
Active Member
Topic starter
 

Many thanks for these suggestions, they are most helpful. I will evaluate these suggestions and keep you updated on my progress (if of course you're interested!!). If anyone else has any suggestions, please do let me know. Thanks once again.

 
Posted : 19/09/2005 1:43 pm
sachin
(@sachin)
Posts: 28
Eminent Member
 

For fast imaging of IDE HDs you can use the hardware tool "Forensic MD5"; the image file thus created supports most analysis tools such as EnCase v4, FTK etc.

 
Posted : 20/09/2005 11:44 am
l600dan
(@l600dan)
Posts: 12
Active Member
Topic starter
 

Thanks again to all those wonderful people who have contributed to this thread.

Am swaying towards using either a Linux based solution or one of the hardware imagers - such as the Forensic MD5.

Does anyone know if you can implement lossless compression with DD images???

Also, is it true to say that hardware solutions such as the Forensic MD5 and the Logicube Talon are far quicker than using a PC (running either Windows or Linux) to image hard disks?

 
Posted : 22/09/2005 2:33 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

Does anyone know if you can implement lossless compression with DD images???

Sure, gzip etc.

Jamie

 
Posted : 22/09/2005 3:52 pm
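The dd-based suggestions above (two copies at once, gzip for lossless compression) can be combined as follows. This is an added example, not part of any poster's reply; the file names are assumptions and the source is a constructed sample file standing in for a write-blocked drive.

```shell
#!/bin/sh
# Added example. SRC is a constructed sample file standing in for a
# write-blocked source device; all file names are assumptions.
HASH=${HASH:-md5sum}            # sha256sum can be substituted

# hash_of FILE: print only the hex digest of FILE
hash_of() { $HASH < "$1" | cut -d' ' -f1; }

# acquire SRC COPY1 COPY2: read SRC once, write two identical raw copies,
# and print the digest of the stream exactly as it was read.
acquire() {
    dd if="$1" bs=64k 2>/dev/null | tee "$2" "$3" | $HASH | cut -d' ' -f1
}

# compress_image IMAGE: gzip IMAGE to IMAGE.gz (original kept) and print the
# digest of the decompressed stream, which must equal the acquisition digest.
compress_image() {
    gzip -c "$1" > "$1.gz" || return 1
    gzip -dc "$1.gz" | $HASH | cut -d' ' -f1
}

# make_sample FILE: constructed 1 MiB "disk", 64 KiB of data then zero fill
make_sample() {
    { dd if=/dev/urandom bs=64k count=1; dd if=/dev/zero bs=64k count=15; } \
        2>/dev/null > "$1"
}

# run_demo DIR: acquire, verify both copies, compress one; returns 0 on success
run_demo() {
    make_sample "$1/src.dd"
    acq=$(acquire "$1/src.dd" "$1/copy1.dd" "$1/copy2.dd")
    [ "$acq" = "$(hash_of "$1/copy1.dd")" ] || return 1
    [ "$acq" = "$(hash_of "$1/copy2.dd")" ] || return 1
    [ "$acq" = "$(compress_image "$1/copy2.dd")" ] || return 1
    echo "acquisition digest $acq verified on both copies and on copy2.dd.gz"
}

work=$(mktemp -d) && run_demo "$work"; rm -rf "$work"
```

Because the digest is taken from the stream as it is read, the source only has to be read once; every later check runs against the copies.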
(@samirdatt)
Posts: 24
Eminent Member
 

I know that hardware based solutions are the way to go.

The Logicube MD5 works at speeds greater than 3 GB/min for 7200 rpm drives (I have tested it) and I read that the Talon works at speeds of 4 GB/min.

So you are looking at imaging a 40 Gig drive in under 20 min (including setup etc.)

Compare that with an Encase or FTK imager acquisition and you will find yourself saving serious amounts of time.

I know that the Logicube MD5 allows you to create DD images and these can be accessed by both EnCase and FTK.

I had read about a product somewhere which produced two images at the same time - let me see if I can find it for you.

Cheers
Samir Datt

 
Posted : 31/10/2005 2:35 pm
nickfx
(@nickfx)
Posts: 131
Estimable Member
 

Take a look at the SMART forensic toolkit at http://www.asrdata2.com/, you can boot the target system to the Smart linux disk and image and clone a drive at the same time. Costs about $1000 for LE I think and around double that for NonLE. I've looked at the demo and my local LE use it and it's superb. It's in the budget for next year.

Re the hardware copiers, they can be quick under the 'write' conditions (excuse the pun) but suppliers have been frank with me about reliability and variety of performance.

Nick

 
Posted : 31/10/2005 11:59 pm
(@samirdatt)
Posts: 24
Eminent Member
 

Hardware Solution for imaging to 2 drives simultaneously is the Talon Raid attachment for the Logicube Talon.

The hardware bitstreaming solutions are good for cases without bad sectors.

In situations with bad sectors - things become tricky - especially when the disk is failing and stops working every few minutes due to heat generation. For this kind of a situation you need reverse cloning software which can start and stop at designated sectors, work in segments and maintain md5 hashes for each segment.

HTH
Samir Datt

 
Posted : 01/11/2005 1:06 pm
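The segment-wise approach described in the post above (designated start and end sectors, working in reverse, one MD5 per segment) can be sketched with plain dd. This is an added example, not the poster's software or any product's method; the log layout, function names and file names are assumptions, and the "drive" is a constructed sample file.

```shell
#!/bin/sh
# Added example: segment-wise, last-segment-first imaging with an MD5 per segment.
# File names and the "FIRST COUNT MD5" log layout are assumptions.
SECTOR=512

# image_segments SRC OUT LOG START END SEG
# Copy sectors [START, END) of SRC to the same offsets in OUT, SEG sectors at
# a time, working backwards. Segments already in LOG are skipped, so a run
# can be stopped (failing drive needs to cool) and restarted later.
image_segments() {
    src=$1 out=$2 log=$3 start=$4 end=$5 seg=$6
    touch "$log"
    pos=$end
    while [ "$pos" -gt "$start" ]; do
        first=$((pos - seg))
        if [ "$first" -lt "$start" ]; then first=$start; fi
        count=$((pos - first))
        if ! grep -q "^$first $count " "$log"; then
            # noerror,sync zero-fills unreadable sectors so offsets stay aligned
            dd if="$src" of="$out" bs="$SECTOR" skip="$first" seek="$first" \
               count="$count" conv=noerror,sync,notrunc 2>/dev/null
            # hash what was captured instead of re-reading the fragile source
            sum=$(dd if="$out" bs="$SECTOR" skip="$first" count="$count" \
                  2>/dev/null | md5sum | cut -d' ' -f1)
            echo "$first $count $sum" >> "$log"
        fi
        pos=$first
    done
}

# verify_segments IMAGE LOG: re-hash each logged segment of IMAGE and print
# how many no longer match (0 means the image still agrees with the log).
verify_segments() {
    bad=0
    while read -r first count sum; do
        now=$(dd if="$1" bs="$SECTOR" skip="$first" count="$count" \
              2>/dev/null | md5sum | cut -d' ' -f1)
        [ "$now" = "$sum" ] || bad=$((bad + 1))
    done < "$2"
    echo "$bad"
}

# Constructed sample: a 100-sector file stands in for the failing drive.
d=$(mktemp -d)
dd if=/dev/urandom of="$d/src.dd" bs="$SECTOR" count=100 2>/dev/null
image_segments "$d/src.dd" "$d/img.dd" "$d/seg.log" 0 100 32
cat "$d/seg.log"
echo "mismatching segments: $(verify_segments "$d/img.dd" "$d/seg.log")"
rm -rf "$d"
```

The per-segment log localises any later change in the image to one segment, and it doubles as the restart record after an interrupted run.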