  • I'm not a forensic specialist, but I did spend some time researching the field because I also thought it would be interesting to get into. Personally, I would remove the drive and use a forensic write blocker to ensure that absolutely nothing can be written to the drive - and more importantly, that no one else can claim you did so.

    Removing the drive should not compromise the forensic aspect, as long as you document the procedure: when did you get the computer in question, and from whom? Document the computer so it's identifiable without question. Document the make, model and serial number of the drive you are duplicating. Document the duplication process, what equipment and software you used.

    You might want to spend some time reading this site, which includes links to some write blockers which are less expensive than forensic duplicators. http://www.forensicswiki.org/wiki/Main_Page


    15 Replies

    • Just to confirm you are looking for a product that takes images of existing configuration, not looking for something that re images computers?

    • What exactly are you trying to do?

    • I need to create forensic images for a law firm. The firm sometimes has to investigate the content of seized computers and use it to provide proof in court and so on. So I assume the systems must be frozen in time somehow and the data be accessible. I don't know what else I can say since the request from my prospect was that vague. I'm excited about the potential contract but I haven't discussed the details yet. You tell me what can be done. :-)

      The one thing I understood is that it's not about re-imaging the law firm employee computers. It's on court case material I'd have to work.

    • Geo,

      ShadowProtect will do forensic images for a law firm.  You could even use the ShadowProtect IT Edition (a USB flash drive) which can take full backups without installing any software.  The IT Edition can be purchased on a subscription basis (e.g. buy use for 2 weeks, 1 month, 1 year, etc) and you can backup an unlimited number of systems with just one IT Edition tool.  We support the latest UEFI/GPT hardware standards and Windows OS and you can restore backup images to new physical or virtual systems or simply recover specific files/folders.

      If you have more questions, let me know or check out our website.  Acronis (your favorite) is one of our competitors.

      Cheers!

    • Broswine wrote:

      I need to create forensic images for a law firm. The firm sometimes has to investigate the content of seized computers and use it to provide proof in court and so on. So I assume the systems must be frozen in time somehow and the data be accessible. I don't know what else I can say since the request from my prospect was that vague. I'm excited about the potential contract but I haven't discussed the details yet. You tell me what can be done. :-)

      The one thing I understood is that it's not about re-imaging the law firm employee computers. It's on court case material I'd have to work.

      http://www.microsoft.com/en-us/download/details.aspx?id=24373

    • What I do is create a .vhd using Windows Backup (assuming W7 or later), then open said vhd files in Hyper-V.

    • Might want to look at hardware options too (http://www.wiebetech.com/ as an example).

    • ^^ +100 for WiebeTech. Forensic imaging with a raw bitstream is quite specialized. You need the write-blocked docks for proper chain-of-custody handling.

    • Just a word of caution... forensic work is more about procedure than it is the technical issues.

      The end product is evidence for use in a court room so typically people that succeed in this field come from law enforcement or legal backgrounds where they are already used to maintaining the chain of custody, and documenting every little step, and know how to give effective courtroom testimony.

      Computer techs tend to be too focused on getting to the data, getting the job done expediently, and in the process fail to maintain the level of documentation required.

      I'm not saying to ignore the opportunity, just that there is more to it than just focusing on what tools you need to do the job.

    • Image the drive separately from the operating system drive you are investigating.

      This means either booting with a CD or USB that has imaging software on it, or taking the hard drive out of the case and using a USB adapter to plug it into a different system. The preference should be given to booting the system you are investigating from a CD or USB. You can go the specialty route if your budget allows it ... forensic software/hardware can cost tens of thousands but in my limited experience isn't worth it except in very high profile cases.

      You do not want to write anything onto the drive you are investigating, that is why booting it from a different device is essential. If you boot using the operating system of the device you are investigating you will overwrite something.

      You want to image by blocks, not by files. Most imaging software allows this but it is not usually the default setting. Imaging by blocks takes longer.

      For investigation reasons it is best to put the image on a new hard drive, one that hasn't been used for anything else. This gives you a little more credibility in the court room.

      Use a standard imaging software because that will also give your testimony more standing in court, or in a written report.

      As said above, mount the image in a VM if you want to watch it in operation. Otherwise most imaging software allows you to mount the image as a hard drive so you can see the files (you just can't boot that way).

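Two points in this thread, the best answer's advice to document the drive and the duplication process, and the post above about imaging by blocks rather than by files, come together in a small acquisition script. The code below is an added example written for this thread; it is not a tool any of the posters mentioned and it does not replace a hardware write blocker. It reads a source device block by block, hashes every block as it is copied, re-hashes the finished image independently, and writes a chain-of-custody record (examiner, case number, drive make/model/serial) alongside the image. For an offline demonstration it creates a constructed file that stands in for a write-blocked drive; on a real acquisition `source_path` would be the block device behind the write blocker (for example a path such as `/dev/sdb` on Linux, an assumption about the reader's platform) and the custody fields would be filled in from the evidence paperwork.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Fixed block size: the copy is made sector-style, not file by file, so
# unallocated space and slack are captured along with the live files.
BLOCK_SIZE = 4096


def image_device(source_path, image_path, block_size=BLOCK_SIZE):
    """Bit-for-bit copy of source into image, hashing each block as it is read.

    The source is opened read-only; nothing is ever written back to it.
    Returns the byte count plus SHA-256 and MD5 of the data as it was read.
    """
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    bytes_read = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            sha256.update(block)
            md5.update(block)
            dst.write(block)
            bytes_read += len(block)
    return {"bytes": bytes_read, "sha256": sha256.hexdigest(), "md5": md5.hexdigest()}


def hash_file(path, block_size=BLOCK_SIZE):
    """Independent SHA-256 of a file, used to verify the image after the copy."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(block_size), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source_path, image_path, custody):
    """Image the source, verify the image, and write a custody record next to it."""
    started = datetime.now(timezone.utc).isoformat()
    result = image_device(source_path, image_path)
    finished = datetime.now(timezone.utc).isoformat()
    # Verification: the image on disk must hash to what was read from the source.
    verified = hash_file(image_path) == result["sha256"]
    record = {
        **custody,  # examiner, case id, drive make/model/serial, where/when received
        "source_path": source_path,
        "image_path": image_path,
        "started_utc": started,
        "finished_utc": finished,
        "block_size": BLOCK_SIZE,
        "bytes_acquired": result["bytes"],
        "source_sha256": result["sha256"],
        "source_md5": result["md5"],
        "image_verified": verified,
    }
    with open(image_path + ".acquisition.json", "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


def demo():
    """Constructed demonstration: a temp file stands in for a write-blocked drive."""
    workdir = tempfile.mkdtemp(prefix="acq_demo_")
    fake_drive = os.path.join(workdir, "evidence_drive.bin")
    # Size deliberately not a multiple of BLOCK_SIZE to exercise the final short read.
    with open(fake_drive, "wb") as fh:
        fh.write(bytes(range(256)) * 48 + b"trailing-sector-data")
    custody = {  # placeholder values; real ones come from the evidence paperwork
        "examiner": "EXAMINER_NAME",
        "case_id": "CASE-0000",
        "drive_make_model": "DRIVE_MAKE_MODEL",
        "drive_serial": "DRIVE_SERIAL",
        "received_from": "CUSTODIAN_NAME",
    }
    return acquire(fake_drive, os.path.join(workdir, "evidence.dd"), custody)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record is deliberately written as a separate file rather than embedded in the image, so the image hash stays a hash of nothing but the source bytes; anyone re-verifying later only needs the image and the recorded SHA-256.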
    • Macrium Reflect should allow true bit-for-bit imaging.  It's not the default, but it can easily be changed.  I already use Macrium for all disk imaging for all my clients and my personal equipment.  Great piece of software.

      I would put any disks you are imaging in a dual USB 3.0 external dock and use Macrium to clone that image(s) to another new hard drive.

      Dock:

      http://www.newegg.com/Product/Product.aspx?Item=N82E16817821015

      Macrium: (attachment macrium_compressionJPG.JPG, 182 KB)
    • Thank you. I value all your replies.

      However, I'm really nervous about booting the computer, loading the OS and causing modification to the system. A missing hard drive driver or pressing the wrong F-key could cause this.

      1) To be on the safe side, is it best to remove the hard drive prior to imaging it? EDIT: I'm assuming that missing the right F-key would make the system write to start-up files and thus compromise the forensics.

      2) Would removing the hard drive not compromise the forensic aspect?

    • I have used ShadowProtect and Drive Cloner Rx for a situation that was similar to yours and it worked pretty well for me.

    • Golub is hitting all the right points.

      You do not want to install ANYTHING on a drive you need to capture. NOTHING can be altered on a drive that has been seized. If you are getting a live copy from a person that has agreed to give a copy, you cannot alter it in any way after the point that you capture it, and it should be captured in a way that leaves anything on the user's computer. It all has to be very sanitary and sterile as you are dealing with the court's evidence.
