|
Title: Forensic images of USB devices in Windows Post by: jimbob on January 02, 2007, 03:43:04 AM Hi,
I'm sure I could find lots of examples on the web, but how is it best to make a forensic image of a USB device e.g. thumb drive on windows? I rely on Linux of some variety to make forensic duplications of such devices but is it easy/possible to do this on windows? I'm sure that FTK and EnCase support this but are there any free/OS tools that will do the job? Jim Title: Re: Forensic images of USB devices in Windows Post by: pcsneaker on January 02, 2007, 05:35:42 AM No matter what tool you are using you need a hardware write blocker to be absolutely sure to get a forensically sound image when doing it in windows.
There is a registry key to prevent write access to USB devices but I would not rely on that... Title: Re: Forensic images of USB devices in Windows Post by: mn_kthompson on January 02, 2007, 08:40:19 AM You might want to glance over the instructions I posted in another thread about gathering a hard drive image. If you use that technique you should be able to gather and mount an image from a USB drive. The only difference will be the device file to use.
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,937.msg2826/#msg2826 (http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,937.msg2826/#msg2826)
Powered by SMF 1.1.18 |
SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com |