Hello everyone.
I am looking for some information and tools that will help with hard drive duplication for forensic work. This would be for Windows, Linux, Mac as well as UNIX.
Is there one specific tool that can be used for all of these OS's? Or is there one best suited for each OS?
I am familiar with Norton Ghost, but since the world of computer forensics is very delicate and not tampering with the data is critical, I was looking for options and solutions for hard drive duplication.
Anyone recommend any tools?
Much obliged.
J.
A book written by a buddy of mine may be something you'd enjoy:
http://www.amazon.com/UNIX-Linux-Forensic-Analysis-Toolkit/dp/1597492698/ref=sr_1_1?ie=UTF8&s=books&qid=1241936083&sr=1-1
It mentions dcfldd (dd that also cuts md5 on the fly), EnCase's LinEn, AccessData's FTK Imager, and ProDiscover as options for imaging. EnCase forensic edition apparently remains the pro's choice but does cost a lot more than "free."
You may be interested in the Helix distro of Linux, but I think they may have gone non-free here very recently:
http://distrowatch.com/?newsid=05102
Whatever you use, what's most important is to make certain that your image includes all slack space, and can be verified (via md5 or shasums) to be identical to the original disk, chain of custody maintained, preferably image taken with write wires cut, and all that good forensics guy doo dah stuff!
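The image-then-verify step described in the reply above, as an added example that is not part of the original posts: it takes a raw `dd` copy, hashes both source and image, and records the digests so the image can be re-checked later. It assumes GNU coreutils (`dd`, `sha256sum`) and a source that is already attached read-only; the function names and the `.log` file layout are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Print the SHA-256 digest of a file or device.
hash_of() { sha256sum < "$1" | cut -d' ' -f1; }

# acquire SRC IMG
# Copies SRC to IMG bit for bit (a raw copy includes slack and unallocated
# space), hashes both, and records the result in IMG.log.
# Returns 0 only when the two digests match.
acquire() {
    src=$1
    img=$2
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 2; fi

    # No conv=noerror,sync: a read error stops the run instead of silently
    # padding the image with zeros, which would change its hash.
    if ! dd if="$src" of="$img" bs=64k 2>/dev/null; then
        echo "dd failed reading $src" >&2
        return 2
    fi
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    chmod a-w "$img"    # guard the working copy against accidental writes
    {
        echo "date_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source=$src"
        echo "image=$img"
        echo "bytes=$(wc -c < "$img" | tr -d ' ')"
        echo "sha256_source=$src_hash"
        echo "sha256_image=$img_hash"
    } > "$img.log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG
# Re-hashes IMG and compares it with the source digest recorded at
# acquisition time; fails if the image has changed since then.
verify_image() {
    img=$1
    recorded=$(sed -n 's/^sha256_source=//p' "$img.log")
    [ -n "$recorded" ] && [ "$(hash_of "$img")" = "$recorded" ]
}
```

Run `verify_image` again before each analysis session and keep the `.log` file with the custody paperwork.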