tools for hard drive duplication

    • #3778
      jason.williams14
      Participant

      Hello everyone.

      I am looking for some information and tools that will help with hard drive duplication for forensic work. This would be for Windows, Linux, Mac as well as UNIX.

      Is there one specific tool that can be used for all of these OS’s? Or is there one best suited for each OS?

      I am familiar with Norton Ghost, but since the world of forensics in computer is very delicate and not tampering with the data is critical, I was looking for options and solutions for hard drive duplication.

      Anyone recommend any tools?

      Much obliged.

      J.

    • #24159
      TTewell
      Participant

      2 letters. DD ;D

    • #24160
      Ketchup
      Participant

      Yep, DD, DCFLDD is even better. I would look into the Raptor forensics boot disc, as well as Helix. Raptor is much easier to use for one that doesn’t have Linux experience. Helix is more powerful.

    • #24161
      Otter
      Participant

      @jason.williams14 wrote:

      Hello everyone.

      I am looking for some information and tools that will help with hard drive duplication for forensic work. This would be for Windows, Linux, Mac as well as UNIX.

      Is there one specific tool that can be used for all of these OS’s? Or is there one best suited for each OS?

      I am familiar with Norton Ghost, but since the world of forensics in computer is very delicate and not tampering with the data is critical, I was looking for options and solutions for hard drive duplication.

      Anyone recommend any tools?

      Much obliged.

      J.

      A book written by a buddy of mine may be something you’d enjoy:

      http://www.amazon.com/UNIX-Linux-Forensic-Analysis-Toolkit/dp/1597492698/ref=sr_1_1?ie=UTF8&s=books&qid=1241936083&sr=1-1

      It mentions dcfldd (dd that also cuts md5 on the fly), EnCase’s LinEn, AccessData’s FTK Imager, and ProDiscover as options for imaging. EnCase forensic edition apparently remains the pro’s choice but does cost a lot more than “free.”

      You may be interested in the Helix distro of Linux, but I think they may have gone non-free here very recently:
      http://distrowatch.com/?newsid=05102

      Whatever you use, what’s most important is to make certain that your image includes all slack space, and can be verified (via md5 or shasums) to be identical to the original disk, chain of custody maintained, preferably image taken with write wires cut, and all that good forensics guy doo dah stuff!
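
The verification step described in the post above (hash the original, image it, confirm the image hashes the same), sketched with plain dd and sha256sum as an added example that is not part of any post in this thread. It assumes GNU coreutils; the function names and the constructed sample "disk" are hypothetical stand-ins for a write-blocked source device.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils: dd, sha256sum.
# All function names here are hypothetical.

# hash_of PATH: print only the SHA-256 hex digest; fail if PATH is unreadable.
hash_of() {
    out=$(sha256sum "$1") || return 1
    printf '%s\n' "${out%% *}"
}

# acquire_and_verify SRC DST LOG
# Hash SRC, copy it with dd, hash the copy, and append both digests to LOG.
# Returns 0 on a match, 1 on a mismatch, 2 if hashing or copying failed.
acquire_and_verify() {
    src=$1; dst=$2; log=$3
    src_hash=$(hash_of "$src") || return 2
    dd if="$src" of="$dst" bs=1M 2>/dev/null || return 2
    img_hash=$(hash_of "$dst") || return 2
    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s source=%s sha256=%s\n' "$now" "$src" "$src_hash" >> "$log"
    printf '%s image=%s sha256=%s\n' "$now" "$dst" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# reverify IMG LOG: re-hash IMG later and compare with the digest in LOG.
reverify() {
    recorded=$(grep -F " image=$1 " "$2" | tail -n 1 | sed 's/.*sha256=//')
    [ -n "$recorded" ] && [ "$(hash_of "$1")" = "$recorded" ]
}

# make_sample_disk PATH: constructed 1 MiB stand-in for a real source device.
make_sample_disk() {
    dd if=/dev/zero of="$1" bs=512 count=2048 2>/dev/null &&
        printf 'constructed sample evidence' | dd of="$1" conv=notrunc 2>/dev/null
}

# Demo on the constructed sample only.
demo_dir=$(mktemp -d)
make_sample_disk "$demo_dir/disk.raw"
acquire_and_verify "$demo_dir/disk.raw" "$demo_dir/disk.img" "$demo_dir/hash.log" \
    && echo "image verified against source"
rm -rf "$demo_dir"
```

The log written by `acquire_and_verify` is what lets `reverify` show, at any later point, that the working image is still the one that was acquired.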

    • #24162
      jason.williams14
      Participant

      Thanks guys. I really appreciate it.

      Ya, I was thinking of DD with a combo of netcat. That would work.
      I will try the other one, dcfldd… seems cool.

      EnCase seems to be a very popular product. I should look into it further.

      Thanks!

    • #24163
      Ketchup
      Participant

      There are very few people actually doing imaging with EnCase products, including LinEn. They are painfully slow. The Raptor disc is able to create E01 images much, much faster than EnCase or LinEn can. We get about 2 GB/min on decent hardware. EnCase is nowhere close to that.

      Of course, nothing beats EnCase for doing actual analysis.


Copyright ©2020 Caendra, Inc.
