
tools for hard drive duplication

<<

jason.williams14

Newbie

Posts: 2

Joined: Wed May 06, 2009 9:47 pm

Post Sat May 09, 2009 1:31 pm

tools for hard drive duplication

hello everyone.

I am looking for some information and tools that will help with hard drive duplication for forensic work. This would be for Windows, Linux, Mac as well as UNIX.

Is there one specific tool that can be used for all of these OS's? Or is there one best suited for each OS?

I am familiar with Norton Ghost, but since the world of forensics in computer is very delicate and not tampering with the data is critical, I was looking for options and solutions for hard drive duplication.

Anyone recommend any tools?

Much obliged.

J.
<<

TTewell

Newbie

Posts: 21

Joined: Mon Apr 20, 2009 7:09 pm

Post Sat May 09, 2009 4:03 pm

Re: tools for hard drive duplication

2 letters. DD ;D
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat May 09, 2009 4:46 pm

Re: tools for hard drive duplication

Yep, DD, DCFLDD is even better. I would look into the Raptor forensics boot disc, as well as Helix. Raptor is much easier to use for one that doesn't have Linux experience. Helix is more powerful.
~~~~~~~~~~~~~~
Ketchup
<<

Otter

Newbie

Posts: 41

Joined: Tue Jul 03, 2007 1:03 pm

Post Sun May 10, 2009 1:27 am

Re: tools for hard drive duplication

jason.williams14 wrote: hello everyone.

I am looking for some information and tools that will help with hard drive duplication for forensic work. This would be for Windows, Linux, Mac as well as UNIX.

Is there one specific tool that can be used for all of these OS's? Or is there one best suited for each OS?

I am familiar with Norton Ghost, but since the world of forensics in computer is very delicate and not tampering with the data is critical, I was looking for options and solutions for hard drive duplication.

Anyone recommend any tools?

Much obliged.

J.


A book written by a buddy of mine may be something you'd enjoy:

http://www.amazon.com/UNIX-Linux-Forens ... 083&sr=1-1

It mentions dcfldd (dd that also cuts md5 on the fly), EnCase's LinEn, AccessData's FTK Imager, and ProDiscover as options for imaging. EnCase forensic edition apparently remains the pro's choice but does cost a lot more than "free."

You may be interested in the Helix distro of Linux, but I think they may have gone non-free here very recently:
http://distrowatch.com/?newsid=05102

Whatever you use, what's most important is to make certain that your image includes all slack space, and can be verified (via md5 or shasums) to be identical to the original disk, chain of custody maintained, preferably image taken with write wires cut, and all that good forensics guy doo dah stuff!
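
The hash-while-imaging and verify-afterwards step mentioned above, as an added example that is not part of any post in this thread. It uses plain dd with tee and sha256sum rather than dcfldd; the function names, file names and the `--demo` switch are illustrative assumptions.

```shell
#!/bin/sh
# Added example: hash while imaging, then verify the image read back from disk.
# In practice SRC is a write-blocked device; any readable file works for a dry run.

hash_of() {   # print only the SHA-256 hex digest of a file or device
    sha256sum "$1" | awk '{print $1}'
}

# verify IMG: re-read the image and compare with the hash recorded at acquisition.
verify() {
    want=$(awk '{print $1}' "$1.sha256") || return 2
    got=$(hash_of "$1")
    if [ "$got" = "$want" ]; then
        echo "OK $got"
        return 0
    fi
    echo "MISMATCH recorded=$want image=$got" >&2
    return 1
}

# acquire SRC IMG: a single read pass over SRC feeds both the image file and
# the hash (the same idea as dcfldd's on-the-fly hashing), then the written
# image is verified against that hash.
acquire() {
    src=$1
    img=$2
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$img" ]; then echo "refusing to overwrite $img" >&2; return 2; fi
    acq=$(dd if="$src" bs=1048576 2>/dev/null | tee "$img" | sha256sum | awk '{print $1}')
    printf '%s  %s\n' "$acq" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"    # guard against accidental modification
    verify "$img"
}

# Dry run on a constructed 1 MiB stand-in for a disk: sh image.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    dd if=/dev/urandom of="$tmp/disk.raw" bs=4096 count=256 2>/dev/null
    acquire "$tmp/disk.raw" "$tmp/disk.img"
    rm -rf "$tmp"
fi
```

The recorded hash proves the image matches what dd read; a read error part-way through the source is not detected by this pipeline, so compare the image size with the source size as well.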
<<

jason.williams14

Newbie

Posts: 2

Joined: Wed May 06, 2009 9:47 pm

Post Sun May 10, 2009 4:26 pm

Re: tools for hard drive duplication

Thanks guys. I really appreciate it.

Ya, I was thinking of DD with a combo of netcat. That would work.
I will try the other one, dcfldd... seems cool.

EnCase seems to be a very popular product. I should look into it further.

Thanks!
<<

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sun May 10, 2009 4:29 pm

Re: tools for hard drive duplication

There are very few people actually doing imaging with EnCase products, including LinEn. They are painfully slow. The Raptor disc is able to create E01 images, much much faster than EnCase or LinEn can. We get about 2 GB/min on decent hardware. EnCase is nowhere close to that.

Of course, nothing beats EnCase for doing actual analysis.
~~~~~~~~~~~~~~
Ketchup
