
Forensic images of USB devices in Windows


jimbob

Post Tue Jan 02, 2007 4:43 am

Forensic images of USB devices in Windows

Hi,
I'm sure I could find lots of examples on the web, but how is it best to make a forensic image of a USB device, e.g. a thumb drive, on Windows? I rely on Linux of some variety to make forensic duplications of such devices, but is it easy/possible to do this on Windows? I'm sure that FTK and EnCase support this, but are there any free/OS tools that will do the job?

Jim

pcsneaker

Jr. Member

Posts: 73

Joined: Mon Nov 07, 2005 12:23 pm

Post Tue Jan 02, 2007 6:35 am

Re: Forensic images of USB devices in Windows

No matter what tool you are using, you need a hardware write blocker to be absolutely sure to get a forensically sound image when doing it in Windows.

There is a registry key to prevent write access to USB devices but I would not rely on that...
MCSA:Security (W2k, W2k3)
MCSE:Security (W2k, W2k3)
CPTS, Network+

mn_kthompson

Jr. Member

Posts: 58

Joined: Tue Sep 19, 2006 1:59 pm

Location: Mankato, MN

Post Tue Jan 02, 2007 9:40 am

Re: Forensic images of USB devices in Windows

You might want to glance over the instructions I posted in another thread about gathering a hard drive image.  If you use that technique you should be able to gather and mount an image from a USB drive.  The only difference will be the device file to use.
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,937.msg2826/#msg2826
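
An added example, not from any poster in this thread and not a reproduction of the linked instructions: a minimal acquire-and-verify routine that copies a source to an image file while hashing it, then re-hashes the image to confirm the copy. It assumes the source is passed as a path (on Windows a raw device path of the form `\\.\PhysicalDriveN`, opened from an elevated prompt); the demo uses a constructed temporary file instead of a real device. Opening the source read-only in the tool does not stop the operating system from writing to the device, so this does not replace the hardware write blocker recommended above.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # multiple of 512 so raw-device reads stay sector-aligned


def sha256_of(path):
    """Hash a file or raw device by streaming it in CHUNK-sized reads."""
    digest = hashlib.sha256()
    with open(path, "rb", buffering=0) as src:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            digest.update(block)
    return digest.hexdigest()


def acquire(source, image_path):
    """Copy source to image_path; return (bytes_copied, source_hash, image_hash)."""
    digest = hashlib.sha256()
    copied = 0
    # "rb" requests no write access to the source; "xb" refuses to overwrite an existing image.
    with open(source, "rb", buffering=0) as src, open(image_path, "xb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            digest.update(block)   # hash exactly the bytes that were read from the source
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())     # make sure the image is on disk before verifying it
    return copied, digest.hexdigest(), sha256_of(image_path)


def demo():
    """Run acquire() on a constructed 3 MiB + 100 byte stand-in for a thumb drive."""
    with tempfile.TemporaryDirectory() as tmp:
        fake_device = os.path.join(tmp, "fake_usb.bin")  # constructed sample, not a real device
        with open(fake_device, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 100))
        return acquire(fake_device, os.path.join(tmp, "usb.img"))


if __name__ == "__main__":
    size, src_hash, img_hash = demo()
    print(size, src_hash, "MATCH" if src_hash == img_hash else "MISMATCH")
```

Record both hashes with the case notes; a mismatch means the image must not be used as the working copy.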
