July 15th, 2019, 10:07
July 15th, 2019, 10:18
July 15th, 2019, 14:06
July 16th, 2019, 5:33
Scorpion wrote:Hello,
I have to go to a far away private coustomer for a forensic job.
I have PC3000 Express but don't have the possibilty to take the system with me.
I am looking for a good cloning software so I will boot it up from a USB and clone the entire client drive to my new empty drive.
Any recomandations for good software?
Best Regards
July 16th, 2019, 6:31
July 16th, 2019, 9:05
July 17th, 2019, 6:18
July 17th, 2019, 9:00
July 17th, 2019, 10:27
pclab wrote:What about FTK imager?
July 17th, 2019, 13:23
posidon wrote:In order to use winhex or any windows based tool , hardware write blocker is a must so winhex will be of no use. If source hdd is directly connected to windows pc then some write operation will be performed and access date /stamps will be altered.
It must be a linux based live boot tool.
July 17th, 2019, 18:35
WinHex will also show the MD5 HASH after making the image which can also be compressed at the same time.
The challenge with software is the handling of bad sectors and write blocking of the source drive.
In order to use winhex or any windows based tool , hardware write blocker is a must so winhex will be of no use. If source hdd is directly connected to windows pc then some write operation will be performed and access date /stamps will be altered.
It must be a linux based live boot tool.
Allows to write-protect locally attached physical storage devices (including removable media, except optical media) with all their volumes everywhere in the operating system, in all applications, even at the sector level in WinHex itself, no matter which edit mode is active. This can be useful to protect original disks that need to be acquired or analyzed (but only after Windows has detected and accessed them) and your own disks that contain images, from accidental alteration, deletion, or data corruption. The effect will last until you remove the write protection again or unplug the devices or reboot your computer. To keep Windows from touching newly attached physical storage devices before you can write-protect them (i.e. to keep them in "offline" mode first), you would need to disable automatic mounting in Windows (and verify that this works). Turning on write-protection for an offline disk will automatically bring the disk online, at the same time while rendering it read-only. Careful, do not write-protect disks that your Windows system needs to write to for proper functioning!
July 17th, 2019, 19:08
pcimage wrote:http://www.sdcomputingservice.com/hddsuperclone
August 7th, 2019, 13:56
August 7th, 2019, 19:12
August 8th, 2019, 15:41
HaQue wrote:I would not want anybody performing forensic tasks for a job if you need to explain any of this stuff to. At the very least they should be accompanied by a professional. "someone on a forum told me to do this process" wont stand up in court
Powered by phpBB © phpBB Group.