Data recovery and disk repair questions and discussions related to old-fashioned SATA, SAS, SCSI, IDE, MFM hard drives - any type of storage device that has moving parts

Looking for Cloning software

July 15th, 2019, 10:07

Hello,

I have to go to a far away private customer for a forensic job.
I have PC3000 Express but don't have the possibility to take the system with me.

I am looking for a good cloning software so I will boot it up from a USB and clone the entire client drive to my new empty drive.

Any recommendations for good software?

Best Regards :)

Re: Looking for Cloning software

July 15th, 2019, 10:18

http://www.sdcomputingservice.com/hddsuperclone

Re: Looking for Cloning software

July 15th, 2019, 14:06

Smallest and easy one. (Only 288kB) Tested. Mostly working nice.
I have also cloned a disk while Windows was running on it.
A Hirens 15.2 CD program
CopyWipeW.7z

official site:
https://www.terabyteunlimited.com/copywipe.php

Re: Looking for Cloning software

July 16th, 2019, 5:33

Scorpion wrote: Hello,

I have to go to a far away private customer for a forensic job.
I have PC3000 Express but don't have the possibility to take the system with me.

I am looking for a good cloning software so I will boot it up from a USB and clone the entire client drive to my new empty drive.

Any recommendations for good software?

Best Regards :)



I think moving/taking your DR/forensic lab with you is a BAD idea
It's always easier to get it to your lab where you have everything there instead of going there and forgetting something and going back and blah blah....

It's just my opinion of how we do it here..

:roll:

Re: Looking for Cloning software

July 16th, 2019, 6:31

https://www.acelaboratory.com/pc3000portable.php

Re: Looking for Cloning software

July 16th, 2019, 9:05

I'm with @einstein9 in regards to it always being better to do at your lab. But, sometimes forensic acquisitions require on site service. If you want to go with software, you might want to use one of the imaging programs associated with forensic tools. Most of them allow you to use their software to make a forensic image without having a license. WinHex will also show the MD5 HASH after making the image which can also be compressed at the same time. The challenge with software is the handling of bad sectors and write blocking of the source drive.

That said, it is always nice to have a hardware imager to simplify things. On the cheap side, you could just get a StarTech SATDUP11 or a RapidSpar if you want to be able to handle bad sectors and any possible drive instabilities.

Re: Looking for Cloning software

July 17th, 2019, 6:18

In order to use WinHex or any Windows-based tool, a hardware write blocker is a must, so WinHex will be of no use. If the source HDD is directly connected to a Windows PC then some write operation will be performed and access date/stamps will be altered.
It must be a Linux-based live boot tool.

Re: Looking for Cloning software

July 17th, 2019, 9:00

What about FTK imager?

Re: Looking for Cloning software

July 17th, 2019, 10:27

pclab wrote: What about FTK imager?

I agree. We have used FTK (with write-blocker) in Windows on numerous occasions and it works well.

Re: Looking for Cloning software

July 17th, 2019, 13:23

posidon wrote: In order to use WinHex or any Windows-based tool, a hardware write blocker is a must, so WinHex will be of no use. If the source HDD is directly connected to a Windows PC then some write operation will be performed and access date/stamps will be altered.
It must be a Linux-based live boot tool.

Linux may also write to disk too as most modern distributions will attempt to mount connected drives. I don't recommend any software solution without a write blocker.

Re: Looking for Cloning software

July 17th, 2019, 18:35

WinHex will also show the MD5 HASH after making the image which can also be compressed at the same time.

I've read that using NTFS compression or NTFS sparse feature on large files could cause issues. Indeed I've had issues trying to compress large files (more than 20-30GB approximately) from Windows Explorer, or create large volume images with WinHex using the NTFS compression or sparse feature. But I've created huge sparse images with ddrescue (-S switch) on NTFS partitions with no problem (neither during the creation nor afterwards when accessing such images). It seems to negatively affect the performance though: recently for instance, when creating a sparse image from a healthy 4TB HDD, containing about 500GB worth of data (for this recovery case), to an NTFS partition on a 2TB HDD, the average rate went from 60-90MB/s at the beginning down to about 30MB/s when actually copying data, and then up to about 120MB/s when reading empty areas.
I had asked about this on SuperUser, but didn't get much conclusive insight.
What is your experience on that matter?

The challenge with software is the handling of bad sectors and write blocking of the source drive.

In order to use WinHex or any Windows-based tool, a hardware write blocker is a must, so WinHex will be of no use. If the source HDD is directly connected to a Windows PC then some write operation will be performed and access date/stamps will be altered.
It must be a Linux-based live boot tool.

As some have mentioned in former threads on this forum, deactivating the MBR by replacing the last two bytes by whatever value, like “FF FF” instead of “55 AA”, effectively prevents the system from attempting to mount the partition(s) and potentially alter them. But if done from Windows it might be too late, as it mounts whatever is mountable right away, so indeed it should be done from a Linux system. But, although it should work, it might not be safe enough for a real “forensic” job, especially if the very reason why you need to go to that remote location is because the case is particularly sensitive.
Also worth noting: WinHex 19+ has an “OS-wide write protection” feature, which I haven't tested yet; it should prevent tinkering with the MBR, but likewise, it only works after the drive has been analyzed by Windows, which kinda defeats the purpose. From the integrated help:
Allows to write-protect locally attached physical storage devices (including removable media, except optical media) with all their volumes everywhere in the operating system, in all applications, even at the sector level in WinHex itself, no matter which edit mode is active. This can be useful to protect original disks that need to be acquired or analyzed (but only after Windows has detected and accessed them) and your own disks that contain images, from accidental alteration, deletion, or data corruption. The effect will last until you remove the write protection again or unplug the devices or reboot your computer. To keep Windows from touching newly attached physical storage devices before you can write-protect them (i.e. to keep them in "offline" mode first), you would need to disable automatic mounting in Windows (and verify that this works). Turning on write-protection for an offline disk will automatically bring the disk online, at the same time while rendering it read-only. Careful, do not write-protect disks that your Windows system needs to write to for proper functioning!

Re: Looking for Cloning software

July 17th, 2019, 19:08

pcimage wrote: http://www.sdcomputingservice.com/hddsuperclone

While HDDSuperClone is very capable of making a sector by sector clone or image, and when using the HDDLiveCD it should not perform any auto mounting, I do not in any way support it for forensic use, especially in the USA. I (luckily) don’t know the legal system very well, so if you do and can get away with using it for forensic use without issue, then that is great. But if asked, I will say it is not intended for that purpose, and quickly point to the as-is no-warranty in the user license. I am not trying to put down my own software (I think it is awesome), but use it at your own risk for legal forensic work.

And as an FYI it does not check for any hidden HPA/DCO on a drive.

Re: Looking for Cloning software

August 7th, 2019, 13:56

If this is for forensic work which is critical (evidence in court, corporate lawsuit, rich cheating spouse) I recommend you buy a hardware write blocker and insert it between the drive and your work platform. As far as a decent package to copy the drive I would use 'dd' found in all Linux packages. You can create a bootable flash drive with a package such as Ubuntu, and run 'dd' to perform a bit by bit copy to the evidence drive. Be aware 'dd' will copy from first to last bit of data on your client's drive including any unused disk space on the client's drive.
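
An added example, not part of any post in this thread: one way to wrap the 'dd' copy described above so that the image is hashed against the source and the run is logged. The function name `acquire_image`, its arguments and the log layout are hypothetical; it assumes a Linux live system with GNU coreutils and util-linux, and the kernel read-only flag it sets is a software measure only, not the hardware write blocker recommended in the thread.

```shell
#!/bin/sh
# acquire_image SRC DST [LOG]   (hypothetical helper, added example)
#   SRC  source block device (e.g. /dev/sdX) or file; DST  image file to create
# Returns 0 on hash match, 1 on mismatch, 2 on refused preconditions, 3 on read error.
acquire_image() {
    local src dst log src_hash img_hash
    src=$1; dst=$2; log=${3:-$dst.log}

    [ -r "$src" ] || { echo "cannot read source: $src" >&2; return 2; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite: $dst" >&2; return 2; }

    if [ -b "$src" ]; then
        # Kernel read-only flag: stops writes through this node, but it is
        # software only and does not stand in for a hardware write blocker.
        blockdev --setro "$src" || return 2
        [ "$(blockdev --getro "$src")" = 1 ] || return 2
    fi

    {
        echo "started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "source:  $src"
        echo "image:   $dst"
    } >"$log"

    # Hash the source first; stop on a read error instead of hashing partial data.
    src_hash=$(sha256sum <"$src") || { echo "result: READ ERROR" >>"$log"; return 3; }
    src_hash=${src_hash%% *}

    # Plain dd aborts at the first unreadable sector; its record counts go to the log.
    dd if="$src" of="$dst" bs=1M 2>>"$log" || { echo "result: READ ERROR" >>"$log"; return 3; }
    sync

    img_hash=$(sha256sum <"$dst") || return 3
    img_hash=${img_hash%% *}
    echo "sha256 source: $src_hash" >>"$log"
    echo "sha256 image:  $img_hash" >>"$log"

    if [ "$src_hash" = "$img_hash" ]; then
        echo "result: MATCH" >>"$log"; return 0
    fi
    echo "result: MISMATCH" >>"$log"; return 1
}

# Demo on a constructed 2 MiB sample file standing in for the source drive.
demo=$(mktemp -d) && head -c 2097152 /dev/urandom >"$demo/source.bin"
acquire_image "$demo/source.bin" "$demo/image.dd" && cat "$demo/image.dd.log"
```

A return code of 3 means the source has unreadable areas, which is the case the thread hands to ddrescue, HDDSuperClone or a hardware imager rather than plain 'dd'.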

Re: Looking for Cloning software

August 7th, 2019, 19:12

I would not want anybody performing forensic tasks for a job if you need to explain any of this stuff to. At the very least they should be accompanied by a professional. "someone on a forum told me to do this process" won't stand up in court.

Re: Looking for Cloning software

August 8th, 2019, 15:41

HaQue wrote: I would not want anybody performing forensic tasks for a job if you need to explain any of this stuff to. At the very least they should be accompanied by a professional. "someone on a forum told me to do this process" won't stand up in court.



My recommendations were intended to steer him into the reality of associated costs and intensity of needed knowledge to perform forensics. Most people heading down the hobbyist approach when encountering the cost factor of write protection and then encountering the learning curve for 'dd' quickly abandon the quest for forensic work as a favor to a friend.

If however he does proceed down that path at least he has leads and I will not withhold information from someone trying to learn the ropes.