All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 4 posts ] 
Author Message
 Post subject: Copy disk with Disk2vhd for forensic analysis?
PostPosted: January 3rd, 2019, 14:48 
Offline

Joined: January 3rd, 2019, 14:36
Posts: 1
Location: Argentina
Hi!

I have a hard disk that I need to analyze the dates of the last accesses and since I do not have too much time now, I would like to take a backup and analyzing this copy with Autopsy allows me to obtain the corresponding details.

I am concerned that when making this copy of the information with Disk2vhd the access dates will be altered in the copy of the destination and I can no longer accurately deduce this. To avoid this in the source drive, I have found how to disable automating in Windows 7 and mark the drive as read-only, the problem is in the destination drive, that Disk2vhd keeps the dates intact. I'm not sure about that. Have you tried it?

Nor am I sure if it is necessary to make a copy sector by sector if I do not need to analyze the sectors not assigned or try to recover the information deleted.

I hope you read his opinion.


Top
 Profile  
 
 Post subject: Re: Copy disk with Disk2vhd for forensic analysis?
PostPosted: January 5th, 2019, 2:48 
Offline
User avatar

Joined: May 13th, 2010, 11:17
Posts: 2441
Location: Kuwait
Mariner wrote:
Hi!

I have a hard disk that I need to analyze the dates of the last accesses and since I do not have too much time now, I would like to take a backup and analyzing this copy with Autopsy allows me to obtain the corresponding details.

I am concerned that when making this copy of the information with Disk2vhd the access dates will be altered in the copy of the destination and I can no longer accurately deduce this. To avoid this in the source drive, I have found how to disable automating in Windows 7 and mark the drive as read-only, the problem is in the destination drive, that Disk2vhd keeps the dates intact. I'm not sure about that. Have you tried it?

Nor am I sure if it is necessary to make a copy sector by sector if I do not need to analyze the sectors not assigned or try to recover the information deleted.

I hope you read his opinion.


Rule #1 in forensics, take all the time you need to gather enough evidence, trying to judge in 5min without enough info. means 90% bad judgment.

_________________
Kuwait Data Recovery - UNIX GTC
The only reason for time is so that everything doesn't happen at once. By: Albert Einstein


Top
 Profile  
 
 Post subject: Re: Copy disk with Disk2vhd for forensic analysis?
PostPosted: January 5th, 2019, 7:47 
Offline

Joined: November 29th, 2006, 10:08
Posts: 7379
Location: UK
I would make a complete sector clone

_________________
PC Image Data Recovery
http://www.pcimage.co.uk

New!! HDD-PCB.COM for all your PCB and donor HDD requirements!


Top
 Profile  
 
 Post subject: Re: Copy disk with Disk2vhd for forensic analysis?
PostPosted: January 5th, 2019, 16:22 
Offline
User avatar

Joined: December 19th, 2006, 8:49
Posts: 10723
Location: Portugal
pcimage wrote:
I would make a complete sector clone


Agree ! I would do that too using something like a hardware based imager with write blocker on source drive.

If that is not available use something like ddrescue or hddsuperclone to do a sector by sector copy of your original disk to a clone. Later you can do your forensic investigation on the clone.... Unless you are law enforcement, etc and you are restricted by legal reasons to use specific ssollutions like encase ...

_________________
1Q9xrDTzTddUXeJAFRn37aqh1Yr6buDCdw - (Bitcoin Donations)
paypal.me/Spildit - (PayPal Donations)
The HDD Oracle - Platform for OPEN research on Data Recovery.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group