
Copy disk with Disk2vhd for forensic analysis?

January 3rd, 2019, 14:48

Hi!

I have a hard disk on which I need to analyze the dates of the last accesses, and since I do not have too much time now, I would like to take a backup so that analyzing this copy with Autopsy allows me to obtain the corresponding details.

I am concerned that when making this copy of the information with Disk2vhd the access dates will be altered in the copy of the destination and I can no longer accurately deduce this. To avoid this in the source drive, I have found how to disable automating in Windows 7 and mark the drive as read-only; the problem is in the destination drive, whether Disk2vhd keeps the dates intact. I'm not sure about that. Have you tried it?

Nor am I sure if it is necessary to make a copy sector by sector if I do not need to analyze the sectors not assigned or try to recover the information deleted.

I hope you read his opinion.

Re: Copy disk with Disk2vhd for forensic analysis?

January 5th, 2019, 2:48

Mariner wrote: Hi!

I have a hard disk on which I need to analyze the dates of the last accesses, and since I do not have too much time now, I would like to take a backup so that analyzing this copy with Autopsy allows me to obtain the corresponding details.

I am concerned that when making this copy of the information with Disk2vhd the access dates will be altered in the copy of the destination and I can no longer accurately deduce this. To avoid this in the source drive, I have found how to disable automating in Windows 7 and mark the drive as read-only; the problem is in the destination drive, whether Disk2vhd keeps the dates intact. I'm not sure about that. Have you tried it?

Nor am I sure if it is necessary to make a copy sector by sector if I do not need to analyze the sectors not assigned or try to recover the information deleted.

I hope you read his opinion.


Rule #1 in forensics: take all the time you need to gather enough evidence; trying to judge in 5 min without enough info means 90% bad judgment.

Re: Copy disk with Disk2vhd for forensic analysis?

January 5th, 2019, 7:47

I would make a complete sector clone

Re: Copy disk with Disk2vhd for forensic analysis?

January 5th, 2019, 16:22

pcimage wrote: I would make a complete sector clone


Agree! I would do that too, using something like a hardware-based imager with a write blocker on the source drive.

If that is not available, use something like ddrescue or hddsuperclone to do a sector-by-sector copy of your original disk to a clone. Later you can do your forensic investigation on the clone... Unless you are law enforcement, etc., and you are restricted for legal reasons to specific solutions like EnCase...
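
The sector-by-sector copy suggested in the last reply, as an added example that is not part of any post in this thread: the source is hashed, copied, and the image hashed again, so a match shows the image (including the filesystem's stored access dates) is byte-identical to the source. It uses plain `dd` rather than the ddrescue or hddsuperclone tools named above; the function names `image_and_verify` and `verify_image` and all paths are hypothetical, and on a real case the source would be the block device behind a write blocker.

```shell
#!/bin/sh
# Added example: image a source, hash both sides, lock and record the image.
# Function names and paths are hypothetical; the demo "disk" is a constructed file.

sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# image_and_verify SRC IMG
#   Writes IMG and IMG.sha256, prints the hash; returns 0 only if hashes match.
image_and_verify() {
    local src="$1" img="$2" src_hash img_hash
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    if [ -e "$img" ]; then
        echo "refusing to overwrite $img" >&2
        return 2
    fi

    # Hash the source first; it is only ever opened for reading here.
    src_hash=$(sha256_of "$src") || return 2

    # Plain dd without conv=sync: zero-padding a short final block would make
    # the image differ from the source. For a disk with read errors, use a
    # recovery imager such as ddrescue instead, as the reply suggests.
    dd if="$src" of="$img" bs=1M status=none || return 2

    img_hash=$(sha256_of "$img") || return 2
    if [ "$src_hash" != "$img_hash" ]; then
        echo "MISMATCH: source $src_hash, image $img_hash" >&2
        return 1
    fi

    # Record the hash beside the image and drop write permission on the image.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img"
    echo "$img_hash"
}

# verify_image IMG: re-check the image against its recorded hash before analysis.
verify_image() {
    ( cd "$(dirname "$1")" && sha256sum --quiet -c "$(basename "$1").sha256" )
}

# Demo on a constructed 64 KiB file standing in for a disk: run with --demo.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); head -c 65536 /dev/zero > "$d/disk.raw"
    image_and_verify "$d/disk.raw" "$d/disk.img" && verify_image "$d/disk.img"
fi
```

Run `verify_image` again each time the image is opened in an analysis tool, so any later change to the copy is caught against the hash recorded at acquisition.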