
Copy disk with Disk2vhd for forensic analysis?

January 3rd, 2019, 14:48


I have a hard disk for which I need to analyze the dates of the last accesses, and since I do not have too much time now, I would like to take a backup and analyze this copy with Autopsy to obtain the corresponding details.

I am concerned that when making this copy of the information with Disk2vhd, the access dates will be altered in the copy at the destination and I can no longer accurately deduce this. To avoid this in the source drive, I have found how to disable automating in Windows 7 and mark the drive as read-only; the problem is in the destination drive, that Disk2vhd keeps the dates intact. I'm not sure about that. Have you tried it?

Nor am I sure if it is necessary to make a copy sector by sector if I do not need to analyze the sectors not assigned or try to recover the information deleted.

I hope you read his opinion.

Re: Copy disk with Disk2vhd for forensic analysis?

January 5th, 2019, 2:48

Mariner wrote: Hi!

I have a hard disk for which I need to analyze the dates of the last accesses, and since I do not have too much time now, I would like to take a backup and analyze this copy with Autopsy to obtain the corresponding details.

I am concerned that when making this copy of the information with Disk2vhd, the access dates will be altered in the copy at the destination and I can no longer accurately deduce this. To avoid this in the source drive, I have found how to disable automating in Windows 7 and mark the drive as read-only; the problem is in the destination drive, that Disk2vhd keeps the dates intact. I'm not sure about that. Have you tried it?

Nor am I sure if it is necessary to make a copy sector by sector if I do not need to analyze the sectors not assigned or try to recover the information deleted.

I hope you read his opinion.

Rule #1 in forensics: take all the time you need to gather enough evidence. Trying to judge in 5 min without enough info means 90% bad judgment.

Re: Copy disk with Disk2vhd for forensic analysis?

January 5th, 2019, 7:47

I would make a complete sector clone
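
An added example, not part of any post in this thread: a byte-for-byte copy verified by hash, showing that a timestamp recorded inside the copied data is unchanged even though the image file itself gets a new modification time on the destination. The 8 KiB "volume", the record at offset 4096 and the date are constructed for the demonstration and are not a real NTFS layout.

```python
import hashlib, os, struct, tempfile
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
CHUNK = 1 << 20

def to_filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            h.update(chunk)
    return h.hexdigest()

def image_copy(src, dst):
    """Byte-for-byte copy; the source is only ever opened for reading."""
    h = hashlib.sha256()
    with open(src, "rb") as s, open(dst, "wb") as d:
        while chunk := s.read(CHUNK):
            h.update(chunk)
            d.write(chunk)
    return h.hexdigest(), sha256_file(dst)  # (source hash, image hash)

def stored_access_time(path, offset):
    """Decode the FILETIME stored at `offset` inside the constructed volume."""
    with open(path, "rb") as f:
        f.seek(offset)
        (ticks,) = struct.unpack("<Q", f.read(8))
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def demo():
    last_access = datetime(2018, 12, 24, 9, 30, tzinfo=timezone.utc)  # constructed
    with tempfile.TemporaryDirectory() as tmp:
        vol, img = os.path.join(tmp, "vol.bin"), os.path.join(tmp, "vol.img")
        # Constructed stand-in for a volume: one timestamp record at offset 4096.
        with open(vol, "wb") as f:
            f.write(bytes(4096) + struct.pack("<Q", to_filetime(last_access)) + bytes(4088))
        os.utime(vol, (last_access.timestamp(),) * 2)  # backdate the container file
        src_hash, img_hash = image_copy(vol, img)
        return {
            "hashes_match": src_hash == img_hash,
            "time_in_image": stored_access_time(img, 4096),
            "expected": last_access,
            # The image file's own mtime is "now"; only its contents matter.
            "image_file_kept_mtime": os.path.getmtime(img) == os.path.getmtime(vol),
        }
```

Matching hashes are what establish that every timestamp recorded in the source is present unchanged in the image; the destination file's own dates say nothing about the evidence inside it.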