[Webinar] Streamline your web hosting managementRegister Today

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 610
  • Last Modified:

Forensic Imaging Recomendation

I am looking for a recomendation for what I would need to take a forensic image of a computer that would back up the image of the computer on a given date (ex. if a person leaves the company) that would work on a variety of drive archetecture. i.e. laptop, desktop, RAID 0 configuration. Ideally it would back it up to a network server and would take less than a day for the entire backup. I am looking for lower end budget and probably not freeware and would work out of the box.
0
geriatricgeek
Asked:
geriatricgeek
  • 4
  • 2
  • 2
  • +3
10 Solutions
 
rgeersCommented:
0
 
rgeersCommented:
If you use the dd command under linux, you address the disk and create the image like

dd if=/dev/hda of=hda.img

Store on a network-server:

dd if=/dev/hda | ssh network-server dd of=/archive/hda.img

But Backtrack5 gives a number of other forensic option(for free).
0
 
akahanCommented:
If you plan to use the backup to actually PROVE something someday, you should not back up to a server, but to a DVD, or a set of DVD's, which you can then mark the date on with a Sharpie.

It will be MUCH easier and more direct to testify, "I backed the image up to a DVD, and put the DVD in a locked safe [or whatever] where it has sat until it was needed for this case, and this is my handwriting on the DVD, showing the date that I created it" than "I backed it up to a server, and.. uh, twelve people have access to the server and any one of those people might have tampered with the data since then and, er, I guess they could have changed the date stamp too, and um...well, I can't exactly be POSITIVE that it hasn't been changed since I did the backup," etc..

0
SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

 
rgeersCommented:
Akahan has a point, but there is not garanty that when this DVD is actually made, unless you define a manual routine to store this DVD. Then you are better off storing the md5 hash of the file, so you can store this on a mediun, or even mail i to a specific address, if you want to garanty the integrety of your archive.
0
 
akahanCommented:
Rgeers, understood:  But then you would have to get someone to explain md5 hashing to the judge or jury, and the other side will point out that it is POSSIBLE for two different files to have the same hash, etc., etc.  Everyone intuitively understands that if you burn a single-write DVD, it can't be changed afterwards, etc.  In other words: what will win, in the end, is what's easily explained and understood, not necessarily what's more technically sound.

But of course this isn't really what the OP was asking about....
0
 
rgeersCommented:
Do you know what chance it is to get the same hash for two different files? I think I can convince the judge and the jury. But as you said, this was not our task, Made it more interresting though :)
0
 
moorhouselondonCommented:
The easiest way is to take the hard drive out the pc, put it into an anti-static bag, then into a sealed envelope with a signature and date on it.

The following article gives a fair indication about the shortcomings of md5 with regard to collisions:-

http://en.wikipedia.org/wiki/MD5

I would imagine that defence could be blown out the water by providing an overall md5 fingerprint for the whole drive, then use a Hamming technique to produce hashes for sections of the drive.  The effort involved in engineering hash collisions in such an overlapping structure would be unthinkably complex today.
0
 
btanExec ConsultantCommented:
Key is that it must be able to perform the raw imaging like DD. Encase is well recognised but can be costly. Some other suggestion include

Acronis True Imager
@ http://www.acronis.com/homecomputing/products/trueimage/features.html

Active@Disk Image
http://disk-image.net/features.htm

ILook IXimager ( but would be available to govt grps if I read correctly)
@ http://www.ilook-forensics.org/iximager.html
0
 
noxchoGlobal Support CoordinatorCommented:
Paragon Drive Backup tools: www.drive-backup.com
Does not cost much but provides reliable backup solution.
0
 
noxchoGlobal Support CoordinatorCommented:
Paragon Drive Backup tools: www.drive-backup.com
Does not cost much but provides reliable backup solution.
0
 
geriatricgeekAuthor Commented:
thanks
0

Featured Post

Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

  • 4
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now