Solved

Forensic Imaging Recomendation

Posted on 2010-09-24
11
597 Views
Last Modified: 2013-12-01
I am looking for a recomendation for what I would need to take a forensic image of a computer that would back up the image of the computer on a given date (ex. if a person leaves the company) that would work on a variety of drive archetecture. i.e. laptop, desktop, RAID 0 configuration. Ideally it would back it up to a network server and would take less than a day for the entire backup. I am looking for lower end budget and probably not freeware and would work out of the box.
0
Comment
Question by:geriatricgeek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +3
11 Comments
 
LVL 3

Accepted Solution

by:
rgeers earned 200 total points
ID: 33753844
0
 
LVL 3

Assisted Solution

by:rgeers
rgeers earned 200 total points
ID: 33753887
If you use the dd command under linux, you address the disk and create the image like

dd if=/dev/hda of=hda.img

Store on a network-server:

dd if=/dev/hda | ssh network-server dd of=/archive/hda.img

But Backtrack5 gives a number of other forensic option(for free).
0
 
LVL 26

Assisted Solution

by:akahan
akahan earned 100 total points
ID: 33754863
If you plan to use the backup to actually PROVE something someday, you should not back up to a server, but to a DVD, or a set of DVD's, which you can then mark the date on with a Sharpie.

It will be MUCH easier and more direct to testify, "I backed the image up to a DVD, and put the DVD in a locked safe [or whatever] where it has sat until it was needed for this case, and this is my handwriting on the DVD, showing the date that I created it" than "I backed it up to a server, and.. uh, twelve people have access to the server and any one of those people might have tampered with the data since then and, er, I guess they could have changed the date stamp too, and um...well, I can't exactly be POSITIVE that it hasn't been changed since I did the backup," etc..

0
How Do You Stack Up Against Your Peers?

With today’s modern enterprise so dependent on digital infrastructures, the impact of major incidents has increased dramatically. Grab the report now to gain insight into how your organization ranks against your peers and learn best-in-class strategies to resolve incidents.

 
LVL 3

Assisted Solution

by:rgeers
rgeers earned 200 total points
ID: 33755111
Akahan has a point, but there is not garanty that when this DVD is actually made, unless you define a manual routine to store this DVD. Then you are better off storing the md5 hash of the file, so you can store this on a mediun, or even mail i to a specific address, if you want to garanty the integrety of your archive.
0
 
LVL 26

Assisted Solution

by:akahan
akahan earned 100 total points
ID: 33755231
Rgeers, understood:  But then you would have to get someone to explain md5 hashing to the judge or jury, and the other side will point out that it is POSSIBLE for two different files to have the same hash, etc., etc.  Everyone intuitively understands that if you burn a single-write DVD, it can't be changed afterwards, etc.  In other words: what will win, in the end, is what's easily explained and understood, not necessarily what's more technically sound.

But of course this isn't really what the OP was asking about....
0
 
LVL 3

Assisted Solution

by:rgeers
rgeers earned 200 total points
ID: 33755295
Do you know what chance it is to get the same hash for two different files? I think I can convince the judge and the jury. But as you said, this was not our task, Made it more interresting though :)
0
 
LVL 31

Assisted Solution

by:moorhouselondon
moorhouselondon earned 50 total points
ID: 33756834
The easiest way is to take the hard drive out the pc, put it into an anti-static bag, then into a sealed envelope with a signature and date on it.

The following article gives a fair indication about the shortcomings of md5 with regard to collisions:-

http://en.wikipedia.org/wiki/MD5

I would imagine that defence could be blown out the water by providing an overall md5 fingerprint for the whole drive, then use a Hamming technique to produce hashes for sections of the drive.  The effort involved in engineering hash collisions in such an overlapping structure would be unthinkably complex today.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 50 total points
ID: 33759537
Key is that it must be able to perform the raw imaging like DD. Encase is well recognised but can be costly. Some other suggestion include

Acronis True Imager
@ http://www.acronis.com/homecomputing/products/trueimage/features.html

Active@Disk Image
http://disk-image.net/features.htm

ILook IXimager ( but would be available to govt grps if I read correctly)
@ http://www.ilook-forensics.org/iximager.html
0
 
LVL 47

Assisted Solution

by:noxcho
noxcho earned 100 total points
ID: 33778185
Paragon Drive Backup tools: www.drive-backup.com
Does not cost much but provides reliable backup solution.
0
 
LVL 47

Assisted Solution

by:noxcho
noxcho earned 100 total points
ID: 33778372
Paragon Drive Backup tools: www.drive-backup.com
Does not cost much but provides reliable backup solution.
0
 
LVL 1

Author Closing Comment

by:geriatricgeek
ID: 33925670
thanks
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

In this article, you will read about the trends across the human resources departments for the upcoming year. Some of them include improving employee experience, adopting new technologies, using HR software to its full extent, and integrating artifi…
Microsoft will be releasing the Windows 10 Creators Update in just a matter of weeks. Are you prepared? Follow these steps to ensure everything goes smoothly and you don't lose valuable data on your PC.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
XMind Plus helps organize all details/aspects of any project from large to small in an orderly and concise manner. If you are working on a complex project, use this micro tutorial to show you how to make a basic flow chart. The software is free when…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question