Solved

Forensic Imaging Recomendation

Posted on 2010-09-24
11
599 Views
Last Modified: 2013-12-01
I am looking for a recomendation for what I would need to take a forensic image of a computer that would back up the image of the computer on a given date (ex. if a person leaves the company) that would work on a variety of drive archetecture. i.e. laptop, desktop, RAID 0 configuration. Ideally it would back it up to a network server and would take less than a day for the entire backup. I am looking for lower end budget and probably not freeware and would work out of the box.
0
Comment
Question by:geriatricgeek
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +3
11 Comments
 
LVL 3

Accepted Solution

by:
rgeers earned 200 total points
ID: 33753844
0
 
LVL 3

Assisted Solution

by:rgeers
rgeers earned 200 total points
ID: 33753887
If you use the dd command under linux, you address the disk and create the image like

dd if=/dev/hda of=hda.img

Store on a network-server:

dd if=/dev/hda | ssh network-server dd of=/archive/hda.img

But Backtrack5 gives a number of other forensic option(for free).
0
 
LVL 26

Assisted Solution

by:akahan
akahan earned 100 total points
ID: 33754863
If you plan to use the backup to actually PROVE something someday, you should not back up to a server, but to a DVD, or a set of DVD's, which you can then mark the date on with a Sharpie.

It will be MUCH easier and more direct to testify, "I backed the image up to a DVD, and put the DVD in a locked safe [or whatever] where it has sat until it was needed for this case, and this is my handwriting on the DVD, showing the date that I created it" than "I backed it up to a server, and.. uh, twelve people have access to the server and any one of those people might have tampered with the data since then and, er, I guess they could have changed the date stamp too, and um...well, I can't exactly be POSITIVE that it hasn't been changed since I did the backup," etc..

0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 3

Assisted Solution

by:rgeers
rgeers earned 200 total points
ID: 33755111
Akahan has a point, but there is not garanty that when this DVD is actually made, unless you define a manual routine to store this DVD. Then you are better off storing the md5 hash of the file, so you can store this on a mediun, or even mail i to a specific address, if you want to garanty the integrety of your archive.
0
 
LVL 26

Assisted Solution

by:akahan
akahan earned 100 total points
ID: 33755231
Rgeers, understood:  But then you would have to get someone to explain md5 hashing to the judge or jury, and the other side will point out that it is POSSIBLE for two different files to have the same hash, etc., etc.  Everyone intuitively understands that if you burn a single-write DVD, it can't be changed afterwards, etc.  In other words: what will win, in the end, is what's easily explained and understood, not necessarily what's more technically sound.

But of course this isn't really what the OP was asking about....
0
 
LVL 3

Assisted Solution

by:rgeers
rgeers earned 200 total points
ID: 33755295
Do you know what chance it is to get the same hash for two different files? I think I can convince the judge and the jury. But as you said, this was not our task, Made it more interresting though :)
0
 
LVL 31

Assisted Solution

by:moorhouselondon
moorhouselondon earned 50 total points
ID: 33756834
The easiest way is to take the hard drive out the pc, put it into an anti-static bag, then into a sealed envelope with a signature and date on it.

The following article gives a fair indication about the shortcomings of md5 with regard to collisions:-

http://en.wikipedia.org/wiki/MD5

I would imagine that defence could be blown out the water by providing an overall md5 fingerprint for the whole drive, then use a Hamming technique to produce hashes for sections of the drive.  The effort involved in engineering hash collisions in such an overlapping structure would be unthinkably complex today.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 50 total points
ID: 33759537
Key is that it must be able to perform the raw imaging like DD. Encase is well recognised but can be costly. Some other suggestion include

Acronis True Imager
@ http://www.acronis.com/homecomputing/products/trueimage/features.html

Active@Disk Image
http://disk-image.net/features.htm

ILook IXimager ( but would be available to govt grps if I read correctly)
@ http://www.ilook-forensics.org/iximager.html
0
 
LVL 47

Assisted Solution

by:noxcho
noxcho earned 100 total points
ID: 33778185
Paragon Drive Backup tools: www.drive-backup.com
Does not cost much but provides reliable backup solution.
0
 
LVL 47

Assisted Solution

by:noxcho
noxcho earned 100 total points
ID: 33778372
Paragon Drive Backup tools: www.drive-backup.com
Does not cost much but provides reliable backup solution.
0
 
LVL 1

Author Closing Comment

by:geriatricgeek
ID: 33925670
thanks
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Delta outage: 650 cancelled flights, more than 1200 delayed flights, thousands of frustrated customers, tens of millions of dollars in damages – plus untold reputational damage to one of the world’s most trusted airlines. All due to a catastroph…
In this article I discuss my selections of the Top Four free Outlook OST File Viewers available. Open, view and read even damaged OST files by using these tools. They all provide a clear preview of all data such as emails, notes, tasks, calendars, e…
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question