Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Forensic Imaging Recomendation

Posted on 2010-09-24
11
Medium Priority
?
604 Views
Last Modified: 2013-12-01
I am looking for a recomendation for what I would need to take a forensic image of a computer that would back up the image of the computer on a given date (ex. if a person leaves the company) that would work on a variety of drive archetecture. i.e. laptop, desktop, RAID 0 configuration. Ideally it would back it up to a network server and would take less than a day for the entire backup. I am looking for lower end budget and probably not freeware and would work out of the box.
0
Comment
Question by:geriatricgeek
  • 4
  • 2
  • 2
  • +3
11 Comments
 
LVL 3

Accepted Solution

by:
rgeers earned 800 total points
ID: 33753844
0
 
LVL 3

Assisted Solution

by:rgeers
rgeers earned 800 total points
ID: 33753887
If you use the dd command under linux, you address the disk and create the image like

dd if=/dev/hda of=hda.img

Store on a network-server:

dd if=/dev/hda | ssh network-server dd of=/archive/hda.img

But Backtrack5 gives a number of other forensic option(for free).
0
 
LVL 26

Assisted Solution

by:akahan
akahan earned 400 total points
ID: 33754863
If you plan to use the backup to actually PROVE something someday, you should not back up to a server, but to a DVD, or a set of DVD's, which you can then mark the date on with a Sharpie.

It will be MUCH easier and more direct to testify, "I backed the image up to a DVD, and put the DVD in a locked safe [or whatever] where it has sat until it was needed for this case, and this is my handwriting on the DVD, showing the date that I created it" than "I backed it up to a server, and.. uh, twelve people have access to the server and any one of those people might have tampered with the data since then and, er, I guess they could have changed the date stamp too, and um...well, I can't exactly be POSITIVE that it hasn't been changed since I did the backup," etc..

0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 3

Assisted Solution

by:rgeers
rgeers earned 800 total points
ID: 33755111
Akahan has a point, but there is not garanty that when this DVD is actually made, unless you define a manual routine to store this DVD. Then you are better off storing the md5 hash of the file, so you can store this on a mediun, or even mail i to a specific address, if you want to garanty the integrety of your archive.
0
 
LVL 26

Assisted Solution

by:akahan
akahan earned 400 total points
ID: 33755231
Rgeers, understood:  But then you would have to get someone to explain md5 hashing to the judge or jury, and the other side will point out that it is POSSIBLE for two different files to have the same hash, etc., etc.  Everyone intuitively understands that if you burn a single-write DVD, it can't be changed afterwards, etc.  In other words: what will win, in the end, is what's easily explained and understood, not necessarily what's more technically sound.

But of course this isn't really what the OP was asking about....
0
 
LVL 3

Assisted Solution

by:rgeers
rgeers earned 800 total points
ID: 33755295
Do you know what chance it is to get the same hash for two different files? I think I can convince the judge and the jury. But as you said, this was not our task, Made it more interresting though :)
0
 
LVL 31

Assisted Solution

by:moorhouselondon
moorhouselondon earned 200 total points
ID: 33756834
The easiest way is to take the hard drive out the pc, put it into an anti-static bag, then into a sealed envelope with a signature and date on it.

The following article gives a fair indication about the shortcomings of md5 with regard to collisions:-

http://en.wikipedia.org/wiki/MD5

I would imagine that defence could be blown out the water by providing an overall md5 fingerprint for the whole drive, then use a Hamming technique to produce hashes for sections of the drive.  The effort involved in engineering hash collisions in such an overlapping structure would be unthinkably complex today.
0
 
LVL 65

Assisted Solution

by:btan
btan earned 200 total points
ID: 33759537
Key is that it must be able to perform the raw imaging like DD. Encase is well recognised but can be costly. Some other suggestion include

Acronis True Imager
@ http://www.acronis.com/homecomputing/products/trueimage/features.html

Active@Disk Image
http://disk-image.net/features.htm

ILook IXimager ( but would be available to govt grps if I read correctly)
@ http://www.ilook-forensics.org/iximager.html
0
 
LVL 47

Assisted Solution

by:noxcho
noxcho earned 400 total points
ID: 33778185
Paragon Drive Backup tools: www.drive-backup.com
Does not cost much but provides reliable backup solution.
0
 
LVL 47

Assisted Solution

by:noxcho
noxcho earned 400 total points
ID: 33778372
Paragon Drive Backup tools: www.drive-backup.com
Does not cost much but provides reliable backup solution.
0
 
LVL 1

Author Closing Comment

by:geriatricgeek
ID: 33925670
thanks
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It all started with a phone call.  The then acting director of the Office of Research Computing, called to ask me to remotely shutdown my computer, it was Yom Kippur, Wednesday October 12, 2016.
Web hosting control panels were first developed to make it faster and easier for most users to set up and operate websites. The graphical user interface (GUI) allows users to perform tasks by pointing and clicking rather than typing highly specific…
The viewer will learn how to successfully download and install the SARDU utility on Windows 8, without downloading adware.
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question