Data Forensics Engineering

Imaging


The critical issues in imaging are documentation, never changing the evidence, and the ability to image all of the sectors on a hard drive. I will address best practices for each item.

Documentation

Record the serial number, model number, part number, LBA/CHS geometry, size and manufacturer; the more information the better. Mark the drive with your initials and the date, and photocopy the drive label information.

Identify the physical drive's serial number, size and any HPA (Host Protected Area) using software and hardware tools.

This step is the most critical and can be accomplished with two different methodologies.

DOS Methodology

    1. Boot the system into a trusted, neutered DOS, making sure the first boot device is the floppy. This can be done on a forensic workstation or on the suspect's PC.

    2. Using Mark Menz's Drive ID, verify the drive information, including whether it has an HPA. Replica from Xways.com will also verify the HPA. The drive must be on the primary or secondary controller of the forensic computer. If the drive has an HPA, you will have to disable the HPA and image the drive using the DOS version of EnCase. Replica will also image the drive in DOS and capture the HPA.

Note to Linux users:

I have not tried every version of Linux, but out of the box Fedora Core 4 supports neither HPA nor NTFS. You have to compile a new kernel with Set_max and NTFS support, and then you can image the complete drive with AIR or dd. The same goes for SMART.
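Once the kernel can see past the HPA, the Linux path above (document the drive, confirm no sectors are hidden, then image with dd) can be scripted so that every step lands in the case log. The following is an added example, not from the original page or from any of the tools it names; it assumes a POSIX shell with hdparm, blockdev, dd and sha256sum available, uses the placeholder device path /dev/sdX, and parses `hdparm -N` output in its "max sectors = visible/native, HPA is enabled|disabled" form.

```shell
#!/bin/sh
# Added example, not from the original page: document a drive, detect an HPA from
# `hdparm -N` output, and image with dd while verifying the image hash.
# Assumes Linux with hdparm, blockdev, dd and sha256sum; /dev/sdX is a placeholder.

# Parse one line of `hdparm -N /dev/sdX` output, e.g.
#   " max sectors   = 200000000/234441648, HPA is enabled"
# (visible/native). Prints the number of sectors the HPA hides (0 = none).
hpa_hidden_sectors() {
    visible=$(printf '%s\n' "$1" | sed -n 's|.*max sectors *= *\([0-9]*\)/\([0-9]*\).*|\1|p')
    native=$(printf '%s\n' "$1" | sed -n 's|.*max sectors *= *\([0-9]*\)/\([0-9]*\).*|\2|p')
    [ -n "$visible" ] && [ -n "$native" ] || return 2   # not an hdparm -N line
    echo $((native - visible))
}

# Append identifying information to the case log using read-only queries only;
# nothing here writes to the evidence drive.
document_drive() {
    dev="$1"; log="$2"
    {
        echo "=== $(date -u +%Y-%m-%dT%H:%M:%SZ) drive documentation for $dev ==="
        hdparm -I "$dev" 2>/dev/null | grep -E 'Model Number|Serial Number|Firmware Revision'
        echo "sectors visible to the kernel: $(blockdev --getsz "$dev")"
        n=$(hdparm -N "$dev" 2>/dev/null | grep 'max sectors')
        echo "$n"
        echo "sectors hidden by HPA: $(hpa_hidden_sectors "$n")"
    } >> "$log"
}

# Image src (a device or file) to dest, continuing past unreadable sectors, then
# verify that dest hashes identically to src. bs=512 so that conv=sync pads only
# unreadable sectors, not the tail of the image. Prints the SHA-256 on success.
image_and_verify() {
    src="$1"; dest="$2"
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>"$dest.dd.log" || return 1
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dest" | cut -d' ' -f1)
    [ "$src_hash" = "$dst_hash" ] || return 1
    echo "$src_hash"
}

# Typical use, with the drive behind a write blocker (device path is a placeholder):
#   document_drive /dev/sdX /case/drive.log
#   image_and_verify /dev/sdX /case/drive.dd >> /case/drive.log
```

If `sectors hidden by HPA` is non-zero in the log, the visible region is not the whole drive, and the image taken before the HPA is removed will not contain those sectors.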

GUI Imaging

1. Connect Mark Menz's FPU NoWrite to the FireWire and USB connectors of your laptop and to the hard drive (PATA or SATA). Boot your system with confidence that the drive is write protected. I have tested many FireWire and USB write-block devices and none of them will allow access to the whole drive; Mark Menz's FPU NoWrite does, so you can identify the HPA and all of the SMART information, which could be critical to the investigation.

2. Using the FPU NoWrite utility, record and identify the drive's information. If it has an HPA, disable it and image using EnCase, FTK Imager or ProDiscover in the GUI.

I have used this on my Guardian portable workstation and on an IBM ThinkPad using my expansion chassis with 800 GB of storage.


Send mail to info@dataforensicsengineering.com with questions or comments about this web site.
Copyright © 2005 Data Forensics Engineering
Last modified: December 11, 2005