51 Replies
I don't see why a raw copy tool like this or others would need to write to the source drive. It only reads the source and writes to the destination, as far as I know. I could be wrong though.
I bet this will get added into the slideshow soon.
Keyphrase is "forensic clone". Aside from the forensic linux distros mentioned in your other thread, check—
CRU's product line has the aforementioned write block devices desired.
I'm with you on this one but in another thread someone freaked me out by telling me I should make sure the solution had "write protection".
When you are considering making an image for any forensic-related work, consider write blockers before proceeding further with software-related tools like "HDDRawCopy".
One tool that has automatic write blocking to disk and which works in DOS is "Media Tools Pro", which can try a number of times for bad blocks and do reverse imaging.
http://www.osforensics.com/tools/create-disk-images.html
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system. In addition to raw disk images, OSFClone also supports imaging drives to the open Advance Forensics Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.
OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard disk. Boot into OSFClone and create disk clones of FAT, NTFS and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.
OSFClone can create disk images in the dc3dd format. The dc3dd format is ideal for computer forensics due to its increased level of reporting for progress and errors, and ability to hash files on-the-fly.
Verify that a disk clone is identical to the source drive, by using OSFClone to compare the MD5 or SHA1 hash between the clone and the source drive. After image creation, you can choose from a range of compression options to reduce the size of the newly created image, increasing portability and saving disk space.
Use OSFClone to save forensic meta-data (such as case number, evidence number, examiner name, description and checksum) for cloned or created images.
http://www.datadev.com/hard-drive-forensics-eraser-data-security-erase-overwrite-data-recovery-lab-p...
Available on GSA Contract GS-02F-0111P
Price $1,999.00 Delivered
The PSIClone™ Hard Drive Cloning & Imaging Tool is a hand-held data recovery lab that clones, images, erases and verifies computer hard drives.
The PSIClone™ is the product of 27 years of expertise in the data recovery field by a team of engineers who specialize in including ‘unrecoverable’ data recovery hardware and software solutions. Designed by the best data recovery engineers in the business, the PSIClone is the device chosen by forensic investigators to reconstruct "unrecoverable" data.
Clonezilla is your friend.
LOL.. The IT world, where paranoia rules
Someone above mentioned clonezilla only gets used space. I would need to confirm that so can't answer your question fully.
Does it provide write protection? - No cloning software will mess with the original disk.
Website posts:
I can feel my spice meter going up, someone mark me down for best answer dang it!
I wouldn't use clonezilla for forensics, it's not designed for it.
OSFclone looks like a good bet
Thanks for all the replies. After the information you posted on it I agree with you. Looking into it more now. I'll let you know how it goes.
If you check the Symantec website you can probably get a 30 day trial of Ghost. I know they do that with Backup Exec.
"Boot into OSFClone and create disk clones of FAT, NTFS and USB-connected drives! "
From a forensic point of view you're missing a large portion of the IT world. No Linux servers in your shop?
Norton Ghost will do it bit-for-bit. I've cloned many HDDs successfully with it. AND you can use it for free with Hiren's boot disc. Be aware, some (not me, I could care less) consider Hiren's "warez," thus possibly unscrupulous. But if you're not a fearful sheep, proceed.
To answer one of the questions that I saw: no, Clonezilla does not use dd first. If my memory is correct, it will only use dd as one of the last methods, as it's slow and Clonezilla is targeted towards speed over forensics.
Many / most / all of the options proposed appear to do what you're looking for. The key thing is to ensure that you're mounting the source file-system as read only and that you're using a "dumb" cloning backend like DD (one that does raw copying without attempting to save space / speed up the process).
Good luck
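The two checks raised in this thread (a raw, read-only copy and a hash comparison between source and clone) can be sketched as one shell function. This is an added example, not code from any poster or from OSFClone; the name `image_and_verify` is hypothetical, and it assumes GNU coreutils (`dd`, `sha1sum`) and util-linux `blockdev`.

```shell
#!/usr/bin/env bash
# Added example: raw-image a source, then prove (a) the image matches the
# source and (b) the source did not change while it was being read.
# Usage: image_and_verify SOURCE IMAGE   (prints the SHA1 on success)
image_and_verify() {
    local src=$1 dst=$2 before image after

    if [ ! -r "$src" ]; then
        echo "cannot read source: $src" >&2; return 2
    fi
    # Never write over an existing file: a typo must not destroy evidence.
    if [ -e "$dst" ]; then
        echo "refusing to overwrite: $dst" >&2; return 2
    fi

    # On a real block device, have the kernel reject writes (needs root).
    # This is a software control; a hardware write blocker is stronger.
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 3
    fi

    # Hash the source before touching anything else.
    before=$(sha1sum < "$src" | cut -d' ' -f1)

    # "Dumb" raw copy: every byte, used or unused, with no filesystem
    # awareness. dd exits non-zero on a read error, which aborts the run.
    dd if="$src" of="$dst" bs=65536 2>/dev/null || return 4

    image=$(sha1sum < "$dst" | cut -d' ' -f1)
    after=$(sha1sum < "$src" | cut -d' ' -f1)

    if [ "$before" != "$after" ]; then
        echo "source changed during imaging" >&2; return 5
    fi
    if [ "$before" != "$image" ]; then
        echo "image does not match source" >&2; return 6
    fi

    chmod a-w "$dst"      # mark the finished image read-only
    echo "$before"        # record this value in the case notes
}

# Run directly as: ./image.sh /dev/sdX evidence.dd  (paths are the caller's)
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

A stronger digest tool such as `sha256sum` can replace `sha1sum` without other changes.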
Just to let everyone know, I decided to use OSFClone.
Brand Representative for StorageCraft
Michael,
Glad you found a solution (and a "best answer"). I just wanted to mention that you can do a hot image of a system using ShadowProtect IT Edition on a USB key. This solution has more functionality than you need (e.g. advanced partition utilities, hardware independent restore, VirtualBoot, etc.) but it does make for an awesome tool for any IT Pro's key chain.
Cheers!