Computer Forensics World :: View topic - How to take image of Win XP/7 using open source tools
exus69
Newbie
Joined: Dec 30, 2011
Posts: 36

Posted: Tue Jan 10, 2012 9:50 pm    Post subject: How to take image of Win XP/7 using open source tools

Hi all,

How do I take an image of Win XP/7 using open source tools for forensic purposes?

Please help

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Jan 11, 2012 12:06 am

dd or some variant thereof.

binarybod
Newbie
Joined: Feb 22, 2010
Posts: 64
Location: Nottingham UK

Posted: Wed Jan 11, 2012 1:21 am

If you want '.E01' files then use ewfacquire, which is part of the libewf suite (look on SourceForge for libewf). It will work in both *nix and Windows.

It's not open source but it is free: AccessData FTK Imager (not to be confused with FTK) which you can get from the AccessData downloads page.

HTH

Paul

exus69
Newbie
Joined: Dec 30, 2011
Posts: 36

Posted: Wed Jan 11, 2012 1:08 pm

Hi PreferredUser,

Thanks for your input. I did some Googling for the "dd" forensic tool and came up with the forensicswiki link, which said the following:

Quote:
Although it is functional and requires only minimal resources to run, it lacks some of the useful features found in more modern imagers such as metadata gathering, error correction, piecewise hashing, and a user-friendly interface.

So I think I'll try FTK Imager (thanks binarybod).

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Jan 11, 2012 2:46 pm

OP said Open Source which is why I put dd or variants. If you read further in the Wiki: "There are a few forks of dd for forensic purposes including dcfldd, sdd, dd_rescue, ddrescue, dccidd, and a Microsoft Windows version that supports reading physical memory."

FTK Imager, while free, is not Open Source. IIRC from your other posts you are in school, I guess it depends on how much of a stickler your prof is in his/her assignments.
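The dd forks listed above exist mostly to add what plain dd lacks (error handling, hashing). The script below is an added example, not code from this thread or any of the tools named in it: it wraps dd with a verified whole-image hash and piecewise per-chunk hashes, images a constructed test file rather than a real device, and its function names and the shasum fallback are assumptions.

```shell
# Added example, not code from the thread: a dd-based acquisition that adds
# the two things the quoted wiki says plain dd lacks, a verified whole-image
# hash and piecewise (per-chunk) hashes. It images a constructed test FILE;
# a real acquisition would read a write-blocked device with bs=512.
set -eu

# sha256 of stdin; falls back to shasum where coreutils is absent (assumption)
sha256_of() {
  { command -v sha256sum >/dev/null && sha256sum || shasum -a 256; } | cut -d' ' -f1
}

# image_drive SRC IMG CHUNK LOG: copy SRC to IMG in CHUNK-byte reads.
# conv=noerror,sync keeps going past a read error and zero-fills that block so
# everything after it stays at its true offset (noerror alone would shift it).
# Caveat: sync also pads a final partial block, so SRC here is an exact
# multiple of CHUNK; with bs=512 on a real disk that always holds.
image_drive() {
  src=$1; img=$2; chunk=$3; log=$4
  dd if="$src" of="$img" bs="$chunk" conv=noerror,sync 2>/dev/null
  : > "$log"
  n=$(( $(wc -c < "$img") / chunk ))
  i=0
  while [ "$i" -lt "$n" ]; do
    h=$(dd if="$img" bs="$chunk" skip="$i" count=1 2>/dev/null | sha256_of)
    printf '%d %s\n' "$i" "$h" >> "$log"       # one piecewise hash per chunk
    i=$(( i + 1 ))
  done
  printf 'whole %s\n' "$(sha256_of < "$src")" >> "$log"   # hash of the SOURCE
}

# verify_image IMG LOG: 0 if IMG still hashes to the source hash recorded at
# acquisition time, 1 otherwise (the usual "does the image match the disk").
verify_image() {
  [ "$(sha256_of < "$1")" = "$(awk '$1 == "whole" { print $2 }' "$2")" ]
}

# changed_chunks IMG CHUNK LOG: print the index of every chunk whose current
# hash differs from the logged one. This is what piecewise hashing buys you:
# a mismatch is localised instead of just "the whole image is bad".
changed_chunks() {
  img=$1; chunk=$2; log=$3
  awk '$1 != "whole"' "$log" | while read -r i h; do
    cur=$(dd if="$img" bs="$chunk" skip="$i" count=1 2>/dev/null | sha256_of)
    [ "$cur" = "$h" ] || echo "$i"
  done
}
```

Run `image_drive /path/to/test.bin out.dd 4096 out.log` on a file whose size is a multiple of 4096, then `verify_image out.dd out.log` to confirm the copy and `changed_chunks out.dd 4096 out.log` to locate any later corruption.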

exus69
Newbie
Joined: Dec 30, 2011
Posts: 36

Posted: Wed Jan 11, 2012 4:27 pm

Hi PreferredUser,

I'm in my late twenties but as far as forensics is concerned I'm in kindergarten :)

And yes, thanks to you, I now know the difference between "free" and "open source". There's always something new to learn every day hmmm....

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Jan 11, 2012 10:45 pm

exus69 wrote:
And yes, thanks to you, I now know the difference between
"free" and "open source". There's always something new to
learn everyday hmmm....
Meh, never said you did not know the difference. Many things in CF are about exactness. When someone says Open Source instead of free there is usually a reason. Apparently that was not the case in your post.

exus69
Newbie
Joined: Dec 30, 2011
Posts: 36

Posted: Thu Apr 05, 2012 7:15 pm

As far as FTK Imager is concerned, I noticed that it needs to be installed on the system in order to take its forensic image, but the forensics rules say that minimum changes should be made to the system before taking its forensic image.

Keeping the above in mind, don't you think something like this is a better solution:

http://www.myfixlog.com/fix.php?fid=33

What say?

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Thu Apr 05, 2012 9:35 pm

FTK Imager is not installed on the subject computer, it is installed on the examiner machine. There is also a Lite version that can be run from a CD or USB.

exus69
Newbie
Joined: Dec 30, 2011
Posts: 36

Posted: Thu Apr 05, 2012 10:36 pm

PreferredUser wrote:
FTK Imager is not installed on the subject computer, it is installed on the examiner machine.

Examiner's machine? But if you want to take a forensic image of the victim's hard drive you will have to install it on the victim's machine as well, isn't it??

PreferredUser wrote:
There is also a Lite version that can be run from a CD or USB.

OK thanks, I read about it. But let's assume a scenario here: suppose I come across a Windows system which is not running and I am told that I have to take its image. So is starting Windows and then taking an image using FTK Lite a better option, or is booting Caine via CD/USB as mentioned in that link recommended??

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Thu Apr 05, 2012 11:26 pm

exus69 wrote:
Examiner's machine? But if you want to take a forensic image of the victim's hard drive you will have to install it on the victim's machine as well, isn't it??
No. You never install anything on the subject computer.

exus69 wrote:
OK thanks, I read about it. But let's assume a scenario here: suppose I come across a Windows system which is not running and I am told that I have to take its image. So is starting Windows and then taking an image using FTK Lite a better option, or is booting Caine via CD/USB as mentioned in that link recommended??
If the subject computer is off you do not turn it on.

As an examiner you always have to be mindful of Locard's Exchange Principle.

At this point I am really getting concerned. When you first started posting on this forum you were having problems with a fairly advanced memory forensics issue, yet now you are asking about imaging a subject computer, and imaging a subject computer is the most basic, beginner, fundamental task so if you are not familiar with that I am concerned what you are doing working in this field. So I really have to ask because again these things you are having problems with are really basic forensics, do you have any forensic training?

Hopefully you are not doing work in the field, because what we do typically has a serious effect on a person's life/livelihood/business/freedom and having an untrained, inexperienced person pretending to be an examiner is just a scary thought.

exus69
Newbie
Joined: Dec 30, 2011
Posts: 36

Posted: Fri Apr 06, 2012 1:10 am

PreferredUser wrote:
At this point I am really getting concerned. When you first started posting on this forum you were having problems with a fairly advanced memory forensics issue, yet now you are asking about imaging a subject computer, and imaging a subject computer is the most basic, beginner, fundamental task so if you are not familiar with that I am concerned what you are doing working in this field. So I really have to ask because again these things you are having problems with are really basic forensics, do you have any forensic training?

Hopefully you are not doing work in the field, because what we do typically has a serious effect on a person's life/livelihood/business/freedom and having an untrained, inexperienced person pretending to be an examiner is just a scary thought.


I'm in tech support and I get spare time during my work hours, so I'm trying to learn about forensics. Such forums and Google are my only tutors because I don't have money to spend on forensic training.


PreferredUser wrote:
If the subject computer is off you do not turn it on.


So, in this case, do you think the method posted in that link using Caine is a good option?

exus69
Newbie
Joined: Dec 30, 2011
Posts: 36

Posted: Thu Apr 12, 2012 11:20 am

Anyone ??

PreferredUser
Newbie
Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Thu Apr 12, 2012 1:12 pm

Never been a big fan of Ubuntu based forensic distros as they were (are?) not forensically sound.

So that example might be fine, however I have not tested it so I would not want to say one way or another. If you just want some kind of image to experiment with and are not concerned with it being forensically sound I am sure it is fine.

exus69
Newbie
Joined: Dec 30, 2011
Posts: 36

Posted: Thu Apr 19, 2012 11:04 pm

OK, let's see, I will give it a try since it's a test workstation. Thanks :)

All times are GMT + 10 Hours