Joined: Nov 01, 2005 Posts: 551 Location: Marion, Indiana, USA
Posted: Thu Sep 19, 2013 11:53 am Post subject:
Due to the way Windows works, you will have to use a hardware write blocker to make a forensically sound copy. Windows automatically mounts storage devices read/write, and as soon as it mounts one, changes are made. Therefore, you must use a hardware write blocker. As to copying, once you are using a write blocker to protect the evidence drive, you can use just about anything to copy and hash the file.
As far as the other response being removed, I would guess it was a link to an external site which isn't allowed.
Upcopy from Maresware (free) can do what you need (www dmares dot com).
FTK Imager from AccessData (free) can make forensic copies of the files and put them in a container file, and hash verify (www accessdata dot com).
X-Ways Forensics and EnCase (not free) can make forensic copies of the files, put them in a container file, and hash verify (x-ways dot net and guidancesoftware dot com).
If you only need to copy files and verify the hashes match, you don't need write protection. If you want a bit-for-bit copy of the drive or you want the most pristine copy of the files, then write protection may be in order.
You can boot the system to a forensic OS (Linux forensics or WinFE) and copy the file that way, as the drive would be write protected.
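The copy-and-hash-verify step the posts above describe, as an added Python example that is not from the thread or from any of the tools named in it. The `copy_and_verify` helper, the file names and the sample file are constructed for illustration; the code covers only copying and hashing, not write blocking.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large files never sit in memory


def sha256_file(path):
    """Hash a file by streaming it from disk."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def copy_and_verify(src, dst):
    """Copy src to dst, hashing the source bytes as they are read (one pass
    over the evidence file), then re-read the copy from disk and compare."""
    digest = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "xb") as fout:  # "x": never overwrite
        for block in iter(lambda: fin.read(CHUNK), b""):
            digest.update(block)
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())
    shutil.copystat(src, dst)  # carry over modified/accessed times where the OS allows
    src_hash, dst_hash = digest.hexdigest(), sha256_file(dst)
    return {"source": str(src), "copy": str(dst), "size": os.path.getsize(dst),
            "sha256_source": src_hash, "sha256_copy": dst_hash,
            "match": src_hash == dst_hash}


def demo():
    """Run against a constructed sample file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "evidence.bin"  # constructed sample, not real evidence
        src.write_bytes(b"constructed sample data\n" * 100_000)
        record = copy_and_verify(src, Path(tmp) / "evidence_copy.bin")
        # Alter one byte of the copy to show the hash comparison failing.
        with open(record["copy"], "r+b") as fh:
            fh.seek(10)
            fh.write(b"X")
        record["match_after_tamper"] = sha256_file(record["copy"]) == record["sha256_source"]
        return record


if __name__ == "__main__":
    print(demo())
```

Keeping the returned record (paths, size, both hashes) alongside the copy gives a later examiner something to re-verify against.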