Basic forensic image for eDiscovery - Windows XP


Hagrid

New Member
Oct 15, 2008
18
0
#1
Hello - This is my first post, so hello to all... I have recently been asked to image a few Windows XP desktops and laptops for eDiscovery. I have looked at a few tools like Helix3 and the FAU toolkit (dd.exe). Of course, the one issue that I keep coming back to and for some reason cannot find a solution for, is that it would seem to me that I need to be able to boot the machine that I would like to image from a CD so that I can image the internal hard disk without it being the boot disk. Then I would like to connect an external USB-type hard disk to store/write the image. I cannot find a way to make a CD with all the tools that will boot the Windows computers.

Can anyone help to point me in the right direction? To me this would seem to be the way everyone would do this.

Thanks again...
 

Complete

Administrator
Aug 19, 2006
861
0
#2
I may not be following this correctly, but... did you read the Helix manual? Start at page 91 for a description of how Helix boots and how you can image the hard drive. The basics are this - put the Helix CD in the computer you want to image, start the machine to boot Helix, attach a USB drive, image the machine's hard drive to the USB drive. I think this is the process you described and are looking for. Helix contains all the tools you'll need to image the drive.

Oh, and another thing to think about is that you may want to have a professional conduct the imaging. Since E-Discovery generally involves some sort of litigation, lawyers like to jump on those who haven't been trained and aren't certified to conduct the imaging/exams. Don't paint yourself into a corner if you don't have to.
 

ecophobia

New Member
Oct 16, 2008
9
0
#3
There are heaps of tools that would acquire the image, but doing it without a good understanding of what you are actually doing is not a good idea, and Hagrid is 100% right about it. Just get someone qualified to help you with this task.
 

Hagrid

New Member
Oct 15, 2008
18
0
#4
Thanks for the comments.

I think that I asked my question in the wrong way. I was trying not to spend a lot of time telling everyone what I know.

What I should have asked, is for someone who does not want to remove the hard disk and use a write blocker while acquiring an image, what is one of the more common ways to create a Windows Boot CD with common utilities needed to use forensically sound means to image a computer.

For example, using BartPE Builder to create a boot cd including utilities such as dd or dcfldd?
 
Dec 31, 2006
3,405
0
#5
Hagrid said:
What I should have asked, is for someone who does not want to remove the hard disk and use a write blocker while acquiring an image, what is one of the more common ways to create a Windows Boot CD with common utilities needed to use forensically sound means to image a computer.
To my knowledge there is no way to create a forensically sound boot CD of Windows. That is not to say that you cannot use BartPE to make your own custom version of Windows that includes dd, just that you need write blockers when working with the Windows OS. Hence all the suggestions about Helix.
 

Hagrid

New Member
Oct 15, 2008
18
0
#6
I'm testing HELIX's Live Acquisition mode now. Is it safe to say that HELIX cannot or does not perform any "write blocking" when imaging in Live Acquisition mode?

And can I boot on HELIX to acquire an image and HELIX will use a software "write blocker"? Any clarification would help and I'm planning to read more about HELIX in the coming days.

Thanks again for your time.
 

dthstker

New Member
Aug 4, 2008
246
0
#7
You are correct. The live acquisition will not perform any write blocking, leaving the data vulnerable to contamination/corruption.

The Linux boot side of the Helix disk loads Linux and prevents the hard drives from being mounted. This prevents writes, protecting the data.

Don L.
 
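The thread settles on booting the Linux side of the Helix CD, leaving the internal disk unmounted, and imaging it with dd/dcfldd onto an external USB drive (posts #4 and #7). The script below is an added example, not code from the thread or from Helix, showing what that acquisition looks like as a checked procedure rather than a bare dd command: refuse a source the OS has mounted (the software equivalent of the write-blocker question in post #6), image it with dd, hash source and image, and keep a sidecar hash so the image can be re-verified later. The function names (acquire_image, verify_image, is_mounted, hash_file, make_sample_disk) and the sample "disk" file are assumptions for the example; on a real system the source would be a block device such as /dev/sda and the destination a file on the mounted USB drive.

```shell
#!/bin/sh
# Added example: minimal verifiable dd acquisition, as run from a Linux boot CD.
# Names and paths here are assumptions for illustration, not Helix's own tooling.
set -u

# SHA-256 of a file, using sha256sum (GNU) or shasum (BSD/macOS).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# True if the given path is a mounted device, a partition of that device
# (e.g. /dev/sda1 when asked about /dev/sda), or a mount point. A mounted
# filesystem can be written by the OS (journal replay, timestamps), which is
# exactly what a write blocker prevents, so a mounted source is refused.
is_mounted() {
    mount 2>/dev/null | awk -v t="$1" \
        'index($1, t) == 1 || $3 == t { found = 1 } END { exit !found }'
}

# acquire_image SRC DEST: image SRC to DEST, hash both sides, write DEST.sha256,
# and return 0 only if source and image hashes agree.
# Caveat: conv=sync pads a short final block with zeros, so SRC must be a
# whole block device or a file whose size is a multiple of bs, or the
# padding alone will make the two hashes differ.
acquire_image() {
    src=$1; dest=$2
    if is_mounted "$src"; then
        echo "refusing: $src is mounted; unmount it (or boot from CD) first" >&2
        return 2
    fi
    # conv=noerror,sync: continue past unreadable sectors and zero-fill them
    # so every offset in the image still lines up with the source.
    dd if="$src" of="$dest" bs=4096 conv=noerror,sync 2>/dev/null || return 3
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$dest")
    printf '%s  %s\n' "$img_hash" "$dest" > "$dest.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG: re-hash IMG and compare with the sidecar written at
# acquisition time (for later chain-of-custody checks).
verify_image() {
    img=$1
    expected=$(cut -d' ' -f1 "$img.sha256")
    [ "$(hash_file "$img")" = "$expected" ]
}

# make_sample_disk PATH: constructed 1 MiB stand-in for a disk (256 x 4096
# bytes, so the conv=sync caveat above does not apply). Test data only.
make_sample_disk() {
    yes 'constructed sample sector data' | head -c 1048576 > "$1"
}

# demo: acquire the constructed sample and verify it, in a temp directory.
demo() {
    work=$(mktemp -d)
    make_sample_disk "$work/source.img"
    if acquire_image "$work/source.img" "$work/evidence.dd"; then
        echo "acquired and hashed: $(cat "$work/evidence.dd.sha256")"
    else
        echo "acquisition failed or hashes differ" >&2
    fi
    verify_image "$work/evidence.dd" && echo "sidecar hash verified"
    rm -rf "$work"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh acquire.sh demo` to exercise the sample, or source it and call `acquire_image /dev/sda /mnt/evidence/sda.dd` from the booted CD. The is_mounted check is deliberately conservative: it also matches partitions of the source device, since imaging /dev/sda while /dev/sda1 is mounted is the same mistake.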
