ScotchBroth
New member
Oh, and Paladin is free.
Good Software or Hardware Tool For Field Acquisition
- Thread starter Jared
- Start date
lcoughey
Moderator
So, you are using DDI FE to make an image file, right? They tweak the NTFS file system so that it mounts in Windows as read only, as per the request of many forensic clients. I've found that this "tweak" doesn't play nice with Windows 10 (and possibly 8), but can be undone by run a quick scandisk using windows 7.ScotchBroth":32ufbefb said:
ScotchBroth
New member
Yes, making a bin image with DDI FE. When I plug the drive in, it can't see the bin file at all. I have to look at it with r-studio or something like it so get the image out usually.
[glow=red]Moderator note:[/glow] If you can't read the thread to see that this is a discussion between data recovery professionals talking about forensic imaging I have no choice but to assume you're just here to SPAM software. Data recovery software developers are more than welcome to discuss their products here, but not to pretend to be end users plugging their programs on unrelated threads.
As an intermediate backup/restore person, as a beginner data recovery [first response level] person, I am interested in learning more about forensic imaging. Obviously FI is different, more complicated, than full imaging with Macrium Reflect or Imaging for Windows, correct? I'd like to learn more from the experiences of others.
When it comes to imaging there are some real differences between data recovery and forensics. In data recovery the goal is always to read out as many sectors as possible from media which is often failing. Even if the hardware is perfectly fine, an image or clone is usually still created to have a backup copy should anything go wrong during the process.
In forensics, you always have to assume that the case might go to court. This means that you'll need to be able to prove that the copy is authentic and hasn't been tampered with. You'll also need to document your exact process so that if your results are questioned another forensics investigator can replicate your same results. So for example when imaging a hard drive, it's usually standard practice to create two copies simoltaneously and to generate checksums for the images. The imaging is logged by the software and checksums recorded in the logs. Then one copy goes with the investigator who's going to analyze the data, the other usually goes to a safe location such as a safe box and is kept inaccessable to the forensics investigator. If anyone questions the evidence found on the drive and insinuates it was put there by the investigator it can easily be proven that it wasn't by comparing the checksum of the data and/or comparing the second copy.
In forensics, you always have to assume that the case might go to court. This means that you'll need to be able to prove that the copy is authentic and hasn't been tampered with. You'll also need to document your exact process so that if your results are questioned another forensics investigator can replicate your same results. So for example when imaging a hard drive, it's usually standard practice to create two copies simoltaneously and to generate checksums for the images. The imaging is logged by the software and checksums recorded in the logs. Then one copy goes with the investigator who's going to analyze the data, the other usually goes to a safe location such as a safe box and is kept inaccessable to the forensics investigator. If anyone questions the evidence found on the drive and insinuates it was put there by the investigator it can easily be proven that it wasn't by comparing the checksum of the data and/or comparing the second copy.