Computer Forensics World :: View topic - Software / Target HD Question
Irishd08
Newbie

Joined: Feb 04, 2013
Posts: 4

Posted: Sat Feb 09, 2013 3:21 pm    Post subject: Software / Target HD Question

Hello everyone! If you took the time to read this thanks!

I'm very new to the computer forensic scene (hence the newbie question heh) so thanks for taking the time to read.

Generally speaking, my question revolves around the best software to use to transmit the data (bit-stream copy) to a larger target drive than the original. In this class I've been taking, the book states that the target hard drive of the forensic copy should be the same. However, I just kind of wanted to purchase a 4 TB drive or something similar to get some hands on experience. Does the target drive *have* to be the same size as the original?

If not, what software is the best for transferring data to a drive that's not the same size, OR if you have some experience in this and could chime in with any challenges you see. Or maybe everything works just fine!

We have labs, but it's not real, you know? I am willing to spend some $$ to get some real experience, but I would like to hear from some people who actually do this.

Thanks for any input!

v/r,

Dylan
PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Sun Feb 10, 2013 12:33 am    Post subject:

When you make a bit-for-bit copy of a drive you have to make it to a similar or larger size drive. Almost everyone I know images to a forensic container file such as the Expert Witness Format (often called E01), DD, or similar. Some of these files include compression so you can copy to a smaller drive.

The Forensic Wiki contains information on various tools for imaging. http://www.forensicswiki.org/wiki/Category:Disk_imaging

For a low cost solution check out Raptor Forensic. They have a free Live CD that can be used to mount a target drive in a forensically sound manner and image the disk. Not all Live CD forensic tools are forensically sound for disk imaging so read up before you dive in.

There are also other (free) live environments you can use to examine the image file once you have imaged the subject drive. These include SIFT, DEFT, lnx4n6, etc.
athulin
Newbie

Joined: Oct 19, 2007
Posts: 238

Posted: Sun Feb 10, 2013 4:38 am    Post subject: Re: Software / Target HD Question

Irishd08 wrote:
In this class I've been taking, the book states that the target hard drive of the forensic copy should be the same.


Perhaps you would cite your source? It could perhaps be that there is some context involved.

The only situation I can think of where it would matter is when you copy a CHS-addressed disk (with a live file and operating system) to another CHS-addressed disk, for the purpose of booting it. That could bring on problems if the two drives had different CHS parameters. (Modern disks don't do CHS, so the problem does not really exist anymore.)

Something similar can be seen if you use partitioning tools that assume CHS-restrictions: they will complain that the (copied) partition isn't aligned to cylinder (or track) boundaries.

But for forensic purposes, where you don't 'run' the copied data, and using modern forensic tools, I would not expect any problems.
Irishd08
Newbie

Joined: Feb 04, 2013
Posts: 4

Posted: Tue Feb 12, 2013 7:36 am    Post subject: Re: Software / Target HD Question

athulin wrote:
Irishd08 wrote:
In this class I've been taking, the book states that the target hard drive of the forensic copy should be the same.


Perhaps you would cite your source? It could perhaps be that there is some context involved.



Sure athulin, I would be happy to.

What I was concerned about and the reason I posed the question was when they stated, "To create an exact image of an evidence disk, copying the image to a target disk that's identical to the evidence disk is preferable. The target disk's manufacturer and model, in general, should be the same as the original disk's manufacturer and model" (Philips, Nelson, & Steuart, 2009).

When going through it in my head it makes total sense because the bit images would line up, but out in the real world, who in the heck would possess literally hundreds of hard drives to match? I mean, I guess you could if you had the budget! :) I thought there was a better solution and reading the replies, I understand it much better.

Thank you for the replies, it's greatly appreciated!

References:

Philips, A., Nelson, B., & Steuart, C. (2009). Guide to computer forensics and investigations (4th ed.). Boston, MA: Cengage Learning.

(APA - that's what we use at my school)
athulin
Newbie

Joined: Oct 19, 2007
Posts: 238

Posted: Wed Feb 13, 2013 2:13 am    Post subject: Re: Software / Target HD Question

Irishd08 wrote:
What I was concerned about and the reason I posed the question was when they stated, "To create an exact image of an evidence disk, copying the image to a target disk that's identical to the evidence disk is preferable. The target disk's manufacturer and model, in general, should be the same as the original disk's manufacturer and model" (Philips, Nelson, & Steuart, 2009).


It's on p. 47 in the 4th ed., and in my copy (which is 3rd edition) it's on p. 52. This is part of the 'Understanding Computer Investigations' chapter, and the section 'Conducting an Investigation', which is an overview of the area.

The main text covering acquisition is (at least in ed. 3) chapter 4, and particularly the subsection 'Determining the Best Acquisition Method' where there is, as far as I can see, no similar statement, only that disk-to-disk is an alternative.

But note that the book does not say 'must', only that it is 'preferable'. That could be for other reasons than purely technical -- the authors may, for example, have found that copies to identical disks leave less opportunity for a jury to get confused over.

You might call it to the authors' attention, and ask if there is any particular reason for the difference.
PreferredUser
Newbie

Joined: Jan 01, 2007
Posts: 1130
Location: USA

Posted: Wed Feb 13, 2013 3:49 am    Post subject:

To further what athulin wrote, (my reference is also the 3rd Edition page 52) the information in the "Understanding Bit-stream Copies" section:

Occasionally, the track and sector maps on the original and target disks don't match, even if you use disks of exactly the same size that are different makes or models. Tools such as Guidance EnCase, NTI SafeBack, and DataArrest Snap-Copy adjust for the target drive's geometry. Two other tools, X-Ways WinHex Specialist Edition and Technology Pathways ProDiscover, can copy sector by sector to equal-sized or larger disks without needing to force changes in the target disk's geometry.

I think a lot of this goes back to Digital Evidence and Computer Crime (2004) by Eoghan Casey and even File System Forensic Analysis (2003) by Brian Carrier.

Casey wrote in reference to a bitstream copy made using dd (page 295):
There are some nuances to copying a UNIX disk in this way that are worth mentioning. By default, dd assumes that each sector on a disk is 512 bytes. Copying large disks in 512 byte segments is inefficient and may cause confusion when copying tapes with interblock gaps. Also, when UNIX creates a file system on a disk, it takes into account disk geometry (recall cylinder/block groups). Therefore, if the two disks have even a slightly different geometry, a computer may not be able to find and boot the operating system from the new hard disk because it will be in a slightly different location on the disk. However, although the new disk will not be bootable, it will still be mountable and can be examined using another UNIX system.

I know that with some of the earlier hardware duplicators like the Logicube Forensic SF-5000u there were issues when trying to copy to a similar size disk by a different manufacturer as not all manufacturers report size the same way. If you used a disk from the same manufacturer either the same size or larger the duplicator worked fine. (If the drive was larger the Logicube "padded" the copy with zeros if I recall correctly).

If your "bit-stream copy" is an image file rather than a disk-to-disk bitstream copy there will not be any issues if copying to a larger disk (or network storage, etc).
All times are GMT + 10 Hours
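The disk-to-disk case discussed in this thread (a bit-stream copy onto a larger target) can be tried without spare drives. The script below is an added example, not part of any post above: it uses constructed files in place of disks, assumes GNU coreutils (`dd`, `sha256sum`), and shows that the copy is verified by hashing only the evidence-length prefix of the target, with the remainder wiped to zeros beforehand. The function and file names are made up for the illustration.

```shell
#!/usr/bin/env bash
# Added example. Files stand in for disks; on real hardware the evidence
# drive would sit behind a write blocker and the paths would be devices.
set -eu

size_of() { wc -c < "$1" | tr -d ' '; }

# SHA-256 of only the first <nbytes> of <path>.
sha_of_first() { head -c "$2" "$1" | sha256sum | cut -d' ' -f1; }

# Zero the whole target first so everything past the copy is known content.
wipe_target() {
    n=$(size_of "$1")
    head -c "$n" /dev/zero | dd of="$1" bs=65536 conv=notrunc 2>/dev/null
}

# Copy <source> onto the start of <target>, then compare hashes over the
# source's length only. Prints match, mismatch or target-too-small.
clone_and_verify() {
    src_size=$(size_of "$1"); dst_size=$(size_of "$2")
    if [ "$dst_size" -lt "$src_size" ]; then echo target-too-small; return 0; fi
    # conv=notrunc keeps the target's full length, as a real disk would.
    dd if="$1" of="$2" bs=65536 conv=notrunc 2>/dev/null
    if [ "$(sha_of_first "$1" "$src_size")" = "$(sha_of_first "$2" "$src_size")" ]
    then echo match; else echo mismatch; fi
}

# Succeeds when every byte of <target> past <offset> is zero.
tail_is_zero() {
    nonzero=$(tail -c +"$(( $2 + 1 ))" "$1" | tr -d '\0' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Constructed sample "disks": 1 MiB of evidence, 4 MiB previously used target.
work=$(mktemp -d)
head -c 1048576 /dev/urandom > "$work/evidence.dd"
head -c 4194304 /dev/urandom > "$work/target.dd"

wipe_target "$work/target.dd"
result=$(clone_and_verify "$work/evidence.dd" "$work/target.dd")
whole=$(sha_of_first "$work/target.dd" "$(size_of "$work/target.dd")")
echo "hash over evidence length: $result"
echo "whole-target hash (differs from the evidence hash): $whole"
```

Hashing the entire larger target never reproduces the evidence hash, so the length used for verification has to be recorded alongside the hash in the case notes.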