  1. #1
    4 Star Lounger
    Join Date
    Jan 2001
    Location
    Tacoma, Washington, USA
    Posts
    431
    Thanks
    0
    Thanked 3 Times in 3 Posts
    I need to make a complete copy of a hard drive for the purpose of preserving evidence. We're not asked to produce it right now, but there's the potential we may need to produce it. I'm looking for what would be the fastest, least expensive method to get that duplicated.

    It's a 2001 Gateway computer running Windows XP Home. The hard drive is 75GB with just under 30GB used. I can't install anything on this computer's hard drive so whatever I do it can't disturb the hard drive.

    I have a 32GB flash drive. Can that be used somehow? If so what software will I need to buy? Just be aware that I can't install it on the computer with the hard drive to be copied.

    I have one day to come up with the solution, but I think I can ask for a second day if I need it.

    Have I bitten off more than I can chew?
    Daisy

  2. #2
    Plutonium Lounger Leif's Avatar
    Join Date
    Dec 2000
    Location
    U.K.
    Posts
    14,010
    Thanks
    0
    Thanked 0 Times in 0 Posts
    [quote name='ailios' post='789822' date='19-Aug-2009 21:25']I need to make a complete copy of a hard drive...[/quote]
    Is this the root drive of the pc, i.e. with all the operating system files on it?
    If so, do you need to capture that, as well as things like the registry, as well?

    If it is a 'second' drive with just data on it, you could probably get away with a direct copy. If it is the root drive, I suspect you will need some dedicated software to clone it.

    BTW, I wouldn't consider a flash drive to be in any way reliable as far as preserving evidence is concerned. You may find a cheap USB backup drive with built-in backup software the cheapest and easiest option. You'd be able to re-use it in the future for other purposes too.

  3. #3
    4 Star Lounger
    Join Date
    Jan 2001
    Location
    Tacoma, Washington, USA
    Posts
    431
    Thanks
    0
    Thanked 3 Times in 3 Posts
    It is the root drive and I do need to preserve it all. I have my doubts about the USB drive when I was at the store during lunch but, darn, they had a great sale. . . I'm gonna head back now to get what I originally went for - a hard drive and external USB drive enclosure.

    I found a link to something called FTK Imager Lite which sounds promising. Have you heard of it? I've downloaded it to poke at when I get back.
    Daisy

  4. #4
    Plutonium Lounger
    Join Date
    Nov 2001
    Posts
    10,550
    Thanks
    0
    Thanked 7 Times in 7 Posts
    This is only a very brief outline of what you need to do. If this is evidence of any real significance then it may be better to pay an expert to do the job for you. You may want to search the Internet for forensic copy of hard drive and read some of the articles you find.
    1. If the computer is currently shut down then DO NOT start it up
    2. If the computer is currently running then POWER IT OFF without running shutdown
    3. Take out the disk drive
    4. Buy another hard disk of the same size as the one you need to copy
    5. Find another computer that is able to physically connect both of the disk drives
    6. Install software capable of doing a SECTOR by SECTOR copy, that will copy all the unused space on the disk as well as the files
      • For example Acronis True Image
    7. Connect both disk drives to the computer where you just installed the copy software
    8. Make a sector by sector copy of the disk drive
      • BE VERY CAREFUL that you copy in the correct direction and that this is a sector copy and not a file copy or a normal image copy
    9. Shut down the system and remove the disk drives again
    10. Seal the copy in a container and sign your name and the date across the seal then store it somewhere that you can be sure it won't be tampered with

  5. #5
    Uranium Lounger viking33's Avatar
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post
    [quote name='ailios' post='789830' date='19-Aug-2009 16:58']It is the root drive and I do need to preserve it all. I have my doubts about the USB drive when I was at the store during lunch but, darn, they had a great sale. . . I'm gonna head back now to get what I originally went for - a hard drive and external USB drive enclosure.

    I found a link to something called FTK Imager Lite which sounds promising. Have you heard of it? I've downloaded it to poke at when I get back.[/quote]
    To add to what Stuart outlined, if you get Acronis True Image, you can have it produce a bootable CD (on another machine) then boot to the CD on the system that you want to "Image". A true image copy can then be sent to an external HD.
    BOB


    Long ago, there was a time when men cursed and beat on the ground with sticks. It was called witchcraft.
    Today it is called golf!

  6. #6
    Bronze Lounger
    Join Date
    Apr 2001
    Location
    Peterborough, Ontario, Canada
    Posts
    1,450
    Thanks
    0
    Thanked 1 Time in 1 Post
    [quote name='viking33' post='789859' date='19-Aug-2009 19:49']To add to what Stuart outlined, if you get Acronis True Image, you can have it produce a bootable CD (on another machine) then boot to the CD on the system that you want to "Image". A true image copy can then be sent to an external HD.[/quote]

    The original drive is the evidence, a copy is a copy. Unless, that is, what you began with was a copy. Some sort of audit trail would help, but in today's world you may find it impossible to keep a lid on it.

  7. #7
    4 Star Lounger
    Join Date
    Jan 2001
    Location
    Tacoma, Washington, USA
    Posts
    431
    Thanks
    0
    Thanked 3 Times in 3 Posts
    The attorney I'm working with has been reminded that though I'm the office guru for computers, I'm not a forensic expert. He's cool with that. We don't believe this case will go very far. This is to protect us in the best and least expensive way we have at hand right now before I start to dig for files.

    So I got back yesterday with the smallest hard drive I could find (160GB) and an external enclosure. I found and followed this article as best I could: http://www.lawtechnews.com/r5/showkiosk.as...ting_id=1560973 I inventoried the evidence machine and took photographs before I started. I'm a strong advocate for CYA so I also started a log of each step I took in case I'm called upon to make an affidavit later. I hooked up the external target drive and USB flash drive with the software on it to the evidence computer. The computer wouldn't recognize the external target drive because it was new so I went ahead and initialized it, created the partition and formatted it.

    I then ran the FTK Imager Lite software from the flash drive (so nothing was installed on the evidence computer). I selected the evidence computer's physical drive as the source and the external target drive as the destination. I used the evidence drive's serial number for the filename. I chose E01 as the image type and accepted the default 1500MB image format size. I opted to have a directory tree created of the contents. It took about 15 hours to image and is now running the verification which it says could take another 28 hours (ouch).

    I've never done this before so I'm hoping this is right. I peeked at the external target drive contents and it's loaded with E01 files. How the heck is one supposed to view and access those files? My next step in this crazy plan is to look at the contents of the drive and fish out all data and put that on a large flash drive for the attorney to fish through to find what he's looking for. It's not up to me to make decisions on the data - just make a copy of the drive and then put all data I find on flash drive. Data meaning MS Office docs, images like JPG, PDF files, etc.

    I was hoping to access the copy to pull copies of data from it to the flash drive. I didn't want to pull it from the original hard drive in fear it might be too disturbing. Plus I need to get this computer back to the client. No, the attorney doesn't want to keep their original hard drive. That's why I'm making the copy first. If I can't access the E01 files to look for what I need, maybe I make a folder on the external target drive and pull copies of data off the original hard drive?
    Daisy
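The sector-by-sector copy from steps 6 to 8 of post #4 and the verification pass described in the post above, sketched as an added example. It is not part of the original thread and is not how Acronis True Image or FTK Imager work internally; it writes a raw image rather than an E01 container, and the function names and the 512-byte sector size are assumptions.

```python
import hashlib

SECTOR = 512  # assumed bytes per sector


def image_device(src, dst, total_sectors, chunk_sectors=128):
    """Copy every sector of src to dst, used or unused, hashing as we go.

    src and dst are binary file objects (the source opened read-only, the
    image file opened for writing). Unreadable sectors are zero-filled and
    recorded, so every later sector keeps its original offset in the image.
    Returns (sha256_hex_of_image, list_of_bad_sector_numbers).
    """
    digest = hashlib.sha256()
    bad = []
    sector = 0
    while sector < total_sectors:
        count = min(chunk_sectors, total_sectors - sector)
        try:
            data = _read(src, sector, count)
        except OSError:
            # Retry the chunk one sector at a time to isolate the bad ones.
            data = b""
            for s in range(sector, sector + count):
                try:
                    data += _read(src, s, 1)
                except OSError:
                    data += b"\x00" * SECTOR
                    bad.append(s)
        dst.write(data)
        digest.update(data)
        sector += count
    return digest.hexdigest(), bad


def _read(src, sector, count):
    """Read exactly `count` sectors starting at `sector`, or raise OSError."""
    src.seek(sector * SECTOR)
    data = src.read(count * SECTOR)
    if len(data) != count * SECTOR:
        raise OSError("short read at sector %d" % sector)
    return data


def verify_image(dst, expected_hex, chunk=1 << 20):
    """Re-read the finished image and confirm it still hashes to expected_hex."""
    digest = hashlib.sha256()
    dst.seek(0)
    for block in iter(lambda: dst.read(chunk), b""):
        digest.update(block)
    return digest.hexdigest() == expected_hex
```

Recording the returned hash and bad-sector list in the step log alongside the date gives a value that can be recomputed later to show the image has not changed.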

  8. #8
    Uranium Lounger viking33's Avatar
    Join Date
    Jun 2002
    Location
    Cape Cod, Massachusetts, USA
    Posts
    6,308
    Thanks
    0
    Thanked 1 Time in 1 Post
    [quote name='peterg' post='789880' date='20-Aug-2009 00:55']The original drive is the evidence, a copy is a copy. Unless, that is, what you began with was a copy. Some sort of audit trail would help, but in today's world you may find it impossible to keep a lid on it.[/quote]
    An Image is an Image. A Copy is a Copy. Big difference between an image and just a copy. With an image, it is an EXACT duplicate of the drive. A copy can be a selective copy of some files.
    However, the OP says he wanted to make a COPY?
    BOB

  9. #9
    4 Star Lounger
    Join Date
    Jan 2001
    Location
    Tacoma, Washington, USA
    Posts
    431
    Thanks
    0
    Thanked 3 Times in 3 Posts
    [quote name='viking33' post='789997' date='20-Aug-2009 10:24']However, the OP says he wanted to make a COPY?[/quote]

    I didn't do the best to describe the project originally and I'm learning as I go along. I need both an image and a copy. An image to preserve for evidence. And then a copy of data files for handling and distributing, whether I pull that copy from the original hard drive or the image of it. The attorney needs the copy to pick out what needs to be produced. The image would only be used if the case progressed to that point which, of course, we hope won't happen. It contains too much information unrelated and unnecessary for production.
    I had to turn off the evidence computer's monitor. Kept watching to see if the estimated time would speed up. Sure wish this computer wasn't so old and slow. 68 hours remaining on the verification.
    Daisy

  10. #10
    Administrator
    Join Date
    Mar 2001
    Location
    St Louis, Missouri, USA
    Posts
    23,592
    Thanks
    5
    Thanked 1,059 Times in 928 Posts
    [quote name='ailios' post='789968' date='20-Aug-2009 10:34']I've never done this before so I'm hoping this is right. I peeked at the external target drive contents and it's loaded with E01 files. How the heck is one supposed to view and access those files? My next step in this crazy plan is to look at the contents of the drive and fish out all data and put that on a large flash drive for the attorney to fish through to find what he's looking for. It's not up to me to make decisions on the data - just make a copy of the drive and then put all data I find on flash drive. Data meaning MS Office docs, images like JPG, PDF files, etc.

    I was hoping to access the copy to pull copies of data from it to the flash drive. I didn't want to pull it from the original hard drive in fear it might be too disturbing. Plus I need to get this computer back to the client. No, the attorney doesn't want to keep their original hard drive. That's why I'm making the copy first. If I can't access the E01 files to look for what I need, maybe I make a folder on the external target drive and pull copies of data off the original hard drive?[/quote]

    Usually the imaging software will allow you to explore the image. You should be able to see the actual folder/file structure and extract what you need.

    Joe
