Forensic Procedure Part 2

Disc imaging

It is important to note that there are several methods for producing a forensic image of a hard disk, and each method needs its own set of tools.

It is essential to validate with an MD5 or equivalent checksum. This should be done three times: before the disk is imaged, after the disc imaging process is complete, and once the examination has been completed.

What to do before performing the disc imaging process

You need to record the physical disc geometry, which involves noting the cylinders, heads, etc. You should also record the Logical Block Address geometry (which will be covered in a later post).

At no point should the computer be allowed to reach the boot stage after being shut down. To prevent this, the analyst may have to modify the boot order so that the CD-ROM boots first.

PCMCIA ATA controller using dd

Install the controller and then:
           Boot from the CD used to image
           Make a directory entry for the drive that will receive the file
           Mount the second drive to the file system
           Use a dd command to copy and then verify with md5sum
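The dd steps above together with the three checksum checks, written out as an added shell example (not from the original post). It assumes GNU or BusyBox dd and md5sum, that SRC is the evidence device (for example /dev/sdb) and that DEST is a path on the mounted target drive; mount_target needs root and is not exercised when the script is run against ordinary files.

```shell
#!/bin/sh
# Added example (not from the original post): the dd imaging steps with the
# three MD5 checks. Assumes GNU or BusyBox dd and md5sum; SRC is the evidence
# device (e.g. /dev/sdb) and DEST a path on the mounted target drive.

# Print just the MD5 hex digest of a file or device.
md5_of() {
    out=$(md5sum "$1") || return 1
    printf '%s\n' "${out%% *}"
}

# Steps 2-3 of the procedure: create a mount point for the drive that will
# receive the image and mount it there (needs root).
mount_target() {
    mkdir -p "$2" && mount "$1" "$2"
}

# image_and_verify SRC DEST [BS]
# Check 1: hash SRC before imaging. Check 2: hash DEST after dd and compare.
# conv=noerror keeps reading past bad sectors and conv=sync zero-pads each
# short block; BS must therefore divide the device size (512 always does on a
# disk), otherwise the padded image will not hash equal to the source.
# Both hashes are written to DEST.md5 and dd's record counts to DEST.dd.log.
image_and_verify() {
    src="$1"; dest="$2"; bs="${3:-512}"
    pre=$(md5_of "$src") || return 1
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>"$dest.dd.log" || return 1
    post=$(md5_of "$dest") || return 1
    printf 'source %s %s\nimage %s %s\n' "$pre" "$src" "$post" "$dest" >"$dest.md5"
    [ "$pre" = "$post" ]
}

# Check 3: after the examination, re-hash the image and compare with the value
# recorded at imaging time. Returns 1 if the image no longer matches.
verify_after_exam() {
    dest="$1"
    recorded=$(awk '$1 == "image" { print $2 }' "$dest.md5") || return 1
    now=$(md5_of "$dest") || return 1
    [ -n "$recorded" ] && [ "$now" = "$recorded" ]
}
```

A mismatch at check 2 means either a read error was zero-padded or the block size did not divide the source size; the DEST.dd.log record counts tell you which.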

Note: There are more methods which I plan on adding once I have fully understood this one.
