Archive for April, 2011

The ultimate collection kit.

April 30, 2011

So, there I was …. Or, in other words, once upon a time. Or, …. Anyhow, I’m off doing a really “interesting” collection job. It’s a mix of ediscovery and forensics, with all the typical issues – custodians available only for a day, unexpectedly large hard drives, systems that cannot come down at all, 3 Sony Vaios with just one power cord, etc. And, par for the course, no real idea of what I’m getting into prior to showing up on site, despite efforts to gather information. So, what made this a fun collection rather than a nightmare? The ultimate collection kit:

  1. WinFE with FTK Imager, IEF, and X-Ways. This successfully imaged a Vaio laptop with dual SSDs in a RAID configuration without a hitch.
  2. Tableau TD1 – if this thing would write to multiple destination drives simultaneously, I’d kiss it. Even without the dual destinations, it is a rock solid imaging solution. (Bring a USB keyboard to make things a bit easier.)
  3. FTK Imager CLI – Ok, I know how to use dd and its brethren, but FTK is a bit more full featured, and being able to use one software tool across all the platforms was great.
  4. FTK Imager – FTK Imager doing logical folder collections made packaging the loose files very easy. And, again, one software tool.

For live collection from Macs, I’m using a 750GB external drive with FTK Imager CLI on it. Davnads has a nice writeup on how to use the CLI. (Note: ftkimager requires double hyphens ‘--’ for options, not the single hyphens shown in his article.) I could have also used WinFE but live collection was acceptable for this project so that’s what I went with.

In the future, I’d prepare all of the external collection drives with FTK Imager Lite (standalone), FTK Imager CLI for all platforms, and TrueCrypt. This would let me do live collections from any platform. Add WinFE with FTK Imager and TC and I should be able to acquire any system, live or forensically sound, without popping the drive out. I will be limited to external interface speeds though, so these solutions are best for overnight collections.


WinFE is a forensically sound WinPE configuration. Brett Shavers did a nice writeup on configuring your own WinFE setup. The high points of WinFE, for me, are:

  • It will boot any Intel system, including Macs.
  • It is forensically sound.
  • It is (relatively) easy to add your own tools.

I have mine set up on 8GB thumb drives using Windows 7 Pro as a base. They include FTK Imager, X-Ways, and IEF at the moment. A friend has figured out how to add EnCase and I want to include TrueCrypt and an AV solution as well.

Bear in mind that the tools you use must be able to access the physical drive. If they cannot, then you need to bring the drive online using diskpart. Doing so will make a 4-byte change to the drive in non-user space.

If you’re adding a drive to store imaging results, you also need to use DiskPart to make it available. (The following is lifted from Brett’s documentation – A User’s Guide to WinFE)
> diskpart (to run DiskPart)
> list disk (to see the media connected to the system)
> select disk N (where N is the number of your destination drive)
> online disk (to bring the disk online)
> attributes disk clear READONLY (to allow writing to the disk)
> list volume (in order to choose the volume on the destination disk to write)
> select volume V (where V is the volume number of your destination disk)
> attributes volume clear READONLY (to allow writing to the volume)
> assign letter=Z (any letter you choose, to which your image will be written)
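
The steps above as a two-stage batch wrapper around `diskpart /s`: it prints `detail disk` and waits for confirmation before anything is brought online, so a mistyped disk number does not touch the evidence drive. This is an added example, not part of Brett's guide or the original post; the file name `dest-online.cmd` is hypothetical, and it assumes the destination file system is on partition 1 (used in place of the `list volume` / `select volume` steps) and that the disk is still offline, as in WinFE.

```batch
@echo off
rem dest-online.cmd (hypothetical name): added example, not from the WinFE guide.
rem Usage: dest-online.cmd DISK_NUMBER [LETTER]
rem Assumption: the destination file system is on partition 1 of that disk.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 DISK_NUMBER [LETTER]
    exit /b 1
)
set "DISK=%~1"
set "LETTER=%~2"
if not defined LETTER set "LETTER=Z"
set "SCRIPT=%TEMP%\dest-online.txt"

rem Stage 1: display only. "detail disk" prints model, size and bus type so
rem the disk number can be checked against the physical destination drive.
> "%SCRIPT%" echo select disk %DISK%
>> "%SCRIPT%" echo detail disk
diskpart /s "%SCRIPT%"
if errorlevel 1 exit /b 1

set "ANSWER="
set /p "ANSWER=Type YES if disk %DISK% is the DESTINATION drive: "
if /i not "%ANSWER%"=="YES" (
    echo Aborted. No disk was brought online.
    exit /b 2
)

rem Stage 2: the steps listed above, applied to the confirmed disk only.
rem "select partition 1" also gives focus to that partition's volume.
> "%SCRIPT%" echo select disk %DISK%
>> "%SCRIPT%" echo online disk
>> "%SCRIPT%" echo attributes disk clear readonly
>> "%SCRIPT%" echo select partition 1
>> "%SCRIPT%" echo attributes volume clear readonly
>> "%SCRIPT%" echo assign letter=%LETTER%
>> "%SCRIPT%" echo detail disk
diskpart /s "%SCRIPT%"
if errorlevel 1 (
    echo diskpart reported an error. Check the output above.
    exit /b 1
)
echo Destination disk %DISK% is writable as %LETTER%:
```

Run `list disk` by hand first to find the candidate number; the script never issues `online disk` or clears READONLY on any disk other than the one confirmed at the prompt.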

Of course, there are all sorts of other things in my collection kit – two Pelican cases full of stuff, in fact, but everything mentioned here will fit in one case and will allow you to handle quite a bit of what might be thrown at you.