Home > Computer forensics, incident response > The ultimate collection kit.

The ultimate collection kit.

So, there I was …. Or, in other words, once upon a time. Or, …. Anyhow, I’m off doing a really “interesting” collection job. Its a mix of ediscovery and forensics, with all the typical issues – custodians available only for a day, unexpectedly large hard drives, systems that cannot come down at all, 3 Sony Vaios with just one power cord, etc. And, par for the course, no real idea of what I’m getting into prior to showing up on site, despite efforts to gather information. So, what made this fun collection rather than a nightmare? The ultimate collection kit:

  1. WinFE with FTK Imager, IEF, and X-Ways. This successfully imaged a Vaio laptop with dual SSDs in a RAID configuration without a hitch.
  2. Tableau TD1 – if this thing would write to multiple destination drives simultaneously, I’d kiss it. Even without the dual destinations, it is a rock solid imaging solution. (Bring a USB keyboard to make things a bit easier.)
  3. FTK Imager CLI – Ok, I know how to use dd and its brethren, but FTK is a bit more full featured, and being able to use one software tool across all the platforms was great.
  4. FTK Imager – FTK Imager doing logical folder collections made packaging the loose files very easy. And, again, one software tool.
For live collection from Macs, I’m using a 750GB external drive with FTK Imager CLI on it. Davnads has a nice writeup on how to use the CLI. (Note: ftkimager requires double hyphens ‘–‘ and not single hyphens, as shown in his article, for options.) I could have also used WinFE but live collection was acceptable for this project so that’s what I went with.
In the future, I’d prepare all of the external collection drives with FTK Imager Lite (standalone), FTK Imager CLI for all platforms, and TrueCrypt. This would let me do live collections from any platform. Add WinFE with FTK Imager and TC and I should be able to acquire any system, live or forensically sound, without popping the drive out. I will be limited to external interface speeds though, so these solutions are best for overnight collections.


WinFE is a forensically sound WinPE configuration. Brett Shavers did nice writeup on configuring your own WinFE setup. The high points of WinFE, for me, are:
  • It will boot any Intel system, including Macs.
  • It is forensically sound
  • It is (relatively) easy to add your own tools
I have mine set up on 8GB thumb drives using Windows 7 Pro as a base. They include FTK Imager, X-Ways, and IEF at the moment. A friend has figured out how to add EnCase and I want to include TrueCrypt and an AV solution as well.
Bear in mind that the tools you use must be able to access the physical drive. If they cannot, then you need to bring the drive online using diskpart. Doing so will make a 4 byte change to the drive in non-user space.
If you’re adding a drive to store imaging results, you also need to use DiskPart to make it available. (The following is lifted from Brett’s documentation – A User’s Guide to WinFE)
> diskpart (to run DiskPart)
> list disks (to see the media connected to the system)
> select disk “N” (where “N” is number of your destination drive)
> online disk (to bring the disk online)
> attributes disk clear READONLY (to allow writing to the disk)
> list volume (in order to choose the volume on the destination disk to write)
> select volume “V” (where “V” is the volume number to your destination disk)
> attributes volume clear READONLY (to allow writing to the volume)
> assign letter=Z (any letter you choose, to which your image will be written

Of course, there are all sorts of other things in my collection kit – two Pelican cases full of stuff, in fact, but everything mentioned here will fit in one case and will allow you to handle quite a bit of what might be thrown at you.

  1. May 1, 2011 at 1:50 am

    Thanks for sharing; I’m glad to know we’re not the “only” ones going in to a collection blind. 😉

    We also have a tailored set of software we take with us on collections. This travels on the small unencrypted partition of our drives (we also have on thumbdrives and such as well). Truecrypt, dcfldd/netcat/md5deep, FTK Imager Lite (working on testing & adding CLI), copy utilities, and other portable utilities such as putty, some NirSoft, SysInternals, etc. We also have a customized live Linux distro (Ubuntu based) for imaging.

    I agree on the TD1; it’s pretty sweet. Obviously, you’re liking WinFE. How does it compare for speed & stability to a lean Linux CLI-only environment for imaging?


    • May 1, 2011 at 2:23 am

      WinFE has been remarkably stable so far and its driver support using just a standard Windows 7 Pro for a base has been excellent. The occasional driver problem I’ve run into with Helix et al was frustrating and were my primary reason for trying WinFE. I lack experience building custom lean Linux tools so I cannot really speak to that.

      The only speed issue I’m aware of is due to the native hardware. WinFE is as fast as Windows 7 would be on whatever hardware it is running on.

      One advantage of WinFE over a Linux CLI solution is for those sleep deprived moments – it lets me run full GUI versions of FTK Imager, X-Ways, etc. As Brett mentions in his blog, this makes it a good platform for building triage tools for first responders as well as for me in my sleep deprived moments.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: