If you have access to hardware imaging devices, but only a few relative to a large data collection, consider booting your suspect/custodian machines to WinFE and imaging directly to your destination drives. No matter how fast your expensive hardware imaging device is, the more computers you have to image, the faster it is to boot each machine to WinFE and have them all image at the same time. Hardware imaging doesn’t beat that speed unless you have LOTS of hardware imagers.
Once booted to the WinFE environment, the destination drive for your image must be set using DiskPart. These commands are detailed in the paper, “The (Nearly) Perfect Boot CD”. A GUI is being developed now for those who would rather push a button than type a command (I’m one of those people sometimes). Once the destination drive is set with DiskPart, imaging the host computer (suspect or custodian) is easily done using any of the forensic imaging applications you have installed on the CD/USB. These can include EnCase, X-Ways Forensics, FTK Imager, ProDiscover, or other forensic applications that can run in the WinFE environment.
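As an added illustration (not reproduced from the paper and not the author's own listing), the following DiskPart sequence shows one way to bring a destination drive online and writable using standard DiskPart commands. The disk number 1, volume number 3 and drive letter Z are assumptions; substitute the values that `list disk` and `list volume` report for your destination drive.

```diskpart
rem Added example: type at the DISKPART> prompt, or save and run with "diskpart /s <file>".
rem ASSUMPTIONS: disk 1 / volume 3 are the DESTINATION drive and letter Z is unused.

rem 1. Enumerate disks. Identify the destination by size and model, not by number alone.
list disk

rem 2. Select the destination and confirm it is the right disk before changing anything.
select disk 1
detail disk

rem 3. Bring only the destination disk online and clear its read-only attribute.
online disk
attributes disk clear readonly

rem 4. Locate the destination volume, make it writable and give it a drive letter.
list volume
select volume 3
attributes volume clear readonly
assign letter=Z

rem 5. Verify the result: the destination should report "Read-only : No".
rem    Check in "list disk" that no other disk changed status.
attributes disk
list disk
exit
```

The suspect/custodian disk is never selected in this sequence, so these commands do not change its state.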
Boot the Suspect/Custodian Machine to WinFE
Consider injecting eSATA drivers into your WinFE. Adding an eSATA card to a desktop or laptop can dramatically increase your imaging speed, nearly to the speed of a hardware imaging device. For computers with limited open USB/Firewire/SATA ports, being able to add ports quickly and easily can save you a great deal of hassle when trying to plug in your external drives. The only limit is your imagination in how you connect the external devices that will store your image.
Boot Your Forensic Machine to WinFE
As WinFE is a minimalist version of your full-fledged Windows OS, it will more than likely run a bit faster than your forensic workstation. After all, there are probably lots of programs and processes running each time your forensic machine is on, many of which you don’t need but which slow down your machine (and give Windows or a program one more reason to crash when you really don’t need it to crash). An alternative that still uses your imaging tools with WinFE, but on your forensic machine, is to boot your forensic machine to WinFE, connect your evidence drive (you can use a write blocker or not), and image to your storage device or network. This lets you use your trusted hardware with the fastest possible OS (WinFE).
Yet another option is to place a clean storage drive in your forensic machine, boot to WinFE, and image the suspect/custodian drive (with or without a hardware write blocker) to the sterile hard drive in your forensic machine. This may be an option when the suspect/custodian machine does not allow for connecting any devices, or when you want to limit the number of devices connected through USB/SATA and image directly to an internal drive.

