I'll second FTK Imager Lite as a free, portable tool that can do drive 
imaging, deleted files analysis and extraction, and file hashing; the latest 
version also does memory acquisition. I keep it on a USB key and use it pretty 
frequently.

 

Does anyone know something similar (portable, gui-fied) that runs on Linux?

 

PJ
 
> Date: Thu, 10 Dec 2009 11:14:50 -0500
> From: [email protected]
> To: [email protected]
> Subject: Re: [Pauldotcom] Digital Forensic Software
> 
> All great advice. I just did some demos for the sysadmins at work on
> several Forensic Image packages available. Here's some notes that
> might help and save you some time.
> 
> Helix Pro 3 - must purchase
> 
> Easy to use
> Can be used as a Live or Bootable CD
> Includes hashing capabilities.
> Includes a “Receiver” server for receiving multiple images on a network.
> Supported on Windows, Mac, and Linux
> Support via Forums and Email
> Includes auto generated Chain of Custody Forms
> 
> Bootable CD - Marks all mounted drives as read only by default
> Live CD - Run from within OS, touches OS but they have this well documented
> 
> Some notes on using Bootable Option (if you have issues)
> 
> Enable Safe Mode Video (F4) and acpi=off “advanced Configuration and
> Power Interface” (F6) on the boot menu.
> Note: You Must manually mount destination disk as read/write via interface
> 
> Raptor - free at http://www.raptorforensics.com
> 
> Bootable CD raw image utility based on Ubuntu, interface a bit more
> clumsy compared to Helix but it works and it is free
> 
> Dcfldd - free at http://dcfldd.sourceforge.net/
> 
> Live CD raw image utility - windows or linux -cmd line only
> 
> 
> Live View 0.7b - free (can convert Image files into a VM) at
> http://liveview.sourceforge.net/
> 
> provides an easy to use interface that can create read only .vmdk from
> a raw image or physical disk.
> Will disable networking within VMWare auto
> Can run a cryptographic checksum on the image before and after booting
> to verify the integrity of the evidence
> Support for all versions of Windows and some Linux
> Supports VMWare Workstation 5.5+ or Server 1.X (does not support Server 2.X 
> yet)
> Can be used with a single image file or split images
> 
> 
> Also FTK rocks for mounting read only and carving out what you want.
> It also has a "lite" version that will run off a USB device
> 
> Hope this helps.
> 
> Tim
                                          
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
