A quick hint for a lazy Friday afternoon (actually I just finished analyzing and correcting a corrupt FAT table on a forensic image, so I’m not being lazy, I’m just tired :)):
Most forensic investigators acquire drive images to an image file of some sort (e.g. RAW). However, there may come a time when you need to provide a copy of the image on an actual drive (perhaps you need to give a copy to a lawyer or client who doesn’t know how to deal with RAW image files), or you may, for convenience’s sake, decide to acquire an image directly to a spare hard disk you have available. To prevent leftover data from a previous use of that disk sending you (or another investigator) down the road chasing your own tail, zero out your target drive before using it as an imaging target (unless, of course, your image fills the entire drive completely). An easy way to do this on a Linux system is (replace <drive> with your target drive’s identifier once it is attached):
dd if=/dev/zero of=/dev/<drive>
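The wipe is only half the job: before handing the drive to the imaging tool you want proof that every byte actually reads back as zero. The following script is an added example, not part of the original post. It uses a regular file as a stand-in for /dev/<drive> (so it can run without a spare disk), and the function names (make_dirty_target, zero_target, count_nonzero_bytes, is_zeroed) are my own. The size argument exists only because of the file stand-in: on a real block device the post's dd command needs no size, since dd stops at the last sector.

```shell
#!/bin/sh
# Added example, not from the original post: zero an imaging target and then
# verify that every byte reads back as zero, so no residue from an earlier
# case can be mistaken for evidence. A regular file stands in for /dev/<drive>;
# the size is passed explicitly because dd into a regular file would otherwise
# keep growing it until the filesystem fills, while a real block device simply
# ends the dd at its last sector.
set -eu

# Constructed stand-in for a previously used target: fill it with random bytes,
# i.e. the kind of leftover data a prior acquisition would leave behind.
make_dirty_target() {
  target="$1"; size="$2"
  head -c "$size" /dev/urandom > "$target"
}

# Overwrite the first $size bytes of $target with zeros and flush to disk.
# On a real drive the post's command, dd if=/dev/zero of=/dev/<drive>, needs
# no size: dd stops at the end of the device (add bs=1M for throughput and,
# with GNU dd, status=progress to watch it).
zero_target() {
  target="$1"; size="$2"
  head -c "$size" /dev/zero | dd of="$target" bs=1M 2>/dev/null
  sync
}

# Number of non-zero bytes among the first $size bytes of $target
# (0 means the target is clean).
count_nonzero_bytes() {
  target="$1"; size="$2"
  head -c "$size" "$target" | tr -d '\000' | wc -c | tr -d ' '
}

# Exit status 0 if the target is fully zeroed, 1 otherwise; this is the
# check worth running before the target is handed to the imaging tool.
is_zeroed() {
  [ "$(count_nonzero_bytes "$1" "$2")" -eq 0 ]
}

# Stand-alone demonstration on a temporary file of 3 MiB plus 17 bytes, so
# the partial last block is covered too.
demo() {
  tmpdir=$(mktemp -d)
  target="$tmpdir/target.img"
  size=3145745
  make_dirty_target "$target" "$size"
  printf 'before wipe: %s non-zero bytes\n' "$(count_nonzero_bytes "$target" "$size")"
  zero_target "$target" "$size"
  printf 'after wipe:  %s non-zero bytes\n' "$(count_nonzero_bytes "$target" "$size")"
  if is_zeroed "$target" "$size"; then
    echo "target is clean, safe to use for imaging"
  else
    echo "target still holds residue, do not image onto it"
  fi
  rm -rf "$tmpdir"
}

demo
```

On a real drive, run the wipe as root and check the device name twice (lsblk or dmesg after plugging it in): dd will just as happily zero the wrong disk. The read-back check in is_zeroed covers what the operating system can read from the device, which is what any later imaging tool will see too.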
Have a fun and safe Memorial Day weekend!