Information Security
SkyNezu, 2016-10-17 09:51:01

What are the means to take a disk image when investigating incidents?

Hello colleagues.
Let's imagine a situation. An incident has occurred. The person does not want to make contact and denies everything. The process is essentially simple: we seal the PC (hard drive, etc.) in front of witnesses, take an image of the RAM and hard drive, look for evidence, document everything and punish ourselves or go to court with it.
And here a number of questions arise:
1. How to take an image of a hard disk for further investigation?
Is it necessary to use hardware write blockers, or can I get by with some LiveCD distribution?
2. How to take an image of RAM for further investigation?
3. If the case goes to court, then it is necessary that the results of the investigation be accepted by the court. What software should be used for this?
Anyone with experience in similar incident investigations, please share your experience.


3 answer(s)
athacker, 2016-10-18
@athacker

Have a look here: https://forensiccontrol.com/resources/free-software/
About RAM impressions - it's not that simple, but you can look here: www.forensicswiki.org/wiki/Tools:Memory_Imaging

Gleb Gryadk.in, 2016-10-17
@Gryadk_in

3. = "Providing evidence by a notary" ?

Alexander, 2016-10-17
@NeiroNx

WinHEX can do both, but you have to buy a license.
