Good Software or Hardware Tool For Field Acquisition

[Jared]

Anyone care to recommend a good tool used for field acquisition of a HDD in the field that is forensically sound? I have a customer who wants to pay me to drive two hours away to image a drive and attempt recovery. I already know lawyers are involved, and I keep telling them I'm not a forensics person, but they are very insistent.

I know a million ways to make a perfect clone, but just in case this does turn into an investigation later I'd rather err on the side of caution and do it all forensically sound right now.

 

[jol]

What about rapidspar ?

 

[pclab]

FTK imager is not good enough?

 

[lcoughey]

What about rapidspar ?

Not a bad idea. Embed the cost of a new RapidSpar unit into your price quote, but be sure to include the Data Acquisition add-on.

 

[Jared]

FTK imager is not good enough?

I was actually leaning toward this one. I like that it'll generate an Encase image file and calculate checksums. Do you happen to know if it can then convert the E01 file to a RAW image for me to work with in finding the lost data?

 

[Jared]

What about rapidspar ?

Not a bad idea. Embed the cost of a new RapidSpar unit into your price quote, but be sure to include the Data Acquisition add-on.

Does RapidSpar have a forensics mode where it'll calculate checksums?

Edit: I see it does seem to have a Data Acquisition Add-On: http://rapidspar.com/forensics.html
Anyone know how much this addon costs? I know the RapidSpar itself is around $2000

Double Edit: Found their prices page: http://rapidspar.com/forensics.html

 

[Amarbir[CDR-Labs]]

What about rapidspar ?

Not a bad idea. Embed the cost of a new RapidSpar unit into your price quote, but be sure to include the Data Acquisition add-on.

Luke Sir ,
I am still dying to get some feedback from you for rapidspar ,I know you are a super busy man appreciate if you could shed some light at least now

 

[ScotchBroth]

I know I'm late to the party. But how'd it go? I have tons of tips for you depending on the state of the drive. You're likely done already, but I'm just wondering.

 

[Jared]

I know I'm late to the party. But how'd it go? I have tons of tips for you depending on the state of the drive. You're likely done already, but I'm just wondering.

It didn't turn out to be a case where it really needed to be forensically sound. It was evidence for a criminal case, but since we were just looking for video to try to prove the defense (not offense) it didn't have to be handled following any particular procedures. So I ended up just dd'ing the HDD to an image file on an external.

Was a wild goose chase anyway. They weren't even sure if the video was ever saved on this computer. If it had been would have been just for a minute before copying to a thumb drive. And the computer was in use for nearly six months since then, :roll: .

 

[ScotchBroth]

If it had been would have been just for a minute before copying to a thumb drive. And the computer was in use for nearly six months since then

Bah, I hate that.


Anyways, Paladin from Sumeri Forensics is a good bootable forensic imager. Good for PC and Mac. gotta be quick on the draw though with some bootup menus

Speaking of forensic imaging, does anyone use the DDI forensic addon? Whenever I do to make a DD of a drive the NTFS filesystem is undetectable by windows. I'm not certain why (I haven't dug into it really) Just wondering if anyone's experienced it and has a fix.