Difference between pages "Strings" and "Disk image"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
 
Line 1: Line 1:
Strings is a program that prints out any [[ASCII]] or [[Unicode]] strings in the input file. Forensic examiners can use strings to get a sense of the functionality of an unknown program. User prompts, error messages, and status messages can give hints, but should not be used as proof or lack or any functionality.
+
A disk image is a full disk copy of the data making up the partition table, file allocation tables and data partitions without regard for operating system.
  
Most [[Linux]] and [[UNIX]] distributions have a strings program included. For [[Windows]] there is a [[SysInternals]] version of strings by [[Mark Russinovich]]. The most recent release was [http://www.microsoft.com/technet/sysinternals/Miscellaneous/Strings.mspx SysInternals strings version 2.30] on 1 Nov 2006. Note that the Windows version searches for both ASCII and Unicode strings by default.
+
A disk image should be made prior to performing any forensic analysis of the disk.  Creating a disk image is important in forensics for several reasons:
  
== External Links ==
+
1. Ensure that disk information is not inadvertantly changed during analysis. 
  
* [http://www.openbsd.org/cgi-bin/man.cgi?query=strings
+
2. By performing an original disk image and storing the original disk, it is possible to reproduce forensic test results with an exact reproduction of analysis methods on the original evidence.
 +
 
 +
3. Disk imaging will capture information invisible to the operating system in use *E.g. hidden partitions, ext3 partitions on a Windows machine, etc.
 +
 
 +
 
 +
== Software ==
 +
 
 +
Popular software used to create disk images includes Norton Ghost.  A raw image (bit-by-bit) copy of the original media should be done using the software, which may not be the default settings on the software. 
 +
 
 +
Other possible software, programs include dd, dcfldd, EnCase, and FTK

Revision as of 10:08, 16 July 2008

A disk image is a full disk copy of the data making up the partition table, file allocation tables and data partitions without regard for operating system.

A disk image should be made prior to performing any forensic analysis of the disk. Creating a disk image is important in forensics for several reasons:

1. Ensure that disk information is not inadvertantly changed during analysis.

2. By performing an original disk image and storing the original disk, it is possible to reproduce forensic test results with an exact reproduction of analysis methods on the original evidence.

3. Disk imaging will capture information invisible to the operating system in use *E.g. hidden partitions, ext3 partitions on a Windows machine, etc.


Software

Popular software used to create disk images includes Norton Ghost. A raw image (bit-by-bit) copy of the original media should be done using the software, which may not be the default settings on the software.

Other possible software, programs include dd, dcfldd, EnCase, and FTK