Creating an Image with OSI


To create an image with OnScene Investigator, follow these steps:

Connect an external USB hard drive, with the FAT32 file system, to the suspect computer.

The USB drive may be connected either before or after the suspect computer is booted from the OnScene Investigator boot CD. Then click the “Load USB Drives” button; OnScene Investigator will search for and load any USB drives found connected to the suspect computer.


Once the external drive you wish to use is recognized and loaded, click the “Copy Image” button. The “Copy Image” window will open and allow you to begin configuring the image parameters.

In the “Copy Image” window…

[Screenshot: Copy Image window, drive selection]

Select the source and destination drives. Under “Suspect Drives” select the drive or partition you wish to image, and under “Investigator Drives” select the location you want the image copied to.

To select the entire suspect drive select the root item in the tree, shown here as /dev/sda. If you only wish to copy a single partition, select the partition in the list.

Once the drives are selected, you will see the selected items in the “Source” and “Destination” text fields, respectively. With the proper selections made, click “Next” to continue.

You will be asked to confirm that you wish to write to the selected drive.

It is critical to ensure that the destination drive is the external USB drive that you connected, and not a suspect drive that may contain evidence.

[Screenshot: confirm destination drive]
Once you are sure that you wish to write the image to the selected USB drive, type “YES” in the text field provided and click “Next” to continue.

You will be presented with the Options window to set the basic options for the image.

[Screenshot: image options window]

 Evidence File Name – Enter the file name you wish to use for the image.
 File Segment Size (MB) – The final image will be a series of smaller files. Select the size (in megabytes) that you want each segment of the image to be.
 File Compression – Set what level of compression you wish to use for this image. Options are:
   none – The image will not be compressed at all. Requires the most space on the destination drive, but obtains the image fastest.
   empty_block – Omits any empty blocks that contain the same information, but does not compress the data.
   fast – Omits any empty blocks that contain the same information and compresses the data. Does not compress the data as much as “best”, but completes the image faster.
   best – Omits any empty blocks that contain the same information and compresses the data using the highest level of compression. Saves the most disk space on the destination drive, but requires the most time to complete the image.
 Notes – Allows you to add any notes you wish to include regarding the image (optional).
 Examiner name – Enter the examiner’s name (optional).

Once you have the options configured as required, click “Next” to continue.

You will be presented with the Advanced Options window to configure further details of the image.

[Screenshot: advanced options window]

 Evidence number – Select or enter the evidence number for this image.
 Case number – Enter the case number for this image.
 Start sector – Select the sector of the hard drive that you wish to start the image from.
 Stop sector – Select the sector of the hard drive that you wish to end the image at.
 Block size (Sectors) – Select the number of sectors per block. If you select a portion of the hard drive using the Start and Stop sector options (rather than the partition selection at the beginning of this wizard), you may need to match the block size to that of the source hard drive. This is set to 64 by default.
 EWF file format – Select the file format of the image needed for the software that will be used to examine the image. Supports FTK, EnCase 2 through 6, EwfX (EnCase), Linen5, and Linen6.
 Media type – Select whether the source drive is a fixed or removable drive.
 Volume type – Select whether the source drive is a logical or physical drive.

The “Show Processing On” option selects whether the image acquisition progress is shown on the investigator or the suspect screen. If you choose “Show Processing On Suspect”, you can disconnect the investigator computer after the image has begun; the image will continue, showing its progress on the suspect computer screen.

“Verify after imaging completes” will verify the image once it has been successfully written.

Once you have the options configured as required, click “Next” to begin imaging.

Once the imaging has begun you will see the status window.

[Screenshot: imaging status window (image speed better than a Solo3)]

Once the image has completed, the image verification will begin.

[Screenshot: verification by MD5 hash]

Once verification has completed, clicking the “Next” button will show the image and verification details.

[Screenshot: report on the image and its verification]

Clicking the “Report” button will allow you to save the information to a file.

[Screenshot: saved image report]
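The acquire-then-verify flow the wizard drives (start/stop sector, block size in sectors, segment size in MB, and an MD5 verification pass over the written segments) is shown below as an added example; this is illustrative code written for this page, not OnScene Investigator's code, and it writes plain numbered segment files rather than the EWF formats listed above. The 512-byte sector size, the segment naming and the constructed 4 MiB "drive" in demo() are assumptions.

```python
import hashlib, io, os, tempfile

SECTOR_BYTES = 512  # assumed sector size; OSI expresses start/stop/block in sectors

def acquire_image(source, start_sector, stop_sector, block_sectors,
                  segment_mb, out_dir, evidence_name):
    """Copy sectors start..stop (inclusive) of file-like `source` into numbered
    segments of at most segment_mb MiB, block_sectors sectors per read, MD5ing
    the stream as it is read (the acquisition hash)."""
    block, limit = block_sectors * SECTOR_BYTES, segment_mb * 1024 * 1024
    remaining = (stop_sector - start_sector + 1) * SECTOR_BYTES
    source.seek(start_sector * SECTOR_BYTES)
    digest, segments, seg, used = hashlib.md5(), [], None, 0
    while remaining > 0:
        chunk = source.read(min(block, remaining))
        if not chunk:
            raise IOError("source ended before the stop sector")
        remaining -= len(chunk)
        digest.update(chunk)
        if seg is None or used + len(chunk) > limit:  # open the next segment
            if seg:
                seg.close()
            path = os.path.join(out_dir, f"{evidence_name}.{len(segments) + 1:03d}")
            seg, used = open(path, "wb"), 0
            segments.append(path)
        seg.write(chunk)
        used += len(chunk)
    if seg:
        seg.close()
    return segments, digest.hexdigest()

def verify_image(segments, acquisition_md5):
    """Re-read the segments in order; True if their MD5 matches the acquisition hash."""
    digest = hashlib.md5()
    for path in segments:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
    return digest.hexdigest() == acquisition_md5

def demo():
    """Constructed 4 MiB drive: image sectors 64..6207 in 64-sector blocks into
    1 MB segments, verify, corrupt one segment, verify again."""
    drive = bytes(range(256)) * 16384
    with tempfile.TemporaryDirectory() as out_dir:
        segs, md5 = acquire_image(io.BytesIO(drive), 64, 6207, 64, 1, out_dir, "case001")
        ok = verify_image(segs, md5)
        with open(segs[1], "ab") as fh:  # append a stray byte to the second segment
            fh.write(b"\0")
        expected = hashlib.md5(drive[64 * 512:6208 * 512]).hexdigest()
        return len(segs), md5 == expected, ok, verify_image(segs, md5)
```

demo() returns three segments, an acquisition hash equal to the MD5 of the selected sector range, a passing verification, and a failing one after the segment is altered. On a FAT32 destination each segment must stay under 4 GB, so pick the segment size accordingly.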
