RE: Using dd.exe to make forensic images of NTFS drives

["Christopher Brown" <[EMAIL PROTECTED]>]

Sakaba,

You may want to investigate ProDiscover IR which is the incident response
and auditing version of ProDiscover DFT. ProDiscover IR will allow live
imaging and analysis of any windows system over the network at an affordable
cost. See http://www.techpathways.com or contact me directly for details or
questions.

Regards,

Christopher L. T. Brown
Technology Pathways LLC
Makers of ProDiscover
[EMAIL PROTECTED]
Phone: 619-435-0906 / 888-894-5500
http://www.TechPathways.com

This email message is for the sole use of the intended recipient[s] and may
contain privileged information.  Any unauthorized review, use, disclosure or
distribution is prohibited.  If you are not the intended recipient, please
contact the sender by phone or reply email and destroy all copies of the
original message.


> -----Original Message-----
> From: Sakaba [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 12, 2003 3:15 AM
> To: Reava, Jeffrey [IT/0200]; 'Sakaba'; [EMAIL PROTECTED]
> Subject: RE: Using dd.exe to make forensic images of NTFS drives
>
>
> Thanks Jeff,
>
> I think the best solutions for investigating without downing
> the system
> that I've heard so far are:
>
> 1] Mirror disks if you  have them  - Just pull out and put in another
> machine to examine
> 2] Encase - expensive but can do the job
> 3] Win32 binaries of Sleuthkit - don't have to down the
> system but need to
> copy over files which is annoying



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com