Thursday, November 24, 2011

a couple of newly discovered tools

It's been an extremely busy autumn for me. Whilst running around, I came across a couple of useful tools.

SAFE (System Acquisition Forensic Environment) is a Windows PE boot disk with built-in software write blocking. I use the Enterprise version, which requires a dongle only to start up the environment. The dongle can then be removed to start up the next machine. A bootable USB can also be created with SAFE USB Creator. There are several tools listed as officially SUPPORTED by ForensicSoft, but plenty of other tools can also run just fine in this environment. To get the ability to image over the network, I put F-Response on the Live CD as well and found it to be working rather well. SAFE has some problems with recognising Unicode file names (when opening with OpenOffice, for example) and some other minor bugs. Win PE is based on Windows 7 32-bit and works well with most hardware.

Another Windows-based GUI Forensic Imager has been released in beta, this time from GetData. It has a very simple interface, works in a portable mode and supports DD, AFF and E01 image formats. It also converts from one format to another. I wonder if it will remain free after it is out of beta.