PaulDotCom mailing list archives
foremost and data forensics
From: jim.halfpenny at gmail.com (Jim Halfpenny)
Date: Tue, 19 Jan 2010 15:01:06 +0000
You can image in "realtime" using a tool like FTK Imager. For best results you are best imaging the drive without the native OS running, e.g. using a boot CD like Helix, since actively using the disk could result in the data you want to recover being overwritten. It's a balance against the value of the data versus the disruption of shutting the machine now.

Jim

2010/1/19 Monkey Daemon <monkeywebdaemon at googlemail.com>

> So can I image the partition in "realtime" or do I need to take the server off-line and boot from a live cd?
>
> MWD.