Announcement

Collapse
No announcement yet.

OSFClone artifacts

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • OSFClone artifacts

    Hi,

    I apologize if this question has been already been answered but my search of the forum didn't turn anything up. I'm interested in using OSFClone to create a forensic image that can stand up to a court challenge.

    If I boot a subject computer with OSFClone, what artifacts, if any, will doing so leave on the subject computer drive?

    Thank you,
    Mark

  • #2
    OSFClone uses Tiny Core Linux as the base OS. During boot, Tiny Core Linux does not automount any connected drives on the system. When imaging, you specify a source drive/partition and a destination location. The source will be mounted as Read Only and the destination will require it to be mounted with write permissions. So in theory, as long as your destination drive is not one of your subject's computer drive, there should be no artifacts left.

    However, if you are serious or concern about contamination of the evidence, you would be best to invest in a physical write blocker.

    Comment


    • #3
      I have a write blocker and use it when I can remove a subject for imaging. Unfortunately, there are some situations where I can't remove the drive and need to acquire the image by booting from a flash drive. When doing so, there is a need to know the impact of booting from the flash drive, so your information is helpful.

      Thank you,
      Mark

      Comment

      Working...
      X