9 replies to this topic

[misty]

This is a continuation of a discussion started here. This forum is blessed with both talented and accommodating developers - thanks for your efforts so far - all of you

@erwan.l
If you are up for the challenge of creating a Forensic imaging tool then I'd suggest that you look at Colin Ramsden's Write Protect Tool (WProtect.exe - see here) as a starting point. Colin has done a simply amazing job of packing such a large amount of features into such a small (40 kb!) application. If you could create a tool with similar features + imaging capabilities that could be run as a shell - I might just kiss you. Provided you are ever in my neighbourhood. In which case I'll be out until you leave

My wish/feature list would be -

• Dependancy free for use in WinFE
• A warning if you close the program as this will end the WinFE session if it's being run as the shell (e.g. Are you sure you want to end this session? YES/NO)
• Commandline support to set all disks as offline and readonly - to be used in winpeshl.ini
• Option to toggle read/write so that the evidence disk can be saved to external media - which would not be possible if the disk write protection can't be removed
• Mount selected drive(s) - allocating a drive letter
• Launch cmd.exe (for advanced usage - maybe hide)
• Add drivers for unsupported hardware
• Image (preferably with compression option(s)) to file
• Option to capture whole disk or volume
• Hash check to verify image against disk/volume captured
• Mount disk image
• Remove everything else not required for imaging

I can but dream!

Regards,

Misty

[erwan.l]

Hi Misty,

 

I happen to travel a lot in UK actually (I work for UK company) so be careful what you wish for

 

About wprotect, I took a look and apart from the "add driver" button, you should find all other functions in CloneDisk already.

 

-Dependency free : should be the case already but I need check for real

-Warning when closing : i can think of it.

-Command Line support : there already but I need to refresh/review it.

-Toggle read/write & offline/online : already there, I just need to add it to the command line

-Mount drive : you mean assign a letter to a volume. Already there but lost in the advanced tab

-Launch CMD : easy

-Add drivers : not so easy ...

-Imagind : already there (I use WIM for compression)

-Whole disk or volume : already there

-Hash : indeed, it should be part of CloneDisk for a while actually. easy.

-Mount image : i could but there are so many excellent tools out there I am not sure I should go that path

-Remove everything else : I could make a "lite" version of CloneDisk very easily

 

So not a dream but pretty close to reality actually

 

Cheers,

Erwan

 

PS : can I trade a kiss for a beer?

[misty]

Hi erwan.l,

I am already thinking of retracting my offer - however a beer would be a very acceptable alternative - and probably a lucky escape for both of us!

I was aware that a number of the features I suggested are already available - the advantage of a forensic focused build could be an opportunity to make them easier to find as so many of the other features would not be required and could be removed from the GUI.

And (limited) driver support could be easier to implement that you think as you could merely use a wrapper to launch drvload.exe - I'm not sure if this is included in all WinPE versions, but can check if you want.

Thanks for the response and your time and efforts.

Regards,

Misty

[Wonko the Sane]

If I may make a wish, supplemental to that above, it would be the possibility of doing a MD5 hash of the whole disk minus the first sector.

And we also need (but this is off-topic) a grub4dos executable (or batch ) capable of MD5 hashing a single sector.

 

 

Wonko

[erwan.l]

@Misty : about imaging : what is to achieve exactly?

 

If it is to view and/or extract files from a img/wim/iso/vhd etc, then actually my code is ready.

I was to add to it to CloneDisk but the featuritis discussion with Wonko got me thinking twice before adding an extra feature (again ).

 

Regards,

Erwa,

[misty]

@Misty : about imaging : what is to achieve exactly?

In regards to forensic usage then it would be to capture the contents of a disk to a file - preferably a raw type disk image (with optional compression - WinHex for example gives the option of saving as a SPARSE file or as NTFS compressed). Raw type disk images offer compatibility with a wider range of software and will also include deleted files and unpartitioned space. I doubt that the wim format would be of much use in forensics due to it being a file based backup method - deleted files and unpartitioned space may contain evidence that would be lost. A fixed type vhd might be ok as it's easy to mount in Windows 7 upwards and if memory serves the header can be removed to allow it to be mounted as a raw disk.
 

If it is to view and/or extract files from a img/wim/iso/vhd etc, then actually my code is ready.

That would be an added bonus
 

...I was to add to it to CloneDisk but the featuritis discussion with Wonko got me thinking twice before adding an extra feature (again ).

Didn't Wonko actually ask you to add some features recently - here

Regards,

Misty

[erwan.l]

Added a md5 hash function in latest version (will add a "skip 1st sector" later on).

 

Also, in config.ini, the ability to add a parameter to hide (for good) the advanced menu.

Idea it simplify (first steps of several to come).

 

Next version, still thru the config.ini, will enable one to show/hide each feature currently on the right side thus stripping CloneDisk to his own need.

[Wonko the Sane]

 
Didn't Wonko actually ask you to add some features recently - here

Sure he did (and BTW he asked for a lot of features in the past, specificallly for Clonedisk) .  It is a common way to diagnose featuritis, a technique that we highly specialized technicians call in jargon, "Bait 'N' Wait".

I am pretty sure that there is nothing bad in having more features, the issue/difficulty is only - often - how to integrate more than a few of them in an interface that it is "ergonomic" or "intuitive" (which does not necessarily mean "easy" or "for the dummies" or "no features").

I would say that managing to make *any* app "user friendly" in such a way is one of the most difficult part of writing a program, erwan.l (set aside his abilities in the "pure" programming part) has made a very nice app , but "with great power comes great responsability" (and no this is not a Spiderman quote , it's pure Voltaire, a most respected Erwan.l's fellow countryman )

 

 

Wonko

[erwan.l]

In latest version on can disable pages and/or buttons in the right side (outlook) bar.

 

With the config.ini below, I strip CloneDisk to its bare minimum : backup / restore / clone, all other pages and buttons are gone.

The advanced screens are also removed from hide_advanced=1.

 

That leaves 3 possible actions only versus the over 60 possible actions originally.

[options]
hide_advanced=1
[outlookbar]
;you can disable a page
volume=0
disk=0
virtual disk=0
;or you can disable buttons
copy files=0
backup to devio=0
restore from devio=0

Attached Files

•  clonedisk_min.png   167.21KB   0 downloads

[misty]

Hi Erwan,

Sorry for the slow response. Thanks for the work so far done - it looks very promising. I am hoping to start some testing after the bank holiday as I'm away at the weekend with the family. I was planning on waiting until I have enough storage space to test actual hardware, however Wonko has been putting me straight on the merits of using disk images for testing disk imaging!


 

...It is a common way to diagnose featuritis, a technique that we highly specialized technicians call in jargon, "Bait 'N' Wait".