[Pauldotcom] foremost and data forensics
Jim Halfpenny
jim.halfpenny at gmail.com
Tue Jan 19 15:01:06 UTC 2010
You can image in "realtime" using a tool like FTK Imager. For best results,
you are best imaging the drive without the native OS running, e.g. using a
boot CD like Helix, since actively using the disk could result in the data
you want to recover being overwritten. It's a balance of the value of
the data versus the disruption of shutting the machine down now.
Jim
2010/1/19 Monkey Daemon <monkeywebdaemon at googlemail.com>
> So can I image the partition in "realtime" or do I need to take the
> server off-line and boot from a live cd?
>
> MWD.
>