11-27-2019, 05:10 PM
The first step is to create a clone, to be sure the information on the original disk remains untouched, so we will use the cloned disk for all the forensic operations we will do. To make a clone there are Linux distros made for that operation, like Deft or CAINE (this distro is used by law enforcement). You can also use any Linux distribution, but why rely on a non-specific distro? The two I mentioned are free and have the option to mount a disk as read-only, and most important is the possibility to use them without installing, because they can be run from a live medium. Here are the official sites:
Why do you need a clone? Simple. You need a clone because in that way you can do all the forensic tasks, and if something goes wrong you will not make the evidence invalid for the court. The evidence is useless if you can't use it in court.
Code:
CAINE:
https://www.caine-live.net/
Deft:
http://na.mirror.garr.it/mirrors/deft/
http://na.mirror.garr.it/mirrors/deft/zero/ (This is the updated version of the distro)
Demonstration of the use of guymager:
https://www.youtube.com/watch?v=OzfpSILHuhQ
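The procedure the post describes, imaging the disk and then working only on the copy, as an added shell example that is not part of the original post and is not CAINE's, Deft's or guymager's own tooling: it images a source with dd, hashes source and image with SHA-256, records both digests next to the image for the chain of custody, and can re-verify the image later to show it has not changed. The sample "disk" is a constructed 1 MiB file; the device and mount paths in the comments are hypothetical.

```shell
#!/bin/sh
# Forensic-style imaging with hash verification (added example, not from
# the original post). Assumes a Linux/Unix host with dd, awk and sha256sum
# (or shasum). Against a real disk, run as root with the disk behind a
# write blocker or attached read-only, e.g.:
#   clone_and_verify /dev/sdb /mnt/evidence/case01.dd      # hypothetical paths
# and later examine the copy read-only, never the original:
#   mount -o ro,loop /mnt/evidence/case01.dd /mnt/ro        # hypothetical paths
set -e

sha256_of() {
    # Print the SHA-256 hex digest of a file or block device.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

clone_and_verify() {
    # $1 = source device or file, $2 = destination image path,
    # $3 = optional dd block size (default 512).
    # Returns 0 when the image hash matches the source hash, 1 otherwise.
    src="$1"; img="$2"; bs="${3:-512}"
    # conv=noerror,sync keeps going on read errors and pads unreadable
    # blocks with zeros so offsets in the image still line up with the
    # source. Because conv=sync pads to a whole block, bs must divide the
    # source size (512 always does for a sector-addressed disk), or the
    # image gains trailing zeros and the two hashes will not match.
    dd if="$src" of="$img" bs="$bs" conv=noerror,sync 2>/dev/null
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    # Record both digests beside the image; this is what you show in court
    # to prove the copy is bit-for-bit identical to the original.
    printf '%s  %s\n' "$src_hash" "$src" > "$img.sha256"
    printf '%s  %s\n' "$img_hash" "$img" >> "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

verify_image() {
    # Re-hash an image and compare it with the digest recorded at
    # acquisition time. Returns 1 if the image changed or has no record.
    img="$1"
    recorded=$(awk -v f="$img" '$2 == f {print $1}' "$img.sha256")
    [ -n "$recorded" ] && [ "$(sha256_of "$img")" = "$recorded" ]
}

make_sample_disk() {
    # Constructed stand-in for a disk: 1 MiB of random bytes (2048 sectors).
    dd if=/dev/urandom of="$1" bs=512 count=2048 2>/dev/null
}
```

Run the whole thing on a real case with the destination on a separate, larger disk than the evidence, and keep the `.sha256` file with the image: the second digest is what you recompute with `verify_image` every time the image is handed over or before it is presented.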