



Just what I need in my spare time, a project to create a spreadsheet on disc size and the various compression sizes in relation to capture times for EnCase images using Linen, FTK Imager, ProDiscover, etc. I really had hoped to find some sort of paper from Guidance (they write papers on everything else) with specifics about the compression of EnCase images. Well actually I have not seen any figures on size savings. Guidance suggest that you could achieve 50% compression 'on average', but your mileage may vary. There is also the consideration where the more compression used the greater the amount of time required for the capture. I was considering rewriting to include EnCase rather than DD as the capture format because of the compression, but have not been able to determine the amount of savings that could be achieved. I had up to now not been presented with needing such an exact calculation. The RFP now wants specifics on the amount of space required for the images. My original SoW just had a list of drives slightly larger than the original source drives.

Part of the revised RFP is a calculation of the drive space required for capturing all the machines. I am actually rewriting a Scope of Work in response to an RFP.

A wiped 300Gb drive with a basic installation of Windows could give a relatively tiny image, but a 300Gb drive crammed full of data will give a big image. If you are creating an image file using 'dd' you will also need to consider that the storage drive will not take as much data as it says on the tin given partitioning and any file size limits if you segment the image etc. (sorry if that's sucking eggs!!)

As for EnCase images, whether you are using EnCase or FTK Imager you can compress, but there is no ratio that you can work on because it all depends how much data is on the target.

In fact some of the GUI programs that act as front ends for 'dd' also write you a text file out with the details of the acquisition, so for a 300Gb target you will need that amount of space, plus the size of the text file. 'dd' gives you a block by block copy, so will be the same size as the target, unless you pass it through some sort of compression utility. I don't think there is any calculation you can do to work out image size.
