WIM image for Forensic?


Dejan Kraljevski

Nov 18, 2012, 8:08:45 AM
to datarecovery...@googlegroups.com
Hi,
I just received a call from a company that uses WIM images for imaging laptops. The question is: is it possible to use those images for forensic investigation? Or is it possible, with some settings in Windows, to create a forensic WIM image?
I was searching Microsoft web sites and didn't find the answer.
Thanks in advance.
Dejan

Networks

Nov 18, 2012, 10:40:00 AM
to datarecovery...@googlegroups.com
I will take a swing at this with you. WIM images are file-based, so no un-deleted data would be collected. Forensic images get deleted data, slack space, etc.; it's a bit image of every sector on the drive. (Please forgive me if this info is already known.) I will assume they have a master WIM image to image to a laptop for each new user to use. I would focus on getting a forensic image of the laptop hard drive itself. Of course, you can investigate the master WIM image. I guess more info is needed to better understand the dynamics of this job.

http://en.wikipedia.org/wiki/Windows_Imaging_Format

Jim


Dejan Kraljevski

Nov 18, 2012, 11:11:46 AM
to datarecovery...@googlegroups.com
Thanks for confirming this one for me.
They use Deployment Server to make an image and then to re-image laptops. The procedure works fine but is not suitable for sector-to-sector imaging. They will need to implement DD imaging.



Networks

Nov 18, 2012, 11:36:43 AM
to datarecovery...@googlegroups.com
They are using the deployment server to "image" existing machines or just to re-load laptops or desktop computers after a virus or malware infection. I am just trying to get why they need dd images for new image deployments?

Jim


On Sun, Nov 18, 2012 at 11:11 AM, Dejan Kraljevski <dejan.kr...@gmail.com> wrote:
Thanks for confirming this one for me.
They use Deployment Server to make an image and then to re-image laptops. The procedure works fine but is not suitable for sector-to-sector imaging. They will need to implement DD imaging.

Dejan Kraljevski

Nov 18, 2012, 1:14:20 PM
to datarecovery...@googlegroups.com
They will use DD image for forensic cases inside the company.
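
The thread settles on sector-to-sector dd imaging for forensic cases. The following is an added example, not part of any post in the thread, showing a dd acquisition that logs SHA-256 hashes of source and image and can re-verify the image later. The function names, file names and the stand-in "disk" file are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: block-level acquisition with dd plus hash verification.
# Function names and the stand-in "disk" file are assumptions for illustration.

sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# acquire_image SRC DST: copy every block of SRC to DST and log both hashes.
# Returns non-zero if the copy fails or the hashes differ.
acquire_image() {
    src=$1; dst=$2
    if [ ! -r "$src" ]; then echo "cannot read $src" >&2; return 2; fi
    if [ -e "$dst" ]; then echo "refusing to overwrite $dst" >&2; return 2; fi
    src_hash=$(sha256_of "$src") || return 1
    # No conv=noerror,sync: a read error aborts the copy instead of padding
    # the output, so a completed image is a true copy of the source.
    dd if="$src" of="$dst" bs=1M 2> "$dst.log" || return 1
    img_hash=$(sha256_of "$dst") || return 1
    printf 'source=%s\nsource_sha256=%s\nimage_sha256=%s\n' \
        "$src" "$src_hash" "$img_hash" >> "$dst.log"
    chmod a-w "$dst" "$dst.log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image DST: re-hash the image and compare with the logged value.
verify_image() {
    logged=$(sed -n 's/^image_sha256=//p' "$1.log")
    [ -n "$logged" ] && [ "$(sha256_of "$1")" = "$logged" ]
}

# Demo on a constructed 3 MiB stand-in file; on a real case SRC would be the
# write-blocked source device (for example /dev/sdX, a placeholder).
demo() {
    work=$(mktemp -d) || return 1
    head -c 3145728 /dev/urandom > "$work/disk.raw"
    acquire_image "$work/disk.raw" "$work/evidence.dd" && verify_image "$work/evidence.dd"
    rc=$?
    rm -rf "$work"
    return $rc
}

demo && echo "image acquired and verified"
```

Because the copy is taken from the device rather than from the file system, it includes unallocated sectors and slack space that a file-based WIM capture does not collect.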

