How to Create Forensics Image of PC using R-Drive Image

R-Drive Image is a powerful utility that creates disk image files for backup or duplication purposes. A disk image file contains an exact, byte-by-byte copy of a hard drive, partition or logical disk. It can be created on the fly with various compression levels, without stopping Windows and therefore without interrupting your business. These drive image files can then be stored in a variety of places, including removable media such as CD-R(W)/DVD, Iomega Zip or Jaz disks, etc.

R-Drive Image Features

A simple wizard interface – no in-depth computer management skills are required.

On-the-fly actions: Image files are created on-the-fly, no need to stop and restart Windows. All other disk writes are stored in a cache until the image is created. Data from image files are restored on-the-fly as well, except on a system partition. Data to the system partition can be restored either by restarting R-Drive Image in its pseudo-graphic mode directly from Windows, or by using specially created startup disks.

Image files compression. Image files can be compressed to save free storage space.

Removable media support. Image files can be stored on removable media.

Startup version. A startup version can be used to image / restore / copy partitions locked by the OS. The computer can be re-started into the startup version either directly from Windows, or from an external USB device, a CD/DVD disk, or 6 floppies. The startup version can use either a graphic user interface, or a pseudo-graphic mode, if the graphic card isn’t supported. Support for UEFI boot for modern computers.

USB 2.0 and 3.0 support in the startup version. With hard drive prices constantly going down, an external IDE-USB 2.0 or 3.0 HDD case with an appropriate hard drive is an ideal (fast and reliable) solution for storing backup files for system and other partitions that can be restored only in the startup version. There is no longer any need to use numerous unreliable CD discs and slow CD/DVD recorders. Remember: with incremental backup, this hard drive does not need to be very large.

Network support in the startup version. R-Drive Image startup version supports disk image file creation and restoration over the Microsoft network (CIFS protocol).

Extended list of supported devices in the startup version. The list of hardware supported by R-Drive Image startup versions has been extended.

An image file can be connected as a read-only virtual disk. Such a disk can be browsed, and files/folders can be found and copied.

Individual files and folders restoration. Individual files and folders, rather than an entire disk, can be restored either during the restoring action or from an image file connected as a virtual disk.

Image files splitting. Drive images can be split into several files to fit a storage medium.

Image Protection. Disk image files can be password-protected and contain comments.

New partition creation. Data from a disk image can be restored to free (unpartitioned) space anywhere on a hard drive. The size of the restored partition can be changed.

Partition replacement. Data from a disk image can be restored on other existing partitions. R-Drive Image deletes such partitions and restores data on that free space.

Disk to Disk copy. An entire disk can be directly copied on another one.

Image files verification. You may check if your image files are good before you store them or restore data from them.

Scheduler. A time for disk image creation may be scheduled and the process can be run in unattended mode.

Script creation for frequent or unattended actions. Scripts for creating an image file and for appending data to an existing image file are created from the R-Drive Image interface in the same way the actual action is performed. Scripts are executed from a command line, and such a command can be included in any command file.

Action Report. When a disk image is successfully created or the action fails, a report can be sent automatically by e-mail or an external application can be launched.

Support for the ReFS file system (Resilient File System), a new local file system Microsoft has introduced in its Windows 2012 Server. All disk actions are supported, except partition resizing.

Full support for the GPT partitioning layout. R-Drive Image can create GPT disks, resize them, and change their partition layout during copy/restore operations.

Support for Windows Storage Spaces (Windows 8/8.1 and 10), Linux Logical Volume Manager volumes, and MacRAIDs.

First, download R-Drive Image from here and install it on your PC.

Now open R-Drive Image and click Create an Image.

Select the drive you want to image, then click Next.

You may select all objects on a hard drive by clicking the hard drive icon. It will show the marked hard drive.

Select the place on the Image Destination panel to which the image files will be written, specify the file name, and click the Next button.

If you try to append data to a password-protected image file, the Password prompt message will appear. Enter the password and click Next.

Click Next.

Verify that the information on the Processing panel is correct and click the Start button.

How to Restore Backup

Click Restore from an Image on the Action Selection panel.

Select the file with the image on the Image File Selection panel and click the Next button.

Select the object in the image file on the Image Object Selection panel, select a destination, and click the Next button.

Now click Next.

Click Start. The restore process will begin and the drive will be restored to your PC.

Author: Mukul Mohan is a Microsoft Certified Systems Engineer in security and messaging. He is a Microsoft Certified Technology Specialist with a high level of expertise in handling server-side operations on the Windows platform, and an experienced IT technical trainer with over 20 years of technical training experience. You can contact him at mukul@ignitetechnologies.in