We were excited to find out that Forward Discovery, a forensic training and consulting firm, will be offering free CDs with its Raptor imaging software to all conference attendees! In addition, they’re offering as door prizes five 4GB credit card-style USB drives containing Raptor. These drives can boot every computer except Intel-based Macs, so whoever gets a drive will have an easier time imaging in the field.
We talked more with Forward Discovery senior forensic consultant Ryan Johnson about Raptor and why his company chose to sponsor the conference in this way:
HTCIA: What is the advantage of a Linux imaging tool over one that is Windows-based?
RJ: Linux deals with media differently than most other operating systems. Raptor, which is based on Ubuntu Linux, doesn’t mount file systems unless it is told to do so. Many other operating systems, however, mount and write to everything that they recognize. When using Linux, there are no little Recycling Bin or .DS_Store files that are written to the suspect media.
HTCIA: How easy is Raptor for newer forensic examiners to get to know?
RJ: Very easy. It was designed so that all the necessary functions were presented in a simple user interface. From the Raptor toolbox an examiner can wipe drives, format drives, image drives and conduct basic searches for file types of interest. It gives the examiner the capability to image most devices without having to pull hard drives or bring write blockers, and can image to the most common forensic file types such as E01 and DD.
HTCIA: Does it help corporate incident responders as well as law enforcement examiners?
RJ: While many incident responders (like us) use Raptor for imaging purposes, it isn’t a live imaging tool. It is really meant for imaging “dead boxes”, that is, computers that are currently off, or can be restarted and booted to the Linux environment.
HTCIA: I understand that hardware write-blockers have been the preferred standard for many years. Is write-blocking software gaining more acceptance among forensic professionals and in court? How and why?
RJ: It’s not always necessary or even efficient to pull hard drives. If you do that, 100 hard drives means you’d need 100 write blockers. Or, if you don’t have 100 write blockers, then you have to do the imaging in stages. But if you take 100 Raptor CDs (or USB cards) and you have 100 destination devices, you can image 100 hard drives at the same time.
Of course, it’s not a replacement for hardware write-blockers, but it is just as effective and more efficient for the situations which demand it.
HTCIA: Is this your first year sponsoring? Why did you choose to sponsor the conference by distributing Raptor?
RJ: We wanted to provide something for everyone to walk away with. While everyone is able to download copies of Raptor for free, this allows them to get a copy without having to burn it to CDs themselves. We’re giving away the most up-to-date version, and we think everyone will find it useful; it’s one of the better Linux-based tools you’ll be able to find for free.
In addition, we are giving away 5 of our Raptor USB drives. These drives are able to boot to the Linux OS much faster than by CD.
Conference attendees also have the option of getting 10% off our 3-day Cellebrite course, or our 5-day multi-tool mobile device forensics class. It’s a great way for those who miss Cellebrite’s lab to still get their training.