Image hard drives for e-discovery or backup with PING


PING (Partimage is Not Ghost) is a Linux-based LiveCD for backing up your system by making an image of the hard drive (or smaller partitions, if you have them). In other words, you boot a simplified version of Linux from the CD drive. It doesn’t matter what operating system you normally use on the computer: just pop the CD in the drive and turn the computer on. It allows you to make an exact copy of any drive or partition on the computer without booting up the operating system on the computer (which can alter the data). It just copies everything to a file that you can store anywhere and that should adequately preserve electronic evidence on a small scale.

Most importantly, it is easy enough to use that you should be able to burn a copy to CD and send it home with your client (with an external hard drive for the image file) so that they can make the hard drive image themselves, which keeps you out of the chain of evidence. (Don’t make this decision without carefully considering the issues and the disadvantages of doing it yourself.)

PING is also a fantastic backup tool. Unlike a regular backup, PING makes a copy of the drive. If you just back up your files and your computer dies, you have to re-install Windows, update it, install all your software, and then restore your files once you are back up and running. With PING, just restore the image to the new hard drive, re-activate Windows, and go. You’ll save hours (or days) of recovery time.

[photo: Chance Agrella]

  • Michael Trittipo

    You wrote:
    “It allows you to make an exact copy of any drive or partition” and that it “copies everything to a file . . . that should adequately preserve electronic evidence on a small scale.”

    Maybe the words “adequately” and “on a small scale” are meant to cover what I’m going to write next, Sam; but the words “exact” and “everything” aren’t quite right, I believe. Unless I’m wrong, partimage (the program referenced in PING’s acronymic name) doesn’t copy _everything_. It copies only what’s being currently _used_ and considered “live.” That’s fine for backup. But I question whether it’s good enough for evidence preservation. Some would say that evidence preservation requires preserving unallocated and slack space, swap, etc. Those are one reason to use “dd” instead of “partimage”: “dd” copies all that, too. I grant you that “dd” is not something any lawyer would ever want to try to tell a client how to use. :-)

  • Sam Glover

    I hope I made clear that this is not a forensic tool: “Don’t make this decision without carefully considering the issues and the disadvantages of doing it yourself.” As far as I know, PING does not make a bit-for-bit copy of the drive or partition.

    Attorneys have to use their own judgment as to when a tool like PING or TrueImage is a viable alternative to doing nothing at all, if the client cannot afford to pay for forensic preservation, or when PING might be sufficient in any case.

  • johhnycockran

    “so that they can make the hard drive image themselves, which keeps you out of the chain of evidence”

    would you be considered an accessory then since you provided them the tools? sneaky slimeball lawyers lol
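
The distinction raised in the first comment (used blocks only versus a bit-for-bit copy), shown as an added example that is not part of the original post or of PING/partimage. The 8-block "disk", the allocation list and the marker string are constructed, and `image_used` is a simplified model of a used-blocks-only imager, not partimage's actual image format.

```shell
#!/bin/sh
# Constructed model: an 8-block "disk" (512-byte blocks). Block 1 holds a live
# file; block 5 holds leftovers of a deleted file (unallocated space).
BS=512
BLOCKS=8
USED_BLOCKS="0 1 2"            # constructed allocation list, not read from a real filesystem
RESIDUE="DELETED-MEMO-2006"    # constructed marker for deleted-file remnants

make_disk() {  # $1 = path of the stand-in disk
    dd if=/dev/zero of="$1" bs=$BS count=$BLOCKS 2>/dev/null
    printf 'live file data' | dd of="$1" bs=$BS seek=1 conv=notrunc 2>/dev/null
    printf '%s' "$RESIDUE"  | dd of="$1" bs=$BS seek=5 conv=notrunc 2>/dev/null
}

image_full() {  # bit-for-bit copy, as dd does: $1 = source, $2 = image
    dd if="$1" of="$2" bs=$BS 2>/dev/null
}

image_used() {  # copies only blocks marked allocated; everything else becomes zeros
    dd if=/dev/zero of="$2" bs=$BS count=$BLOCKS 2>/dev/null
    for b in $USED_BLOCKS; do
        dd if="$1" of="$2" bs=$BS skip="$b" seek="$b" count=1 conv=notrunc 2>/dev/null
    done
}

digest()      { sha256sum "$1" | cut -d' ' -f1; }   # hash used to verify an image
has_residue() { grep -q "$RESIDUE" "$1"; }          # is the deleted data still there?

demo() {
    dir=$(mktemp -d) || return 1
    make_disk  "$dir/disk.img"
    image_full "$dir/disk.img" "$dir/full.img"
    image_used "$dir/disk.img" "$dir/used.img"
    for f in disk full used; do
        if has_residue "$dir/$f.img"; then r=present; else r=missing; fi
        echo "$f.img  sha256=$(digest "$dir/$f.img")  deleted-file residue: $r"
    done
    rm -rf "$dir"
}
demo
```

Only the full copy hashes identically to the source, which is what lets an examiner later show the image matches the original drive.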