Free tool with Windows for Robust File Copy Performance and generating forensic logs

Posted on by

In working with customer engagements across the nation for small and medium sized cases, we have noticed that clients when performing their own self collections often use the standard windows file copy instead of using a more forensically sound method with Robust File Copy (robocopy.exe), that comes free with Windows 7 and was developed by Microsoft employees.

Note that SafeCopy from PinPoint Labs uses the robocopy engine to preserve directory and file name time stamps, and metadata (author, modification date, security and auditing attributes), and improve performance with the multi-threading option, which says something for the tool given that SafeCopy was recently ordered for use in a case by a federal Magistrate.

eForensic Collection (with logging)

This section explains a free self help utility that can help keep a proper chain of custody when clients choose to do a self collection by keeping forensically sound log files.

robocopy.exe /? – shows the help and all available options.  with GUI (similar in features to robocopy, but not based on it)

Quick Tutorial video on YouTube

Simply cut and paste from below into a command prompt window (cmd.exe) which comes with Windows 7.

Perform a complete copy with defensible logs

The example below copies all of the files from the <d drive>, including recursive sub directories, and will list the results into the current director in filecopy.txt.   To enhance performance, the command below kicks off 128 simultaneous copying threads.  The /TEE option shows the output to the console in addition to the logging performed.

robocopy e: . /COPY:DATD /E /V /TS /FP /BYTES  /ETA   /R:1000000 /W:30 /LOG:filecopy.txt /MT:128 /TEE

Take Inventory of Directories

This is helpful for documenting workstations/custodians that belong to data backed up or on a file server.  The output can easily be put into a spreadsheet for making comments and assigning the custodian who was in charge of a particular source of data.

The options below takes a listing from the <d drive> and omit file names being listed, and provide a concise summary of the most important directory (5 levels deep which can be changed).   Output is put into the current directory in directorylist.txt.

robocopy d: . * /NFL /L /S /E /COPY:DAT /LEV:5 /R:1000000 /W:30 /LOG:directorylist.txt

Making an Incremental Backup

As a bonus, you can also use robocopy.exe to create incremental supplementation using the /MAXAGE parameter.

 

Recent Related Posts