4n6pi

4n6pi is a forensic imager for disks, designed to run on a Raspberry Pi powered by libewf. It provides a simple and portable solution for creating disk images in forensic investigations.

Features

• Easy setup using a configuration stick
• Automated imaging process
• Visual status indication via Raspberry Pi’s ACT LED / optional LCD display
• Automatic VPN connection through wireguard, just drop the wg0.conf onto the config stick
• LAN connection via Ethernet or Wifi
• Console access via UART
• @geerlingguy ‘s modified version of rpi-clone for cloning to PCIe connected SSD
• Acquire modes:
• Disk Mode (creating .E01 image on external hard disk)
• S3 Mode (creating .E01 image on internal SSD/SDcard and pushing to S3 bucket)
• NFS Mode (creating .E01 image directly on NFS share)

Requirements

• Raspberry Pi 5
• USB storage device for configuration file
• Power supply for Raspberry Pi
• (Recommended for S3 mode) PCIe SSD Base / HAT
• (Recommended for Disk Mode; providing dedicated USB power) USB 3.2 Gen1 HUB HAT from Waveshare

Setup and Usage

1. Create a configuration stick:
   - Download and run create-configstick.sh from this repository
   - Modify Imager_config.yaml as needed

2. Burn the image to an SD card:
   - Due to GitHub’s file-size limit of 2GB, you can download it from my Proton Drive.
   4n6pi-5-v1.img \
   SHA256 Checksum : 3c998d668368b377e71e52a0f684ee87187992f534cba50d705e20bf2044b0e0 4n6pi-5-v1.img
   - Use Raspberry Pi Imager to set hostname and console password (default hostname: 4n6pi / username: pi , password: 4n6pi)

3. Prepare the Raspberry Pi:
   - Insert the configuration USB stick into a USB2.0 port
   - Power on the Pi and wait for the green ACT LED to turn off

4. Connect the target disk:
   - Connect the target disk to the top USB3.0 port
   - For Disk Mode, use bottom USB3.0 for destination disk
   - When using Waveshare USB HAT, refer to the image below:

5. Start imaging:
   - Process starts automatically
   - ACT LED blinks during imaging

6. Monitor progress:
   - Wait for ACT LED to stop blinking

Status Indicators

• Solid green ACT LED: System booting
• LED off: System ready or imaging complete
• Blinking green ACT LED: Imaging in progress

LCD display (if connected) will show current state.

Troubleshooting

If issues occur:
- Check all connections
- Verify configuration stick creation
- Login via ssh (ssh-key needed) or via console to check system logs at /var/log/acquire.log and /var/log/handler.log

Contributing

Contributions welcome! Submit pull requests or open issues for improvements or bug reports.

Acknowledgements

Thanks to all contributors, especially:
- @andrewkempster for testing and verifying forensic soundness
- Nufi for valuable ideas and suggestions

Disclaimer and License

4n6pi is provided as-is, without any warranty. Its methodology has been vetted by forensic experts to be forensically sound, but always verify the integrity of your images using appropriate forensic tools and procedures.

4n6pi is free software, distributed under the GNU General Public License v3 or later. You can redistribute and/or modify it under the terms of this license. While I hope it’s useful, it comes with no warranty or guarantee of fitness for any purpose. For full license details, see https://www.gnu.org/licenses/.

Support the Project

If you find this project useful, consider buying me a coffee. Thank you!