Where to save the image of disk and of ram in live forensics

(@bsg819)
Posts: 19
Active Member
Topic starter
 

Hi,
While performing live forensics, what is the ideal place to save the image of the hard disk that is created?
Also, where should the data recovered from the RAM, or its image, be saved?

The live forensics is being performed from a pendrive or CD…

A guide on live forensics would be really appreciated :)

 
Posted : 18/12/2012 1:48 pm
(@belkasoft)
Posts: 169
Estimable Member
 

You'll have to save the image of the device (be it a hard drive or a live RAM image) on your own media; otherwise, you will be inevitably altering the content of the computer you are acquiring. A hot-pluggable external device (e.g. USB enclosure) usually works best for such purposes.

 
Posted : 18/12/2012 2:58 pm
(@bsg819)
Posts: 19
Active Member
Topic starter
 

Yeah… but carrying an external HDD of 1 TB, or what if the HDD is above that? And is it OK to plug in an external device during live forensics, because won't it alter the victim's system?

 
Posted : 18/12/2012 3:04 pm
(@randomaccess)
Posts: 385
Reputable Member
 

Yes, but if you're trying to get data off a live system you're going to be making changes. You just need to be able to account for them.

So if you plug in a USB hard drive you know that it'll add data to the registry, setupapi etc; but you write that in your notes.

I haven't used F-Response, but that's an alternative for an over-the-network acquisition. Otherwise, plug in some sort of hard drive storage device to store your RAM dumps and HDD images if necessary.
Even the act of taking a RAM dump by its nature alters the state of RAM, because the program has to be loaded and could overwrite some important information.

 
Posted : 18/12/2012 4:08 pm
(@bsg819)
Posts: 19
Active Member
Topic starter
 

Also, is transferring the image through the network a good idea compared to a USB device?
What, according to you guys, is the better option?

 
Posted : 18/12/2012 4:20 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Also, is transferring the image through the network a good idea compared to a USB device?
What, according to you guys, is the better option?

I covered this in "Windows Forensic Analysis 2/e", but I'll summarize it here…

The problem with "best practices" or a "better option" is that too many times, responders are looking for someone to do their thinking for them. What is best for one infrastructure, or even one system in an infrastructure, may not be "best" for another…in fact, it may have a significant detrimental impact on that system.

One thing that responders fail to realize is that any action that they take, even inaction, will have an effect on the system. Sometimes that effect may be nothing more than them leaving their footprints. In the case of inaction, critical processes may complete and their remnants be unrecoverable in relatively short order.

I've imaged a good number of live systems in my time. Sometimes, they're easy to do…plug in a USB external drive with enough space on it, fire up your tools and away you go. Sometimes, this is absolutely necessary…a laptop with an encrypted drive is one example.

I've also seen systems in data centers that have offered challenges. I had to acquire a boot-from-SAN device live; there were 8 SCSI bays in the system for a RAID array, but I knew they were SCSI because the drives were not in the bays…the system was booted from a SAN device via fiber channel. I've encountered systems that had USB 1.0 ports, so we mapped a drive from a system with USB 2.0 that was on the same subnet, and imaged to that drive.

Now, I know that some folks are going to say, "OMG! That's not 'forensically sound'!!" But what is 'forensically sound', particularly when you consider that in every case, there was no other way to acquire the data? You can't get a memory dump from a system that you've already shut down. If the 'customer' tells you that you can't take the system down and remove the drives, or if it's a particularly picky RAID array, or if the 'customer' tells you that you can only acquire the C:\ volume…what are your options?

'Forensically sound' and 'best practices' all boil down to one thing…documentation. Did you document what you did to the point where (a) your actions are repeatable, and (b) to the point where any analyst can separate your actions from other artifacts on the system?

So, back to the OP's question…which is the better option? Well, it depends on a great deal. I would not recommend imaging a system that contained PII, PHI, or PCI data (or sensitive data of any kind, regardless of definition) over a publicly accessible network. However, if you're able to image over the network to another system on the same subnet, then fine. Choosing to image over the network because you need to acquire the data *NOW* and you don't have an external drive of the appropriate size is simply something that you document.

I'll say it again…regardless of the option that you choose, one thing that is not a choice is your documentation.

 
Posted : 18/12/2012 5:35 pm
(@bsg819)
Posts: 19
Active Member
Topic starter
 

Thanks a lot… really appreciate your answer.
My point here is that I am an absolute noob as of now.
So if I perform live forensics on a Linux machine, I'd rather get an external HDD to save the image?
Also, if a Linux machine is on, what according to you would be the best software to use to acquire the data?

 
Posted : 18/12/2012 7:47 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Thanks a lot… really appreciate your answer.
My point here is that I am an absolute noob as of now.

Understood.

So if I perform live forensics on a Linux machine, I'd rather get an external HDD to save the image?

Please re-read my earlier response…it is up to you. If the Linux box you're going to acquire data from doesn't have any USB ports, my "yes" answer would kind of be irrelevant, wouldn't it?

If you choose to use an external HDD to capture your image, I would strongly recommend that you document everything you do, to the point where it is repeatable.

Also, if a Linux machine is on, what according to you would be the best software to use to acquire the data?

I'd consider using dd.

 
Posted : 18/12/2012 8:03 pm
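A worked version of the dd-to-external-drive approach discussed in this thread, added here as an example and not code posted by anyone in the thread. It images a source with dd onto examiner-controlled media, hashes both ends, and writes a timestamped log of exactly what was run, which is the documentation point made above. The paths are placeholders, and the sample source in the comments is constructed; on a real job SRC would be the device node and DEST a file on the external drive's mount point.

```shell
#!/bin/sh
# Acquire SRC (normally a block device such as /dev/sdb, placeholder here)
# into an image file DEST on an external volume, and record every step in LOG
# so the acquisition is repeatable and separable from other artifacts.

hash_file() {
    # Prefer sha256sum (GNU coreutils); fall back to shasum on BSD/macOS.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DEST LOG
# Exit status: 0 = image written and hashes match; 1 = dd failed;
# 2 = image written but hashes differ (expected on a live source that keeps
# changing; note the discrepancy in the log rather than hiding it).
acquire_image() {
    src=$1; dest=$2; log=$3
    {
        echo "=== acquisition started $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "examiner: $(id -un) on host $(uname -n)"
        echo "source: $src"
        echo "destination: $dest"
        echo "command: dd if=$src of=$dest bs=512 conv=noerror,sync"
    } >>"$log"
    # noerror: keep reading past bad blocks; sync: pad them with zeros so
    # offsets in the image still line up with the source. bs=512 avoids
    # padding the tail of the image, which a larger block size would do
    # unless it evenly divides the source size.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync 2>>"$log" || {
        echo "dd failed with status $?" >>"$log"; return 1; }
    src_hash=$(hash_file "$src")
    dst_hash=$(hash_file "$dest")
    {
        echo "source sha256: $src_hash"
        echo "image  sha256: $dst_hash"
        echo "=== acquisition finished $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } >>"$log"
    [ "$src_hash" = "$dst_hash" ] || return 2
}
```

dd's own "records in/records out" summary lands in the log as well, so a short read on a failing sector is visible next to the hashes.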
(@bsg819)
Posts: 19
Active Member
Topic starter
 

Finally understood :)
Thanks :D :D :D

 
Posted : 18/12/2012 8:09 pm