NAS Acquisition


Posted: Thu Oct 24, 2013 10:41 am

I have an external Toshiba 2TB NAS drive that I am trying to preview/acquire in EnCase 6. I do not want to tear the drive apart for fear of damaging the interior of the drive. Does anyone have any advice on how I could preview and, if need be, image the device in a forensically sound manner?

JMT605
Member
 
 
  

Re: NAS Acquisition

Posted: Thu Oct 24, 2013 11:21 am

Why do you think you will damage the device?

What is a "NAS"?
Is it not (at an abstract level)
  • drive(s) --> controller(s) --> processor(s) --> NIC --> you?
Where would be the most forensically sound place to image the device in the above chain?
What are the technical necessities to get to that part?
Have you considered the worst (and plausible) case scenario of such an acquisition?

What is the cost-to-benefit (or effort-to-soundness) ratio of such an acquisition?

jhup
Senior Member
 
 
  

Re: NAS Acquisition

Posted: Thu Oct 24, 2013 11:56 am

jhup wrote:
> Why do you think you will damage the device?
>
> What is a "NAS"?
> Is it not (at an abstract level)
>   • drive(s) --> controller(s) --> processor(s) --> NIC --> you?
> Where would be the most forensically sound place to image the device in the above chain?
> What are the technical necessities to get to that part?
> Have you considered the worst (and plausible) case scenario of such an acquisition?
>
> What is the cost-to-benefit (or effort-to-soundness) ratio of such an acquisition?

Sorry, a NAS meaning a Network Attached Storage device. I am unsure if removing any of the internal hardware would damage the interface card or the drive itself. The drive will be returned to the owner and I am trying to avoid giving it back with scratches, dings, and cracks in it. It is definitely the best place to image at the drive or device level; it is getting to that level physically that is kicking my butt right now. I know there is a way to use EnCase LinEn and a crossover cable to acquire, but not having ever done that I am quite intimidated by that right now. As we speak there are many other cases lying in wait that need my attention as well, so the cost-to-benefit ratio would be that I am falling behind on this case and others, plus there are other devices associated with this case that may actually have what it is I am looking for.

Wow, I think you just made me answer my own question. That is a sign of a good teacher from what I know.


Thanks  

JMT605
Member
 
 
  

Re: NAS Acquisition

Posted: Thu Oct 24, 2013 8:39 pm

I don't think you can use LinEn as you can't "boot" a NAS device, which from memory is how you use LinEn and EnCase.

I've seen some of these NAS devices and the only interface is an Ethernet port. Is that the case here?

Presumably you could attach it to a forensic machine, then use F-Response covert edition to push an applet to the NAS which would allow you to image the drive. I'm not really sure if that would work and it's not the soundest approach because you can't write block the NAS, otherwise you can't push the F-Response client :/

What is the specific make and model of the NAS? Maybe there is a good teardown manual somewhere so you can get the drive out safely.

Adam10541
Senior Member
 
 
  

Re: NAS Acquisition

Posted: Thu Oct 24, 2013 11:43 pm

If it unscrews easily then take it apart and have a look inside.
Some of these NAS devices have trays / slots inside for standard SATA drives.

If this is not an option then the next best would be to look at other I/O ports,
e.g. USB, eSATA, FireWire, Thunderbolt.

If you can't easily open it, and there are no other interfaces and you don't have all day and you need to return it in one piece, then just get what you can via the network interface. Getting all the files is easy; getting a low level image of the drive (with slack space, etc.) might be harder.

If you do have the time and didn't need to return it in one piece, then cut it open.

Passmark
Senior Member
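
An added example, not part of the thread: the file-level fallback from the post above (taking the files over the network interface), written in Python so that each file is hashed during the single read pass and the copy is re-hashed afterwards. The function names, the manifest fields and the assumption that the NAS share is already mounted read-only at `src_root` are illustrative; as the post says, this captures files only, not slack space.

```python
import hashlib
import os
import tempfile
CHUNK = 1024 * 1024  # read size; keeps memory flat on multi-GB files

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_tree(src_root, dst_root):
    """Copy src_root (assumed: the share, mounted read-only) and build a manifest."""
    manifest = []
    for dirpath, _dirnames, filenames in os.walk(src_root):
        for name in sorted(filenames):
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            st = os.stat(src)  # record source metadata before reading
            h = hashlib.sha256()
            with open(src, "rb") as fin, open(dst, "wb") as fout:
                for block in iter(lambda: fin.read(CHUNK), b""):
                    h.update(block)   # hash exactly the bytes that were read
                    fout.write(block)
            os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns))  # keep timestamps
            manifest.append({"path": rel, "size": st.st_size,
                             "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()})
    return manifest

def verify_copy(dst_root, manifest):
    """Re-hash the copies; return the relative paths that no longer match."""
    return [m["path"] for m in manifest
            if sha256_file(os.path.join(dst_root, m["path"])) != m["sha256"]]

def demo():  # constructed sample tree standing in for the mounted share
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "share"), os.path.join(tmp, "evidence")
        os.makedirs(os.path.join(src, "docs"))
        for rel, data in (("docs/a.txt", b"constructed sample\n"), ("b.bin", bytes(range(256)))):
            with open(os.path.join(src, rel), "wb") as f:
                f.write(data)
        manifest = acquire_tree(src, dst)
        clean = verify_copy(dst, manifest)
        with open(os.path.join(dst, "b.bin"), "ab") as f:
            f.write(b"x")  # simulate a corrupted copy
        return manifest, clean, verify_copy(dst, manifest)
```
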
 
 
  

Re: NAS Acquisition

Posted: Fri Oct 25, 2013 6:20 am

The exact model is a Toshiba 2TB Canvio Personal Cloud Hard Drive, 1000BASE-T/100BASE-TX/10BASE-T, 1Gb/s Data Transfer Rate.

http://www.adorama.com/TONB120XKEG.html?gclid=CKGv__j6sboCFQLl7AodUgsAFA

I need to give it back in one piece, so breaking out the cutting torches and hammer and chisel is not an option. I looked for a breakdown video or manual and did not find anything. I have taken similar ones apart before and always ended up snapping a tab off somewhere, and the end result upon reassembly would never be acceptable to me. In those cases it never really mattered, as the drive would most likely never be returned due to the type of case, but this one will be going back, and if it were mine and I got it back with dings, scratches, etc., I wouldn't be too happy.

Also, there appear to be no other ports, just a USB and an Ethernet port.

JMT605
Member
 
 
  

Re: NAS Acquisition

Posted: Fri Oct 25, 2013 6:28 am

There are many kinds of NAS.
Most run a (usually Linux based) OS, and settings (limited) are accessed through a Web interface.
Some of these may be rootable and/or may accept a telnet connection.
But IF there is this telnet possibility AND IF it is not already set "open" in the settings, the mere act of changing this setting may be seen as a "write" to disk (where configurations are saved on some devices, while others may have some storage in the form of a flash based device).
To go the "safe" way you should open the unit, remove the disks and image them "directly".
Also, you don't specify if the device at hand is using one or more disks and if it is set as RAID, JBOD or what.

Maybe if you provide the EXACT model of the device, you could get some more "targeted" reply/advice.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 