
NAS Acquisition

(@jmt605)
Posts: 15
Active Member
Topic starter
 

I have an external Toshiba 2TB NAS drive that I am trying to preview/acquire in Encase 6. I do not want to tear the drive apart for fear of damaging the interior of the drive. Does anyone have any advice on how I could preview and if need be image the device in a forensically sound manner?

 
Posted : 24/10/2013 9:41 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Why do you think you will damage the device?

What is a "NAS"?
Is it not (at an abstract level)

  • drive(s) –> controller(s) –> processor(s) –> NIC –> you?

Where would it be the most forensically sound place to image the device in the above chain?
What are the technical necessities to get to that part?
Have you considered the worst (and plausible) case scenario of such acquisition?

What is the cost-to-benefit (or effort-to-soundness) ratio of such acquisition?

 
Posted : 24/10/2013 10:21 pm
(@jmt605)
Posts: 15
Active Member
Topic starter
 

> Why do you think you will damage the device?
>
> What is a "NAS"?
> Is it not (at an abstract level)
>
>   • drive(s) –> controller(s) –> processor(s) –> NIC –> you?
>
> Where would it be the most forensically sound place to image the device in the above chain?
> What are the technical necessities to get to that part?
> Have you considered the worst (and plausible) case scenario of such acquisition?
>
> What is the cost-to-benefit (or effort-to-soundness) ratio of such acquisition?

Sorry, a NAS meaning a Network Attached Storage device. I am unsure if removing any of the internal hardware would damage the interface card or the drive itself. The drive will be returned to the owner and I am trying to avoid giving it back with scratches, dings, and cracks in it. It is definitely the best place to image, at the drive or device level; it is getting to that level physically that is kicking my b**t right now. I know there is a way to use Encase Linen and a crossover cable to acquire, but not having ever done that I am quite intimidated by that right now. As we speak there are many other cases lying in wait that need my attention as well, so the cost to benefit ratio would be that I am falling behind on this case and others, plus there are other devices associated with this case that may actually have what it is I am looking for.

Wow I think you just made me answer my own question. That is a sign of a good teacher from what I know.

Thanks

 
Posted : 24/10/2013 10:56 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

I don't think you can use Linen as you can't "boot" a NAS device, which from memory is how you use Linen and EnCase.

I've seen some of these NAS devices and the only interface is an ethernet port, is that the case here?

Presumably you could attach it to a forensic machine, then use F-Response covert edition to push an applet to the NAS which would allow you to image the drive. I'm not really sure if that would work and it's not the soundest approach because you can't write block the NAS otherwise you can't push the F-Response client.

What is the specific make and model of the NAS? Maybe there is a good tear down manual somewhere so you can get the drive out safely.

 
Posted : 25/10/2013 7:39 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

If it unscrews easily then take it apart and have a look inside.
Some of these NAS devices have trays / slots inside for standard SATA drives.

If this is not an option then the next best would be look at other I/O ports.
e.g. USB, eSATA, Firewire, Thunderbolt

If you can't easily open it, and there are no other interfaces and you don't have all day and you need to return it in one piece, then just get what you can via the network interface. Getting all the files is easy, getting a low level image of the drive (with slack space, etc…) might be harder.

If you do have the time and didn't need to return it in one piece, then cut it open.

 
Posted : 25/10/2013 10:43 am
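
The "get what you can via the network interface" option from the post above can at least be made verifiable. This is an added example, not part of the original thread: it assumes the NAS share is already mounted read-only on the examiner workstation (the paths and the function name `acquire_logical` are hypothetical) and copies each file while recording size, mtime and SHA-256 in a manifest. It captures allocated files only, not slack or unallocated space.

```python
import csv, hashlib, os, shutil, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def acquire_logical(share_root, evidence_dir, manifest_path):
    """Copy every file under share_root to evidence_dir and write a CSV manifest."""
    rows = []
    def note(exc):  # unreadable directories are logged, not silently skipped
        rows.append([exc.filename, "", "", "", f"ERROR: {exc}"])
    for dirpath, dirnames, filenames in os.walk(share_root, onerror=note):
        dirnames.sort()  # deterministic order makes the manifest repeatable
        for name in sorted(filenames):
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, share_root)
            dst = os.path.join(evidence_dir, rel)
            try:
                st = os.stat(src)            # metadata recorded before reading
                src_hash = sha256_file(src)  # hash taken from the source itself
                os.makedirs(os.path.dirname(dst), exist_ok=True)
                shutil.copy2(src, dst)       # copy2 keeps mtime on the copy
                status = "ok" if sha256_file(dst) == src_hash else "MISMATCH"
            except OSError as exc:
                rows.append([rel, "", "", "", f"ERROR: {exc}"])
                continue
            mtime = datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat()
            rows.append([rel, st.st_size, mtime, src_hash, status])
    with open(manifest_path, "w", newline="") as f:
        w = csv.writer(f)
        w.writerow(["path", "size", "mtime_utc", "sha256", "status"])
        w.writerows(rows)
    return rows

if __name__ == "__main__":
    # Constructed stand-in for a read-only mounted share (not real case data).
    with tempfile.TemporaryDirectory() as tmp:
        share = os.path.join(tmp, "share")
        os.makedirs(os.path.join(share, "docs"))
        with open(os.path.join(share, "docs", "note.txt"), "w") as f:
            f.write("constructed sample file\n")
        for row in acquire_logical(share, os.path.join(tmp, "evidence"),
                                   os.path.join(tmp, "manifest.csv")):
            print(row)
```

A read-only mount stops the workstation from writing, but the NAS's own operating system may still update access times when files are read.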
(@jmt605)
Posts: 15
Active Member
Topic starter
 

The exact model is a Toshiba 2TB Canvio Personal Cloud Hard Drive, 1000BASE-T/100BASE-TX/10BASE-T, 1Gb/s Data Transfer Rate.

I need to give it back in one piece so breaking out the cutting torches and hammer and chisel is not an option. I looked for a breakdown video or manual and did not find anything. I have taken similar ones apart before and always ended up snapping a tab off somewhere and the end result upon reassembly would never be acceptable to me. In those cases it never really mattered as the drive would most likely never be returned due to the type of case but this one will be going back and if it were mine and I got it back with dings, scratches…etc. I wouldn't be too happy.

Also, there appear to be no other ports, just a USB and an Ethernet port.

 
Posted : 25/10/2013 5:20 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

There are many kinds of NAS.
Most run a (usually Linux based) OS, and settings (limited) are accessed through a Web interface.
Some of these may be rootable and/or may accept a telnet connection.
But IF there is this telnet possibility AND IF it is not already set "open" in the settings, the mere act of changing this setting may be seen as a "write" to disk (where configurations are saved on some devices - while others may have some storage in the form of a flash based device).
To go the "safe" way you should open the unit, remove the disks and image them "directly".
Also, you don't specify if the device at hand is using one or more disks and if it is set as RAID, JBOD or what.

Maybe if you provide the EXACT model of the device, you could get some more "targeted" reply/advice.

jaclaz

 
Posted : 25/10/2013 5:28 pm
(@belkasoft)
Posts: 169
Estimable Member
 

With most NAS systems, you will not get access to unallocated space (and won't be able to recover deleted evidence) unless you take it apart, get the hard drives(s) out, and connect them to a PC via SATA. However, some NAS systems offer the ability to connect via SATA and/or USB, in which case you may still be able to analyze the content without taking it apart.

 
Posted : 28/10/2013 2:18 pm
(@unicron)
Posts: 36
Eminent Member
 

Looking at the links you provided, I would say that you're not going to get a 'forensically sound' acquisition of the unit unless you are willing to crack it open and remove the disk(s) contained inside, as others have suggested.

Take a step back for a moment - what are you trying to achieve? Data recovery? Criminal Investigation? Are you after everything (including unallocated space), or just certain files/folders?

Have you read the manual? http://www.toshibastorage.com/personalcloud/docs/STOR_E_CLOUD_UM_EN_1112.pdf

That may well answer some of your questions…

 
Posted : 28/10/2013 3:52 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Only to confirm the issues with disassembling the thingy without damaging the case.
It is another model but I believe that the general manufacture/approach is the same or similar.
http://www.gearhack.com/myink/ViewPage.php?file=docs/Toshiba%20Canvio%20Desktop%20External%20Hard%20Drive%20Disassembly

(cheap pieces of plastic cobbled together, though the "flat screwdriver" might not be the best tool for attempting doing that, while a phone plastic opener tool might do better)
here is a somewhat better approach (still another model)
http://goughlui.com/?p=4688

and to confirm that it runs a Linux (Scratchbox/Debian)
http://www.toshibastorage.com/personalcloud/
http://www.toshibastorage.com/personalcloud/docs/How_to_Utilize.pdf

jaclaz

 
Posted : 28/10/2013 4:51 pm