Imaging an unknown server

(@craig)
Posts: 23
Eminent Member
Topic starter
 

A client has asked for us to image an unknown server.

The first question was a live extraction of this server. It is still unknown if we can shut this server down. Unfortunately we found out about this case yesterday and we will be starting tomorrow (Yay! Weekend job! roll ), so we cannot (we would if we could) get F-Response to try and use.

So scenario A

Live server (30% chance this will happen) - First thoughts: external USB hard drive with FTK Imager Lite, and run. (Documented throughout, of course.)

Scenario B

Server shut down (70% chance it will be off) - Now, this is where I am having difficulties. We might be able to boot up the server, admin password, then Scenario A. But this is not as forensically sound.

I have read about WinFE, as RAID drivers will probably be needed. But I have read mixed reports of how forensically sound it is, and I will have no time to try it out and document what it is going to affect.

Also, Helix?

As you can tell, I am new to forensically imaging servers. So any insight would be greatly appreciated.

Craig

 
Posted : 13/08/2010 3:19 pm
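The "documented throughout" part of scenario A is the piece that makes an acquisition defensible later, whichever imaging tool ends up being used. The following is an added example, not code from the thread or from any of the products mentioned in it: it streams a source to an image file, hashes what was read and what was written, writes a JSON-lines acquisition record, and shows that a later re-verification catches a single corrupted byte. The source and image are ordinary files here (constructed data standing in for a drive); the examiner name and tool name are placeholders, and it assumes the source is already attached read-only (write-blocker or read-only mount) before it is read.

```python
"""Added example (not from the thread): acquire, hash, log and re-verify an image.
Assumes the source is attached read-only; SOURCE/IMAGE are plain files here."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size; keeps memory flat on multi-GB images


def hash_file(path: str) -> str:
    """SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source: str, image: str, examiner: str, tool: str) -> dict:
    """Copy source -> image bit for bit, hashing the source stream as it is read
    and the finished image afterwards. Returns the acquisition record."""
    started = datetime.now(timezone.utc).isoformat()
    h = hashlib.sha256()
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            size += len(block)
    finished = datetime.now(timezone.utc).isoformat()
    record = {
        "examiner": examiner,          # placeholder value in the demo
        "tool": tool,                  # placeholder value in the demo
        "source": source,
        "image": image,
        "bytes": size,
        "source_sha256": h.hexdigest(),   # hash of what was read
        "image_sha256": hash_file(image),  # hash of what was written
        "started_utc": started,
        "finished_utc": finished,
    }
    # Acquisition verification: read hash must equal written hash.
    record["verified"] = record["source_sha256"] == record["image_sha256"]
    return record


def verify(image: str, expected_sha256: str) -> bool:
    """Re-hash an image later (e.g. before analysis) and compare to the record."""
    return hash_file(image) == expected_sha256


def write_log(record: dict, log_path: str) -> None:
    """Append one JSON line per acquisition so the log stays machine-readable."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record) + "\n")


def demo() -> dict:
    """Constructed data standing in for a drive: acquire, log, verify, then
    flip one byte in the image and show the re-verification fails."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "source.bin")
    img = os.path.join(tmp, "image.dd")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a CHUNK multiple
    rec = acquire(src, img, examiner="examiner-placeholder", tool="example-acquire")
    write_log(rec, os.path.join(tmp, "acquisition.log"))
    ok_before = verify(img, rec["source_sha256"])
    with open(img, "r+b") as f:  # simulate silent corruption of the image
        f.seek(10)
        b = f.read(1)
        f.seek(10)
        f.write(bytes([b[0] ^ 0x01]))
    ok_after = verify(img, rec["source_sha256"])
    return {"record": rec, "ok_before": ok_before, "ok_after": ok_after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Hashing the read stream and the written file separately is the point: a match tells you the copy was faithful at acquisition time, and the stored hash lets anyone re-run `verify` later and prove the image has not changed since.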
(@fresponse_s)
Posts: 70
Trusted Member
 

If you are going to have Internet access on the server we can setup a temporary license server for you.

Let me know if you are interested and we'll set it up for some time to test out the connection/process today (no charge) to make sure it will work.

Thanks!

 
Posted : 13/08/2010 5:00 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

> …so we cannot (we would if we could) get F-Response to try and use.

Why not? Matt's one of the most responsive guy…if not THE most responsive guy…I've ever seen or met in this arena.

Somehow I get the impression that rather than assume that all the comments in this forum about Matt's responsiveness are correct, someone chose to assume (rather than ask) that they couldn't get something…

> So scenario A
>
> Live server (30% chance this will happen) - First thoughts: external USB hard drive with FTK Imager Lite, and run. (Documented throughout, of course.)

If the server is "unknown", how do you know this will work? What if it's FreeBSD or Ubuntu? Or what if it doesn't have any USB connections (or a USB 1.0 connection) or a CD drive? All of these have happened to me.

> Scenario B
>
> Server shut down (70% chance it will be off) - Now, this is where I am having difficulties. We might be able to boot up the server, admin password, then Scenario A. But this is not as forensically sound.
>
> I have read about WinFE, as RAID drivers will probably be needed. But I have read mixed reports of how forensically sound it is, and I will have no time to try it out and document what it is going to affect.
>
> Also, Helix?

What is "forensically sound"?

> As you can tell, I am new to forensically imaging servers. So any insight would be greatly appreciated.

My recommendation is…don't do it. There seem to be a great deal of unknowns, and something that probably should not be committed to…

 
Posted : 13/08/2010 5:31 pm
(@craig)
Posts: 23
Eminent Member
Topic starter
 

Thanks for the replies.

Fresponse_s, thanks for the offer, but again don't know if we are going to have internet access, but I will keep you posted!

One of the forensic guys is going over in 1 hour to find out as much as he can about the server. However, the people that we are doing this for don't know themselves (not their server/PCs).

Keydet89 - very good recommendation, it has already been mentioned more than once in the office. And I hope it has USB/CD drives!!!

The next post will hopefully contain server information.

Craig

 
Posted : 13/08/2010 6:01 pm
(@fresponse_s)
Posts: 70
Trusted Member
 

Certainly Craig, that's fine. If we can be of further assistance please don't hesitate to ask. If your guy on site has access to the server and would like to test and see if the Internet access is sufficient to use F-Response send us an email and we'll get the process setup. (support _at_ f-response.com).

Thanks Harlan, we try.

Warmest Regards,

 
Posted : 13/08/2010 6:15 pm
(@craig)
Posts: 23
Eminent Member
Topic starter
 

Apologies for the lateness of my post, fresponse_s, but I only found out about the 'server' when I went on site this morning.

The high-priority server was just a plain old PC with two hard drives, and it did not work; we ended up imaging workstations instead!

So what did I learn from this? That some people don't know what a server is, that F-Response are fast at responding (and I hope to use your product in the future with an actual server), and that unknowns are not fun.

Craig

 
Posted : 15/08/2010 3:17 am
(@douglasbrush)
Posts: 812
Prominent Member
 

You can use F-Response with just about any system. I have used it on PCs, workstations and servers. The great thing is that it is flexible on the hardware platform, so it is always my go-to in unknown configurations. VERY helpful on high-end workstation RAIDs.

And yes, Matt is the nicest guy in the industry and offers some of the best support.

 
Posted : 16/08/2010 7:10 pm