Imaging an unknown server

 
  

craig
Member
 

Imaging an unknown server

Post Posted: Aug 13, 10 15:19

A client has asked for us to image an unknown server.

The first question was a live extraction of this server. It is still unknown if we can shut this server down. Unfortunately we found out about this case yesterday and we will be starting tomorrow (Yay! Weekend job!), so we cannot (we would if we could) get F-Response to try and use.

So scenario A:

Live server (30% chance this will happen) - First thoughts: external USB hard drive with FTK Imager Lite, and run. (Documented throughout, of course.)

Scenario B:

Server shut down (70% chance it will be off) - Now, this is where I am having difficulties. We might be able to boot up the server, admin password, then Scenario A. But this is not as forensically sound.

I have read about WinFE, as RAID drivers will probably be needed. But I have read mixed reports of how forensically sound it is, and I will have no time to try it out and document what it is going to affect.

Also, Helix?


As you can tell, I am new to forensically imaging servers. So any insight would be greatly appreciated.


Craig  
 
  

fresponse_s
Senior Member
 

Re: Imaging an unknown server

Post Posted: Aug 13, 10 17:00

If you are going to have Internet access on the server, we can set up a temporary license server for you.

Let me know if you are interested and we'll set it up for some time to test out the connection/process today (no charge) to make sure it will work.

Thanks!
_________________
M Shannon, CIFI, CISSP
Founder

F-Response – Extend Your Arsenal

Interested in a low cost remote forensics and eDiscovery solution that is completely vendor neutral?
www.f-response.com 
 
  

keydet89
Senior Member
 

Re: Imaging an unknown server

Post Posted: Aug 13, 10 17:31

- craig
...so we cannot (we would if we could) get F-Response to try and use.


Why not? Matt's one of the most responsive guys...if not THE most responsive guy...I've ever seen or met in this arena.

Somehow I get the impression that rather than assume that all the comments in this forum about Matt's responsiveness are correct, someone chose to assume (rather than ask) that they couldn't get something...

- craig
So scenario A:

Live server (30% chance this will happen) - First thoughts: external USB hard drive with FTK Imager Lite, and run. (Documented throughout, of course.)


If the server is "unknown", how do you know this will work? What if it's FreeBSD or Ubuntu? Or what if it doesn't have any USB connections (or a USB 1.0 connection) or a CD drive? All of these have happened to me.

- craig

Scenario B:

Server shut down (70% chance it will be off) - Now, this is where I am having difficulties. We might be able to boot up the server, admin password, then Scenario A. But this is not as forensically sound.

I have read about WinFE, as RAID drivers will probably be needed. But I have read mixed reports of how forensically sound it is, and I will have no time to try it out and document what it is going to affect.

Also, Helix?


What is "forensically sound"?

- craig

As you can tell, I am new to forensically imaging servers. So any insight would be greatly appreciated.


My recommendation is...don't do it. There seem to be a great deal of unknowns, and something that probably should not be committed to...  
 
  

craig
Member
 

Re: Imaging an unknown server

Post Posted: Aug 13, 10 18:01

Thanks for the replies.

Fresponse_s, thanks for the offer, but again don't know if we are going to have internet access, but I will keep you posted!

One of the forensic guys is going over in 1 hour to find as much as he can in regards to the server. However, the people that we are doing this for don't know themselves (not their server/pcs).

Keydet89 - very good recommendation, it has already been mentioned more than once in the office. And I hope it has USB/CD drives!!!

The next post will hopefully contain server information.


Craig  
 
  

fresponse_s
Senior Member
 

Re: Imaging an unknown server

Post Posted: Aug 13, 10 18:15

Certainly Craig, that's fine. If we can be of further assistance please don't hesitate to ask. If your guy on site has access to the server and would like to test and see if the Internet access is sufficient to use F-Response, send us an email (support _at_ f-response.com) and we'll get the process set up.

Thanks Harlan, we try.

Warmest Regards,
_________________
M Shannon, CIFI, CISSP
Founder

 
  

craig
Member
 

Re: Imaging an unknown server

Post Posted: Aug 15, 10 03:17

Apologies for the lateness of my post fresponse_s, but only found out about the ‘server’ when I went on site this morning.

The high priority server was just a plain old PC with two hard drives, and it did not work, ended up imaging workstations instead!

So what did I learn from this? That some people don’t know what a server is, that F-Response are fast at responding (and I hope to use your product in the future with an actual server), and unknowns are not fun.


Craig  
 
  

douglasbrush
Senior Member
 

Re: Imaging an unknown server

Post Posted: Aug 16, 10 19:10

You can use F-Response with just about any system. I have used it on PCs, workstations, servers. The great thing is that it is flexible on the hardware platform, so it is always my go-to in unknown configurations. VERY helpful on high-end workstation RAIDs.

And yes, Matt is the nicest guy in the industry and offers some of the best support.  
 
