±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 1 Overall: 34200
New Yesterday: 1 Visitors: 119

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Imaging technique using a NAS

Discussion of forensic workstations, write blockers, bridges, adapters, disk duplicators, storage etc. Strictly no advertising of commercial products, please.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2 
  

Re: Imaging technique using a NAS

Post Posted: Fri Apr 13, 2018 8:29 am

I could be missing sovietpecker's first question, but it sounds to me like you might be able to solve the problem by creating a portable network on site. You would only need your NAS, a fast ethernet switch and ethernet cables. Each of your workstations would connect to the switch, and the switch would be connected to the NAS. I agree with mscotgrove - the imaging (writing) speed would be very slow, though.

For your second question, I would definitely recommend transferring those Encase compatible images to a storage server once you get back to your Lab. This would allow you to re-use your NAS every time you needed to image on site. The ideal situation is to have 2 copies of your image - 1 for processing and 1 as a backup copy - and have each one on a separate device.

One option that might work for both on-site imaging and storage is a RAID hard drive enclosure like a Mediasonic PRORAID. It use USB 3 ports rather that ethernet connections. It holds 4 hard drives that could configured in several different RAID arrays. You would just need a USB 3 hub to connect your imaging workstations to the unit. Because of its small size - about the size of a small NAS - it is portable enough to carry on site. But you can also connect a second one to your processing workstation at the lab. If your workstation is networked, then all your devices on the network will see it as an external drive. Again, speed may be an issue, however.  

Tacobreath
Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Fri Apr 13, 2018 9:14 am

- minime2k9
- thefuf
- minime2k9
This will change a very small amount of data on the disk, not user data but data nonetheless.


This is a dangerous assumption. It is possible that the activation of a software RAID volume will change gigabytes of user data.


In what scenarios are you talking about?


RAID resync.  

thefuf
Senior Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Mon Apr 16, 2018 4:52 am

- Tacobreath
I could be missing sovietpecker's first question, but it sounds to me like you might be able to solve the problem by creating a portable network on site. You would only need your NAS, a fast ethernet switch and ethernet cables. Each of your workstations would connect to the switch, and the switch would be connected to the NAS. I agree with mscotgrove - the imaging (writing) speed would be very slow, though.

For your second question, I would definitely recommend transferring those Encase compatible images to a storage server once you get back to your Lab. This would allow you to re-use your NAS every time you needed to image on site. The ideal situation is to have 2 copies of your image - 1 for processing and 1 as a backup copy - and have each one on a separate device.

One option that might work for both on-site imaging and storage is a RAID hard drive enclosure like a Mediasonic PRORAID. It use USB 3 ports rather that ethernet connections. It holds 4 hard drives that could configured in several different RAID arrays. You would just need a USB 3 hub to connect your imaging workstations to the unit. Because of its small size - about the size of a small NAS - it is portable enough to carry on site. But you can also connect a second one to your processing workstation at the lab. If your workstation is networked, then all your devices on the network will see it as an external drive. Again, speed may be an issue, however.


Thank you Tacobreath. Great response. So it seems that speed is the major issue. That is noted. I am really interested with the storage of image files. Is it best to copy the image files from the External HD unto a back up server? Also is it advisable to reuse those external HDs to image again? If you get a great number of cases with a large number of imaged systems would you consider tape storage of the image files?  

sovietpecker
Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Mon Apr 16, 2018 10:42 am

Is it best to copy the image files from the External HD unto a back up server? - sovietpeacker

The prevailing thought is that it is better to backup to several disks (RAID) rather than to a single disk. The redundancy of RAID 5, for example, allows for 1 disk to fail while still preserving all the data. The single disk storage solution allows no room for failure.

Also is it advisable to reuse those external HDs to image again? - sovietpeacker

As long as you have what you believe is a good backup of your data (images, etc.), you should be able to re-use those external HDD. It would be a good idea to forensically wipe those drives before using them again.

If you get a great number of cases with a large number of imaged systems would you consider tape storage of the image files? - sovietpeacker

As for tape drives, I don't have any experience with them (though I'm looking to purchase one for my agency), but it seems like a solid solution for archiving your data once the case is closed. My understanding is they can be slower than hard drives, so I probably wouldn't use them for actively processing cases.

On the topic of hard drives, this article discusses reliability for certain hard drive models: www.backblaze.com/blog...for-2017/. One model has a nearly 30% failure rate. Ouch. I would probably consider a model other than that one.  

Tacobreath
Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Mon Apr 16, 2018 12:44 pm

Thanks Tacobreath. Very well explained reply.

I am actually thinking of suggesting we get a large server to store case images, as you suggested, a RAID5 setup would be ideal in order to ensure fault tolerance.

Now, would you consider it necessary to perform some sort of verification/validation once the data is copied to the server to ensure the copied image has been copied without any issues?  

sovietpecker
Member
 
 
  

Re: Imaging technique using a NAS

Post Posted: Mon Apr 16, 2018 2:02 pm

That's a good question. Obviously you want to ensure the hash (MD5, SHA1, etc.) value of your image file remains the same when copied to another device. But there are quite a few options for coping over the other files related to your case, such as your forensic reports, notes, etc., that don't require verifying the integrity of the file. One free option we use is TeraCopy. It will give you a list of files it could not copy or move, allowing you to troubleshoot the process. You could spend a little money and get a decent solution for your needs.

A great resource for many of these situations is Josh Moulin's website at www.joshmoulin.com/cat...orensics/. He covers setting up a digital forensics lab environment, among other things.  

Tacobreath
Member
 
 

Page 2 of 2
Go to page Previous  1, 2