EnCase Enterprise edition
For acquiring images of servers without taking them offline, what are the members' recommended court-accepted software for
carrying this out without shelling out £60k+ for EnCase Enterprise?
There are a few ways that this can be done. Probably the most accepted way that I know of is to use a known-clean CD-ROM with Netcat and DD. Helix is a good CD for this, using DCFLDD (a version of DD), and it is free. Plug a laptop with a USB/Firewire drive into the network (preferably the same switch or hub) and pipe the DCFLDD being run from the CD-ROM through Netcat to the laptop listening on the netcat pipe and pushing it to the external USB/Firewire drive.
PM me and I will give you the specifics.
Hi Jonathan, I don't think you need EE to image a server, that's not the main function of EE anyway. The Field Intelligence Model (FIM) is 'cheaper' (still runs into the thousands of $'s though) and will do the same as EE but with single remote machines.
AccessData's FTK Imager can be installed to a USB thumb drive and plugged in to the server, and can image the live system to a local drive (perhaps a removable/external USB or Firewire drive). It's free to download and easy to use.
There will be some interference with the system, as it detects the USB drive being inserted and the program being run. But when imaging a live system you will always have integrity issues, as you are potentially tampering with live data. As regards it being court accepted, you are obviously competent to do so, and if you can justify it and document all you do (and there is no reasonable alternative), then it can be done. The ACPO guidelines allow for a breach of principle 1, with principles 2 & 3. I would not get too hung up on the guidelines, as they are in the process of being revised for just this type of scenario.
It also may depend on what OS is running on the server. It can be done using Linux and netcat across a network, but it requires some skill in setting things up.
If EnCase FE (Forensic Edition) is installed on the server, you can image the local drives across a network to a remote machine, but again you are altering the original data. If you are looking for data in the unallocated clusters, then you may be potentially overwriting stuff.
You can also install EnCase onto a thumb drive and use it in acquisition mode (no need to install dongle drivers on the host machine). Again, it's free to use in this way, and you can image to a connected USB/Firewire drive the same as using FTK Imager. Using either EnCase or FTK Imager on a thumb drive is the way I would do it.
Sorry m7esec, we must have posted at the same time... I also use Helix, and find its graphical DD tool (Grab) quite good. It makes imaging across a network a lot easier than at the console. But if the server is 'mission critical' and cannot be taken down, then booting to a Linux CD might be defeating the object.
Thanks very much fellas.
Andy; hope the business is going well.
Ahh, good point: since DCFLDD is a Linux tool, if the server is not Linux then you would have a problem. You could also use DD.exe and pipe the data over to a network share that was created as well, if it's NT. I also heard there is a Netcat version for Windows as well. I know that with Helix, the separate tools are available without needing to boot the server using it.
Good idea about putting EnCase Acquisition or FTK Imager on a thumb drive and turning the write protection on. I would still probably use a known-good CD, which doesn't affect the system as much.
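The DD/DCFLDD-through-Netcat pipeline described in the first reply and revisited just above, as an added example that is not code from any poster in this thread. The network hop is replaced by a named pipe so it runs end to end offline; the device image, hostname and port are assumptions, and the point it adds is the hash taken as the bytes leave the server against the hash of what landed on the evidence drive.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): live acquisition modelled offline.
# On real hosts the sender's 'tee "$fifo"' becomes 'nc LAPTOP 9999' and the
# receiver's '< "$fifo"' becomes 'nc -l -p 9999'; LAPTOP/9999 are assumptions.
set -euo pipefail

WORK="$(mktemp -d)"

# Constructed stand-in for /dev/sda: 1 MiB of random bytes in a regular file.
make_sample_device() {
  head -c 1048576 /dev/urandom > "$WORK/sda.img"
  echo "$WORK/sda.img"
}

# acquire_over_pipe <device> <evidence_file> <source_hash_file> <dest_hash_file>
# Server side: dd reads the device, tee pushes the stream into the transport and
# sha256sum hashes the bytes as they leave the host (dcfldd's hashlog role).
# Laptop side: the stream is written to the evidence drive and hashed a second
# time from what actually landed on disk.
acquire_over_pipe() {
  local dev="$1" evidence="$2" src_hash="$3" dst_hash="$4"
  local fifo="$WORK/transport.$RANDOM"
  mkfifo "$fifo"
  ( tee "$evidence" < "$fifo" | sha256sum | cut -d' ' -f1 > "$dst_hash" ) &
  local receiver=$!
  dd if="$dev" bs=64k 2>/dev/null | tee "$fifo" | sha256sum | cut -d' ' -f1 > "$src_hash"
  wait "$receiver"
  rm -f "$fifo"
}

# The copy is only usable as evidence if the hash taken at the source matches
# the hash of what was stored; returns 0 on match, 1 otherwise.
verify_acquisition() {
  [ -s "$1" ] && [ -s "$2" ] && [ "$(cat "$1")" = "$(cat "$2")" ]
}

run_demo() {
  local dev; dev="$(make_sample_device)"
  acquire_over_pipe "$dev" "$WORK/sda.raw" "$WORK/src.sha256" "$WORK/dst.sha256"
  if verify_acquisition "$WORK/src.sha256" "$WORK/dst.sha256"; then
    echo "acquired $(wc -c < "$WORK/sda.raw") bytes, hashes match: $(cat "$WORK/src.sha256")"
  else
    echo "HASH MISMATCH: source $(cat "$WORK/src.sha256") vs stored $(cat "$WORK/dst.sha256")" >&2
    return 1
  fi
}

run_demo
```

Record both hash files alongside the evidence file; a mismatch means the copy cannot be tied to what was read from the server and the acquisition should be repeated.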
ProDiscover® Investigator. Very powerful and has a lot of neat features. Supports Live Forensic Imaging.
"Image live memory and entire suspect disk, including hidden HPA section"