Imaging across a network  

Page 1 / 2
Andy
(@andy)
Active Member

Hi all, I wanted to start a discussion off relating to 'imaging' and the use of EnCase. Does anyone image to a server across a network? And if so, what tools do you use?

In the labs where I work, we image directly to a 3 terabyte network file server (Win2000), on a gigabit network. It's quite fast, almost as fast as imaging locally. We also investigate the acquired image across the network without any noticeable lag. And because we use EnCase evidence files we do not consider integrity of the image to be an issue (no requirement to use a wiped hard drive to store it, etc).

Has anyone done the same using Linux or open source software, and if so what are your experiences, techniques and methodologies?

Forgive me Jamie if I posted in the wrong part of the forum, I thought it appropriate for it to go here 🙂

Andy

Posted : 21/08/2004 10:46 am
Jamie
(@jamie)
Community Legend

I thought it appropriate for it to go here

Oh, absolutely. I'm looking forward to hearing from some of our members with "real world" experience of open source forensics. To the best of your knowledge, Andy, are any UK police forces using open source solutions (instead of e.g. EnCase)? No need to mention any names.

Jamie

Posted : 21/08/2004 12:59 pm
Andy
(@andy)
Active Member

On the pro side of open source stuff, it has one major advantage – it’s free, but what’s that saying “Linux is free only if your time is worthless”. Linux open source tools do take time to learn and get to grips with, especially if you come from a Windows background.

Let’s not forget about the granddaddy of forensic tools – Norton disk edit. Does anyone still use it?

Posted : 21/08/2004 2:31 pm
hitechpi
(@hitechpi)
New Member

Open source computer forensics………hmmmm. If you use it on a civil or criminal case will you be able to go to court, or survive a deposition? Even "in house" investigations can go to hearing or the court room. FREE open source forensics tools may not pass muster when there are professional grade, court qualified computer forensics tools that have already survived the court process, and are accepted.

Posted : 24/08/2004 2:50 am
Jamie
(@jamie)
Community Legend

I have heard the use of the commercial tools as ‘point & click’ forensics, said in a scornful manner, but at the end of the day if it works and halves your time, then it must be cost effective, and over the course of a few months the amount of work you can accomplish with a commercial product will pay for itself.

Yes, agreed. I've heard the same disparaging remarks about "point & click" forensics. Where I do think criticism is valid is when (perhaps inevitably?) the use of commercial packages leads to the rise of a certain type of investigator who is proficient at going through the motions with little understanding of what's going on "behind the scenes". That's not a criticism of the software itself, of course, more a reflection of certain organisations' priorities, and in practice probably makes little difference most of the time. There are times, though, when a deeper understanding of what's really going on is the only way to progress in an investigation and I sometimes worry that that depth of knowledge is undervalued in certain types of organisations.

That said, I'm still in full agreement that the efficiency gains offered by commercial packages (not to mention their accepted status in the courts) provide a compelling case for their use.

Cheers,

Jamie

Posted : 24/08/2004 6:39 pm
Jamie
(@jamie)
Community Legend

And before I forget, hitechpi…welcome to Forensic Focus!

Jamie

Posted : 24/08/2004 6:42 pm
tusk
(@tusk)
New Member

Open source computer forensics………hmmmm. If you use it on a civil or criminal case will you be able to go to court, or survive a deposition? Even "in house" investigations can go to hearing or the court room. FREE open source forensics tools may not pass muster when there are professional grade, court qualified computer forensics tools that have already survived the court process, and are accepted.

I think this is a simplistic way to look at this software and reflects a generalised fear of OSS that is prevalent among some software consumers. Any tool may not pass muster when put to the test. Indeed, I have rejected many tools, both open and closed source, because they do not behave in a fashion consistent with a forensic investigation.

We must clearly differentiate between "free as in beer" software, be it freeware, shareware or beta software, and "free as in thought" software, which is where the open source movement resides with licences such as the GPL and BSD.

There are a number of applications where OSS clearly dominates the market, and not on the basis of price. In fact I know of no examples where OSS predominates on the basis of its perceived low price.

In the final analysis, I don't like standing behind an item of software where I do not have access to the source code. Do you think the fact that you cannot vouch for the correct operation, or have a full understanding of the logic behind operations provided by commercial organisations, hampers you in investigations?

Posted : 14/09/2004 3:10 pm
Vigilante
(@vigilante)
New Member

I have to highly disagree with the illusion that open source tools may not pass muster in a hearing or court room. If you have ever testified in court (federal or other) regarding a computer criminal investigation, a defense attorney is going to pretty much question the use of ANY tool that you use and your training (and lack of forensic certification). Saying simply that you bought something off the shelf and a lot of other people use it and it has been tested in court, therefore it's good…. is a fallacy.

I have rarely used a single COTS forensic tool to throw someone in jail. In fact, most of the tools that I use are freeware or "open source." dd, dcfldd, Task, Autopsy, AIR, MD5-SHA1, chkrootkit, pstools from Sysinternals and even iLook is free (although not open source). I've used programs that even I've written and have never been tested anywhere (and I'm a programming idiot). Many federal agencies, including the FBI use open source tools in their forensic examinations.

Very often forensics is simply the art of discovering new ways to uncover the facts and find out what happened, and often you're not finding out the who's but the what's. Patchwork forensics has a long history in the criminal justice system. For example, using superglue to lift prints, or pasting together a torn floppy disk. None of this was documented before it was first attempted.

The key to passing muster in court or any administrative or judicial hearing concerning forensics is articulation and your knowledge of the tools you are using. At some point you are going to get slammed in court about something you did simply because the other attorney is doing everything they can to make you look like an a*s. If you can't articulate what you have done and what the tool is doing then you are in trouble. We already are in the hole right off the bat, especially after they get to the part about you not being licensed or regulated by the government to conduct computer forensics. You might as well know the tools you are using and practice articulating them to yourself before you even get there.

The bottom line is forensics is about extracting evidence and uncovering the hidden. No matter what gets argued in court, or how they slam your training, lack of regulation or government certification, tools, shoe size, IQ, or how out of shape I'm getting cause I'm eating too many carbs….the pictures of child pornography didn't will themselves onto the box and your tools didn't put them there. End rant….thank you for your support.

Posted : 16/09/2004 4:27 pm
Vigilante
(@vigilante)
New Member

Now, in answer to Andy's original question (;-), has anyone imaged across a network? Yes…I think that is one of the coolest parts of forensics in fact. EnCase Enterprise edition does a good job of doing that if you want to shell out the dough. For law enforcement they have (or had) a field forensic module that did something similar but it was more limited. A co-worker and I generated an image of a couple of Linux forensic CDs and shipped them to someone with physical access to the system. They booted the subject system (a Windows laptop) with the CD, gave it an IP, and at that point we MD5'd the image and used dd through netcat for the transport. We pumped the chunks into EnCase and it worked like a charm.

Posted : 16/09/2004 5:02 pm
Jamie
(@jamie)
Community Legend

Vigilante,

Welcome to Forensic Focus!

I'm very interested in the various opinions surrounding the use of open source (or even ad-hoc) solutions in the courtroom and welcome further comments from those with experience in this area.

Jamie

Posted : 16/09/2004 7:07 pm
Chris
(@chris)
New Member

Hi All

I have not personally imaged over a network but I have seen this done using EnCase Enterprise. As mentioned it is particularly expensive but I would say well worth the money for a big organisation. To be able to do it, though, a servlet must be placed on the PC that is to be imaged. Guidance swear that this servlet will stand up in court as not interfering with evidence, just enabling remote imaging to take place. In a large organisation these servlets could be made part of the standard build, making any PC immediately available to review and/or image.

Using enterprise over a network also enables you to review the RAM of a PC during an attack, something not possible when imaging a "dead" PC.

Posted : 06/10/2004 1:34 pm
hogfly
(@hogfly)
Active Member

Being a huge proponent of open source tools (until I get my commercial tool set together, that is..), the easiest way to image a disk across a network using open source tools is using dd/sdd/dcfldd and netcat or cryptcat. No, it's not fast, but it works and it's free!

A quick method is to do this.
On the machine you want to create the image on, start a netcat listener and pipe it to a file as follows:

nc -l -p <port> | dd of=/path/to/file
so: nc -l -p 10000 | dd of=/fevidence/case001.img

On the evidence machine, you would have to run something like this (from a clean media source, with 1.2.3.4 being the address of the listening machine):
dd if=/dev/hda | nc 1.2.3.4 10000

For those that question the accuracy of programs like dd, the NIJ released this report early this year: http://www.ncjrs.org/pdffiles1/nij/203095.pdf

A few Excellent tools are:

Helix: http://e-fense.com/helix/ –SANS is apparently using this in their GCFA courses now, and it was created by e-fense which does forensics work. I've been using it for a little while now, and it's awesome! It even has a windows Incident response capability that will do the dd | nc commands I outlined above.

F.I.R.E http://fire.dmzs.com/ –Great set of tools. Includes chntpw(NT offline reghack) and a cmos password cracker.

Posted : 07/10/2004 2:28 am
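An added example, not from hogfly's post or from any of the tools named in this thread, of the dd | nc acquisition pattern with the integrity check that earlier posts touch on (Vigilante's MD5 of the image): both ends hash the stream as it passes and the receiver compares the digests against a hash of the source. Python sockets over loopback stand in for dd and netcat, and the "device" is constructed sample bytes rather than /dev/hda.

```python
import hashlib
import io
import socket
import threading

# Constructed sample "evidence disk" (example data, not a real image):
# a fake boot sector, some patterned sectors, and a sector of 0xff fill.
SAMPLE_DEVICE = (b"NTFS    " + b"\x00" * 504) + bytes(range(256)) * 8 + b"\xff" * 512
CHUNK = 4096


def send_image(device, host, port):
    """Evidence side: stream the device to the listener, like `dd if=... | nc`,
    hashing every byte as it leaves so the sender holds its own reference hash."""
    md5 = hashlib.md5()
    with socket.create_connection((host, port)) as s:
        while True:
            chunk = device.read(CHUNK)
            if not chunk:
                break
            md5.update(chunk)
            s.sendall(chunk)
    return md5.hexdigest()


def receive_image(listener, out):
    """Acquisition side: accept one connection and write everything to `out`,
    like `nc -l -p PORT | dd of=...`, hashing the bytes as they are written."""
    md5 = hashlib.md5()
    conn, _ = listener.accept()
    with conn:
        while True:
            chunk = conn.recv(CHUNK)
            if not chunk:  # sender closed: end of device
                break
            md5.update(chunk)
            out.write(chunk)
    return md5.hexdigest()


def image_over_network(device_bytes):
    """Run both ends over loopback; return sizes and hashes for verification."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))  # ephemeral port; a real run uses a fixed one
    listener.listen(1)
    port = listener.getsockname()[1]
    out, result = io.BytesIO(), {}
    t = threading.Thread(target=lambda: result.update(recv=receive_image(listener, out)))
    t.start()
    result["sent"] = send_image(io.BytesIO(device_bytes), "127.0.0.1", port)
    t.join()
    listener.close()
    result["size"] = len(out.getvalue())
    # Acquisition is only good if sender, receiver and source all agree.
    result["verified"] = result["sent"] == result["recv"] == hashlib.md5(device_bytes).hexdigest()
    return result
```

On a real acquisition the sender-side digest is what you record in your notes before the image leaves the box; a mismatch at the receiver means a truncated or corrupted transfer, not an image you can work from.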
Jamie
(@jamie)
Community Legend

I've been using Helix recently too, nice collection of tools.

Jamie

Posted : 07/10/2004 5:44 pm
darmstadtj
(@darmstadtj)
New Member

http://sourceforge.net/projects/odessa/

Posted : 08/10/2004 12:05 am
Jamie
(@jamie)
Community Legend

I'd forgotten about the Odessa project, is it still alive?

(Welcome to Forensic Focus BTW)

Jamie

Posted : 08/10/2004 12:33 am