Single File/Folder Acquisition not with FTK

laughingman_nicoli
(@laughingman_nicoli)
New Member

1. I'm on site and need to acquire one single file with all its metadata intact that resides on a virtual server in another state via a GoToMeeting.

2. In my lab I have full EnCase to view the data later.

3. I have FTK Imager and I understand I can't view AD1s in EnCase. I have a good Robocopy script (though I tried this and it wasn't working, I think due to the paths and such).

So, what are the options out there for acquiring single file/folders to view in EnCase?

Topic starter Posted : 08/04/2014 4:11 am
keydet89
(@keydet89)
Community Legend

1. I'm on site and need to acquire one single file with all its metadata intact that resides on a virtual server in another state via a GoToMeeting.

2. In my lab I have full EnCase to view the data later.

3. I have FTK Imager and I understand I can't view AD1s in EnCase. I have a good Robocopy script (though I tried this and it wasn't working, I think due to the paths and such).

So, what are the options out there for acquiring single file/folders to view in EnCase?

Not sure why you need EnCase at all. A single file (we're clearly not worried about scalability here…) is easy…you can use 'dir' to acquire the file system time stamps, depending on the OSs involved you may be able to easily query for ADSs, and then copy the file. Document what you do.

What else is necessary?

Posted : 08/04/2014 4:41 am
laughingman_nicoli
(@laughingman_nicoli)
New Member

I think one of the big problems, and why I would like to be able to view things in EnCase, is that prior to my hiring at this firm (civil litigation) someone got it into everyone's head that you need to get reports from forensic software platforms (i.e. EnCase, FTK, Nuix, etc.) for it to be redeemable in court. I know from my experience in federal criminal cases that as long as I can document things and make it so another forensic specialist can recreate it, it's good. I know the long-term answer is to re-educate the folks I work for now, but I was looking (hoping) for a short-term solution. Hope that clears up the "why" aspect.

Topic starter Posted : 08/04/2014 5:47 am
a.nham
(@a-nham)
Junior Member

I hate to say this as it costs money, but if you already have EnCase, why not take a look at EnCase Portable as well for portable acquisition? My second question is why FTK Imager in the first place, when EnCase has a free imager? It's not as complete as FTK's free imager, but if all you need is imaging and not parsing or searching, it may be something worth checking out.

Link to Guidance's imager:
https://www.guidancesoftware.com/products/Pages/Product-Forms/Forensic-Imager-download.aspx

You are right that proprietary forensic software tends to be the standard, but from what I know the court decides if you are an "expert witness" and if your evidence is "forensically sound." For example, if your software has a bug for the particular evidence that you acquired, the evidence is still discarded. Manually parsed evidence is sometimes the only evidence you can acquire (just the nature of an industry that is always changing); software just makes these automated processes faster and possibly more free of human error (debatable topic).

Yeah, you definitely need to educate them. A good starting point may be that these forensic software packages just do automatically what can be done manually, and that they are still subject to bugs and other limitations.

Hope that helps

Posted : 08/04/2014 6:41 am
mscotgrove
(@mscotgrove)
Senior Member

I would have thought the only really critical thing was that the file must not be changed. Therefore a hash taken of the file on the original hard drive would give the audit trail required. (NB: some people do not trust MD5, so take two hashes, e.g. SHA-256 as well.)

For windows, a right click and screen dump of the file properties would log the dates.

EnCase would give these details but is a sledgehammer to crack a nut.

Posted : 08/04/2014 12:39 pm
keydet89
(@keydet89)
Community Legend

For windows, a right click and screen dump of the file properties would log the dates.

The only issue I see with that is the possibility of modifying the last access date…depending upon the version of Windows, of course…which at this point, we don't know.

Posted : 08/04/2014 4:51 pm
mscotgrove
(@mscotgrove)
Senior Member

For windows, a right click and screen dump of the file properties would log the dates.

The only issue I see with that is the possibility of modifying the last access date…depending upon the version of Windows, of course…which at this point, we don't know.

I think the only way to be certain of not modifying an access date is to remove the drive and read it via a write blocker. But with virtual servers etc. this is beyond my level of knowledge.

I don't think Windows still changes the access date on a read command. You have to determine this by tests to be certain for this configuration.

Posted : 08/04/2014 6:46 pm
jhup
(@jhup)
Community Legend

If "someone's" are sticklers about "Forensic Software platforms", I would take the AD1 with FTK Imager, and when you get back home you can export the files out. You get the appropriate metadata, and you can 'justify' FTK Imager, over XCOPY or COPY.

It's the "I read it on the airplane magazine" syndrome with the software requirements…

1. I'm on site and need to acquire one single file with all its metadata intact that resides on a virtual server in another state via a GoToMeeting.

2. In my lab I have full EnCase to view the data later.

3. I have FTK Imager and I understand I can't view AD1s in EnCase. I have a good Robocopy script (though I tried this and it wasn't working, I think due to the paths and such).

So, what are the options out there for acquiring single file/folders to view in EnCase?

Posted : 08/04/2014 7:39 pm
Cults14
(@cults14)
Active Member

If it's a single file and you have access to it, can't you hash it in FTK Imager, export it using FTK Imager (which AFAIK preserves metadata), then re-hash and compare?

I've done this several times on one major case for PSTs we had to give up to outside counsel and their lit support firm, sometimes using HDDs and a couple of times using FileZilla, and every time the lit support people were happy.

And document all steps

Method also works for a small number of files

Or did I miss something?

Cheers

Posted : 09/04/2014 4:10 pm
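The steps the thread converges on (record the file system timestamps and any alternate data streams before touching the file, hash the original with two algorithms, copy, re-hash the copy and compare, and log every step) can be scripted so the documentation writes itself. The script below is an added example and is not code from any poster, from FTK Imager or from EnCase; it assumes PowerShell 4 or later on an NTFS volume (Get-FileHash and the -Stream parameter are not available in older versions) and uses placeholder paths for the source file and the acquisition folder. Timestamps are captured before the content is read because, as keydet89 notes, reading the file may update the last-access time depending on the Windows configuration; the script records that configuration with fsutil and re-reads the timestamps afterwards so any change is visible in the log.

```powershell
# Added example, not from the thread: acquire one file with a self-documenting log.
# $Source and $DestDir are placeholders; replace them with the real paths.
param(
    [string]$Source  = 'C:\evidence\source\contract.docx',
    [string]$DestDir = 'D:\acquisition'
)

New-Item -ItemType Directory -Path $DestDir -Force | Out-Null
$log = Join-Path $DestDir 'acquisition-log.txt'

function Write-Log([string]$Message) {
    # Every log line carries a local timestamp with UTC offset so the sequence is reproducible
    $line = "{0:yyyy-MM-dd HH:mm:ss.fff zzz} {1}" -f (Get-Date), $Message
    $line | Tee-Object -FilePath $log -Append
}

Write-Log "Operator: $env:USERNAME on $env:COMPUTERNAME"
Write-Log ("Windows version: " + [System.Environment]::OSVersion.VersionString)

# Whether NTFS updates last-access on read (fsutil may require an elevated prompt;
# whatever it prints is logged, including an error message)
$lastAccessSetting = (fsutil behavior query disablelastaccess) -join ' '
Write-Log "NTFS last-access setting: $lastAccessSetting"

# 1. Timestamps and attributes BEFORE the file content is read
$item = Get-Item -LiteralPath $Source -Force -ErrorAction Stop
Write-Log "Source: $($item.FullName) Size: $($item.Length) Attributes: $($item.Attributes)"
foreach ($ts in 'CreationTimeUtc', 'LastWriteTimeUtc', 'LastAccessTimeUtc') {
    Write-Log ("Before {0}: {1:o}" -f $ts, $item.$ts)
}

# 2. Alternate data streams on the source (':$DATA' is the main stream)
$sourceStreams = @(Get-Item -LiteralPath $Source -Stream * -ErrorAction SilentlyContinue)
foreach ($s in $sourceStreams) {
    Write-Log ("Source stream {0} length {1}" -f $s.Stream, $s.Length)
}

# 3. Two hashes of the original, as suggested in the thread (MD5 plus SHA-256)
$md5 = (Get-FileHash -LiteralPath $Source -Algorithm MD5    -ErrorAction Stop).Hash
$sha = (Get-FileHash -LiteralPath $Source -Algorithm SHA256 -ErrorAction Stop).Hash
Write-Log "Source MD5    $md5"
Write-Log "Source SHA256 $sha"

# 4. Copy, then re-hash the copy and compare both hashes
$dest = Join-Path $DestDir $item.Name
Copy-Item -LiteralPath $Source -Destination $dest -ErrorAction Stop
$copyMd5 = (Get-FileHash -LiteralPath $dest -Algorithm MD5    -ErrorAction Stop).Hash
$copySha = (Get-FileHash -LiteralPath $dest -Algorithm SHA256 -ErrorAction Stop).Hash
Write-Log "Copy   MD5    $copyMd5"
Write-Log "Copy   SHA256 $copySha"
if ($copyMd5 -eq $md5 -and $copySha -eq $sha) {
    Write-Log "Copy verified: both hashes match the source"
} else {
    Write-Log "HASH MISMATCH: copy does not match source"
    throw "Acquisition failed hash verification"
}

# Streams present on the copy, so a dropped ADS shows up in the log
$copyStreams = @(Get-Item -LiteralPath $dest -Stream * -ErrorAction SilentlyContinue)
foreach ($s in $copyStreams) {
    Write-Log ("Copy stream {0} length {1}" -f $s.Stream, $s.Length)
}
if ($copyStreams.Count -ne $sourceStreams.Count) {
    Write-Log "WARNING: stream count differs between source and copy"
}

# 5. Source timestamps AFTER, to show whether the acquisition touched last-access
$after = Get-Item -LiteralPath $Source -Force -ErrorAction Stop
foreach ($ts in 'CreationTimeUtc', 'LastWriteTimeUtc', 'LastAccessTimeUtc') {
    Write-Log ("After  {0}: {1:o}" -f $ts, $after.$ts)
}

# 6. Hash the finished log into a sidecar file so it can be shown unchanged later
$logHash = (Get-FileHash -LiteralPath $log -Algorithm SHA256).Hash
Set-Content -LiteralPath (Join-Path $DestDir 'acquisition-log.sha256') -Value "$logHash  acquisition-log.txt"
```

Two points worth knowing when reading the resulting log: a plain file copy carries the content (which is what the hash comparison proves) and the last-write time, but the copy's creation time reflects when the copy was made, so the original timestamps live in the log rather than on the copy; and the "after" timestamps only tell you what this workstation's read did to the source, which is the test mscotgrove says is needed for the specific configuration.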