Imaging or collecting evidence for a highly distributed and highly heterogeneous network is very cumbersome.
Although there are solutions where one can load software on the target machine, allowing remote collection, this process relies on the network connection to be present, secure, and sufficiently high in bandwidth. This is often time-consuming and expensive to achieve.
So, I am trying to find something simpler. I am aware there are commercial products that do something similar.
I would like to create bootable CD and USB images, scripted to allow collection of either a full image, only files image, or only "documents & logs".
I imagine it in the following way:
- The local IT guy receives an ISO from me.
- Local IT guy burns the ISO.
- Local IT guy walks up to the target machine, which is powered down.
- Local IT guy calls me, and I walk him through:
  - insert CD
  - power on
  - change BIOS to boot from CD/USB
  - reboot
  - script hashes itself
  - script asks for destination storage to be connected (USB, Firewire)
  - script recognizes insertion and marks it as destination
  - verify destination is clean/empty, hash?
  - script finds all possible source storage devices and lists them
  - IT guy picks source
  - IT guy picks method of collection (full, files only, "docs & logs" only)
  - script verifies there is sufficient storage on destination for selected method
  - hash source
  - collection begins
  - hash destination
  - record all steps taken onto destination
- IT guy ships me the destination device.
No need for pretty graphics. All command line would be just fine.
Any suggestion?
If not, I guess I will have to write it myself.
Greetings,
I look at that list and think "Oh my, so many places for the process to break down" and "Wow, that'll be difficult to code in a reliable, user friendly, manner."
There are several commercial solutions that I've evaluated - Titan Collector, EnCase Portable, and Pinpoint One Click Collect. They all cost real money, but all of them address most of the steps you describe above and none of them require network bandwidth.
I'm very much in favor of writing tools yourself, and am on a bit of a tear against the high cost of commercial tools, but this is one area that is complex enough that I feel the commercial solutions may be the best choice.
-David
Programmatically, the only major problem I foresee is with device recognition, in general and when inserted, especially USB and Firewire.
Where else do you see problems?
If I would write this, I would not attempt to write each piece and part initially, but would use existing tools that can do specific tasks. I would simply chain them together and allow sharing of information.
Greetings,
If you're going to chain existing tools together, a fair bit of my concern goes out the window. There's still
1) Well, it looks like you're talking about a bootable CD so it'll need to handle a wide variety of hardware and file systems.
2) There's a fair bit of user interaction which needs to be done with care.
Getting that chain to work reliably still seems like a lot of effort, and my two points above have already been done by various "forensically sound" distros.
Why not just teach your IT people to use FTK Imager or Helix?
-David
Bit of a long shot but why not contact Evidence Talks - they develop software/hardware which might be able to help.
Should have elucidated.
Although I am looking at a wide range of devices, they are all Intel-based machines from after the year 2000, running Windows XP or later.
1) Right, bootable CD/USB. Either a Linux distro, or DOS.
2) User interaction is what I would want to minimize.
In my example other than
- change/verify BIOS,
- insert CD/USB,
- select source (possibly scripted if there is only single source found),
- attached destination device
- select method (can be scripted into the image)
There should be no additional interaction.
Training on FTK Imager or Helix would, in my opinion, require much more.
The issues are language barrier, limited IT expertise, lack of willingness to learn, and limited willingness to allocate time.
I am attempting to make an "idiot proof" collection kit.
I have to look into whether FTK Imager or Helix can be scripted.
I can provide a bit of experience in attempting to do this (I only say attempting because my last version of this type of product was still beta when I left the company I did it for).
If you want to roll your own, then I would suggest looking at Linux From Scratch (http//
What I did was build a CD that would boot up and go to a command prompt. The user would be prompted to type in a command which would launch a Perl script. The script would detect the local computer's drive, then ask the user to insert the "supplied USB external drive", then detect the location of the drive (/dev/sdb, etc.), then it would mount that drive to a particular point, and finally run a script we had already been using for imaging with dcfldd (that script would take care of the imaging, hashing, etc.). Then when it was done it would unmount the USB drive and tell the user to type a command to shut the machine back down.
Now, the drive detection was the hardest part for me. Mainly because I couldn't figure out how to determine which drive was which. And even the method I came up with wasn't foolproof.
The other thing to think about is how you'll test it. I used VMs to build and test initially, and then tested on a couple of machines that I had, but I wasn't really comfortable with trying it out on a "production" job when I left.
What I would probably suggest, is you build an initial release for a specific type of scenario. Make it simple so you can repeat it a few times to get the bugs out. Then start to expand it out to other types of systems, drive types (there's a difference between how *nix sees IDE, SATA, USB, etc), etc.
What I was hoping to do long term was make a setup where I just ship one external USB/SATA drive with two partitions, one for the custom OS and one for the "destination image". Never got there though :p
Trust me once you get started you'll see there's a bit more to it that you have to consider….
But good luck with it!
Tom
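The chained-together flow jhup sketches in the first post (wait for the destination drive, check it is empty and large enough, hash, image, hash, log) and the boot-CD script Tom describes above, as an added example that is not code from either poster. It assumes a Linux live CD with a POSIX sh, dd, sha256sum (shasum as a fallback), df, awk and /sys/block; plain dd stands in for dcfldd so nothing outside busybox/coreutils is needed. Tom's "which drive is which" problem is handled by snapshotting /sys/block before and after the IT guy plugs the drive in and taking the difference, which is also jhup's step "script recognizes insertion and marks it as destination". The device names, paths and the 4 KiB sample "device" in demo() are constructed for illustration.

```shell
#!/bin/sh
# Scripted collection flow from this thread, as an added example (not jhup's
# or Tom's code). Assumes a Linux live CD with POSIX sh, dd, sha256sum (or
# shasum), df, awk and /sys/block; device names and paths are illustrative.
# Whole-disk block devices, one per line (loop, ram, optical and dm skipped).
list_block_devices() {
    ls /sys/block 2>/dev/null | grep -Ev '^(loop|ram|sr|dm-)' || true
}

# Names in "$2" absent from "$1". The destination drive is "whatever appeared
# after the IT guy plugged it in", which avoids guessing sdb vs sdc.
new_devices() {
    before=$1
    for d in $2; do
        seen=0
        for b in $before; do [ "$b" = "$d" ] && seen=1; done
        [ "$seen" -eq 0 ] && printf '%s\n' "$d"
    done
    return 0
}

# Poll until exactly one new disk appears, then print its name.
wait_for_destination() {
    before=$(list_block_devices)
    echo "Plug in the empty destination drive now..." >&2
    while :; do
        new=$(new_devices "$before" "$(list_block_devices)")
        if [ -n "$new" ] && [ "$(printf '%s\n' "$new" | wc -l)" -eq 1 ]; then
            echo "$new"; return 0
        fi
        sleep 2
    done
}
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
        cut -d' ' -f1
}
# Size in bytes of a block device, or of a regular file when testing.
byte_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}
# Free bytes on the filesystem holding $1 (df -P fixes the column layout).
free_bytes() {
    df -Pk "$1" | awk 'NR == 2 { printf "%.0f\n", $4 * 1024 }'
}
log_step() { printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$LOG"; }

# Refuse a destination that is not an empty directory or is too small.
check_destination() {
    dest=$1; src=$2
    [ -d "$dest" ] || { echo "$dest is not a directory" >&2; return 1; }
    [ -z "$(ls -A "$dest")" ] || { echo "$dest is not empty" >&2; return 1; }
    need=$(byte_size "$src"); have=$(free_bytes "$dest")
    [ "$have" -gt "$need" ] || { echo "need $need bytes, $have free" >&2; return 1; }
}

# Full image: hash the source, dd it with bs=512 so a bad sector is zero-filled
# without shifting later offsets, hash the image, log every step. Prints MATCH
# or MISMATCH. Source must be whole 512-byte sectors or conv=sync pads the image.
image_full() {
    src=$1; dest=$2; name=$(basename "$src")
    img="$dest/$name.dd"; LOG="$dest/$name.log"
    [ -f "$0" ] && log_step "script sha256=$(hash_file "$0")"
    log_step "source=$src size=$(byte_size "$src") bytes"
    src_hash=$(hash_file "$src"); log_step "source sha256=$src_hash"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>> "$LOG"
    img_hash=$(hash_file "$img"); log_step "image sha256=$img_hash"
    if [ "$src_hash" = "$img_hash" ]; then
        log_step "verify MATCH"; echo MATCH; return 0
    fi
    log_step "verify MISMATCH"; echo MISMATCH; return 1
}

# "Docs & logs" method: from a read-only mounted source tree, copy only the
# matching files, keeping relative paths and timestamps (cp -p). Filenames
# containing newlines are not handled.
collect_docs_logs() {
    root=$1; dest=$2
    ( cd "$root" && find . -type f \( -iname '*.log' -o -iname '*.evt*' \
        -o -iname '*.doc*' -o -iname '*.xls*' -o -iname '*.pdf' -o -iname '*.txt' \) ) |
    while read -r f; do
        mkdir -p "$dest/$(dirname "$f")" && cp -p "$root/$f" "$dest/$f"
    done
}

# Stand-alone demo on a constructed 4 KiB "device" file (sample data, not a
# real disk). A live-CD wrapper would call wait_for_destination, mount the new
# drive on a destination directory, then run the same steps against /dev/sda.
demo() {
    work=$(mktemp -d); src="$work/sda"; dest="$work/dest"; mkdir -p "$dest"
    yes 'constructed sample sector data' | head -c 4096 > "$src"
    check_destination "$dest" "$src" && image_full "$src" "$dest"
    cat "$dest/sda.log"
    rm -rf "$work"
}

case "${1:-}" in demo) demo ;; esac
```

Run `sh collect.sh demo` to see the log a shipped drive would carry. On a real job the source hash alone reads the whole disk once before imaging, so a 500 GB drive costs three full passes (hash, image, verify); dcfldd or dc3dd compute the source hash while copying and cut that to two, which is the main reason to swap them in once the boot media is stable.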
jhup said "I am attempting to make an "idiot proof" collection kit."
But then they'll hire a better idiot. lol
My solution isn't Open Source but it works for me.
I use ProDiscover Incident Response. It has an agent that can be pushed out silently to systems of interest to capture live disk and memory images. It can even capture the BIOS. Oh yeah, it's scriptable in Perl and no dongle.
I have a laptop and USB Storage (WinXP) that I can deploy to remote locations, in the US. I use remote desktop to login to the system. This way I can capture the image at LAN speed rather than WAN speed. All I need at the remote site is someone that can plug the system in to the network and power, then power it on. When I'm done they ship it back.
TonyC