Buffalo Terastation NAS

(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

I have come across these in a live situation before but this is the first time that one has been passed to me.
Any thoughts on the best way to tackle this? What is the "cleanest" methodology? I could image each of the 4 drives directly and attempt to reconstruct the RAID but that tends to be a last resort with me. Client is happy with an image of the logical volume so physical images of all 4 drives is not required.


   
(@fresponse_s)
Trusted Member
Joined: 17 years ago
Posts: 70
 

Can you connect to the NAS via Microsoft iSCSI Initiator?


   
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

I've imaged Buffalos logically over a LAN in a training situation using FTK Imager. I seem to recall that I mapped a drive to the NAS first, then ran FTK. (If you want I can pull my Buffalo out, give it a run tomorrow and tell you what works for me here.)

As you said, unless you need to look into slack or unallocated space, doing a logical image will prevent you from having to deal with XFS or reconstructing a hardware RAID5. Not necessarily a big deal, but why do it if you don't need to?

You may want to set up a small LAN with only your imaging box, a router/switch, and the NAS on it in order to keep it isolated & clean. You may also want to use an external HD or RAID on your imaging box to store the image - it could be rather large.

As long as you have no difficulties accessing the NAS or with the fact that its IP address on your network may be different than on the one it was originally located on, it shouldn't be a problem.

I would make notes on the network setup as well as the NAS's configuration settings, MAC address, etc., however, just in case there are any network related questions or issues that eventually pop up.

You may want to power it up before connecting it to your new LAN in order to get its original network settings. If I recall, they should flash across the LED screen on the front of the NAS.

(And don't forget to take good notes about what you do.)

Here's a short list of some of the info you might want to record:
Administrator Username
Administrator Password
Date & time on NAS, imaging box, wall time
NAS time zone
NAS IP, subnet mask, MAC address
RAID mode (e.g. RAID2)
Number of disks
Disk structure (e.g. 1,2,3,4)
Total disk capacity
Total space used
File format (XFS?)

If a lot of this is self evident, I hope you'll forgive me.

I hope it helps a little.


   
(@mobileforensicswales)
Reputable Member
Joined: 17 years ago
Posts: 274
 

If you know the RAID configuration of the NAS box i.e. is it RAID 1234 or 5 (This is usually configured via a series of jumpers in the back of the device or the device will have a default)

You can then disassemble the NAS box making note of the order in which the drives were RAID'ed, image them individually and load them into EnCase. In EnCase you can then right hand click on each drive and edit their drive configuration and replicate the RAID in EnCase.


   
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

I’m still tempted to say that you should set it up on a LAN and image it live.

You won’t change the time stamps or any of the configuration settings except for the IP, DNS, and some of the other network information. The Terastation’s log file will record what you have done on the system, so you may want to download that too.

As for my previous posting, my bad…

My Terastation ("Buffalo Terastation Live") gives itself an APIPA address if you power it up without connecting it to a network so I wasn't able to get old network settings.

When connected to the network it used DHCP to obtain an address - which is why you may want to use a small home router on the LAN in order to hand out an IP address to it.

Also, I just tried to connect to it without installing the connection software from the CD that comes with it. No go… I had to run the "Connect this PC to TeraStation" option. After that a network share for it showed up on my PC.

At that point I was able to image the Terastation share using FTK Imager and selecting the "Contents of a Folder" option for the image.

As for accessing the configuration settings, I did it by typing in the machine's IP address into my browser, and logging on.

On the settings front, the Share, User, and Group information might be important if you are interested in determining who had access to the different folders on the NAS.

I was able to save the web pages containing the settings information by using the FILE > SAVE AS option in IE. It was messy however and required renaming the pages. The pages are written using CGI scripts and don't save well. But if you’ve encountered them live, you probably know all about this.

When I save log files or settings info off of home routers or other devices that can only be accessed via a browser, I always check carefully to make sure I get what I wanted. This is one of those cases where screen shots or a tool like Snagit might work better. Then again you could just copy out the info into a Word or text file and MD5 those files when you're done.

I needed the administrator logon and password to do all this. If you don't have it, you may have no other option except to pull out and image the drives. Finally, I did this on a "Terastation Live" and presumably other models will have different behaviours/peculiarities/issues.

As for how "clean" this is, I suppose that's the old dead vs. live problem. Nothing I did altered the imaged files’ contents or time stamps. I did alter the IP settings and the log file, but since the system doesn’t keep them anyway once it’s turned off, that’s kind of moot. Were some of the OS files modified when the system was turned on or connected to the new network? Maybe, but it sounds like in your situation that’s not important.


   
ReplyQuote
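The "MD5 those files when you're done" step from the post above, as an added example (not part of the original thread and not any poster's code): it hashes every saved settings page, screenshot or notes file in a folder and can re-check them later. The function names and manifest layout are assumptions, and SHA-256 is recorded alongside the MD5 the post mentions.

```python
import hashlib
import json
import os
import sys
from datetime import datetime, timezone

def hash_file(path, chunk_size=1024 * 1024):
    """Return (md5, sha256) hex digests, reading in chunks so large files fit in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def build_manifest(evidence_dir):
    """Map each relative path under evidence_dir to its size, mtime (UTC) and hashes."""
    manifest = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, evidence_dir).replace(os.sep, "/")
            st = os.stat(full)
            md5, sha256 = hash_file(full)
            manifest[rel] = {
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "md5": md5,
                "sha256": sha256,
            }
    return manifest

def verify_manifest(evidence_dir, manifest):
    """Re-hash the folder and report files that changed, vanished or appeared."""
    current = build_manifest(evidence_dir)
    return {
        "modified": sorted(p for p in manifest if p in current
                           and current[p]["sha256"] != manifest[p]["sha256"]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }

if __name__ == "__main__":
    # Usage: script.py <folder of saved pages/notes> <manifest.json stored elsewhere>
    result = build_manifest(sys.argv[1])
    with open(sys.argv[2], "w", encoding="utf-8") as out:
        json.dump(result, out, indent=2, sort_keys=True)
```

Write the manifest outside the folder being hashed, otherwise it will show up as an added file on the next verification.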
(@mobileforensicswales)
Reputable Member
Joined: 17 years ago
Posts: 274
 

Don't mean to P*** on anyone's chips but if you image the drive as a network share you won't get any unallocated clusters. Just a thought.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

erowe, many thanks for such detailed info.

Your methodology was basically what I was anticipating but you have given more info than I expected. Yes, it is a compromise, but sometimes that's just the way it is.

Next issue, I don't have the CD you referred to but assume I can get it from the Buffalo website.


   
erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

"Don't mean to P*** on anyone's chips but if you image the drive as a network share you won't get any unallocated clusters. Just a thought."

I agree, but as was stated by pbeardmore "Client is happy with an image of the logical volume". To me that means no slack or unallocated needed.

Also, do you want/need/have-the-time to go through potentially Terabytes worth of unallocated…

Maybe because I'm mostly involved in live network & server related forensics, I'm a little wary of grabbing that much data unless I expect a big payoff for it or problems if I don't seize it.

At some point you have to do some triage unless you have a client with big pockets.

I guess the other question is what are you after? Images, databases, spreadsheets, documents? If I were looking for child porn, I would definitely look at unallocated in case the images had been deleted. If I were looking for sales or fraud related info in a database, I probably wouldn't.


   
 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

EnCase can't handle any type of NAS. It's proprietary, not something like NTFS or FAT.


   
(@pbeardmore)
Reputable Member
Joined: 18 years ago
Posts: 289
Topic starter  

I am in danger of widening this discussion but I think the days of automatically making a physical image of every drive within an investigation are numbered.

For various reasons, a more focused selection of data capture has to be a developing trend over the medium term.


   