Hi All
I have not personally imaged over a network but I have seen this done using EnCase Enterprise. As mentioned it is particularly expensive but I would say well worth the money for a big organisation. To be able to do it though a servlet must be placed on the PC that is to be imaged. Guidance swear that this servlet will stand up in court as not interfering with evidence just enabling remote imaging to take place. In a large organisation these servlets could be made part of the standard build making any PC immediately available to review and/or image.
Using enterprise over a network also enables you to review the RAM of a PC during an attack, something not possible when imaging a "dead" PC.
Being a huge proponent of open source tools (until I get my commercial tool set together, that is...), the easiest way to image a disk across a network using open source tools is to use dd/sdd/dcfldd and netcat or cryptcat. No, it's not fast, but it works and it's free!
A quick method is to do this.
On the machine you want to create the image on, start a netcat listener and pipe it to a file as follows:
nc -l -p <arbitrary port> | dd of=/path/to/file
so: nc -l -p 10000 | dd of=/fevidence/case001.img
On the evidence machine, you would have to run something like this (from a clean media source):
dd if=/dev/hda | nc 1.2.3.4 10000
For those that question the accuracy of programs like dd, the NIJ released this report early this year:
A few excellent tools are:
Helix:
F.I.R.E
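The dd-and-netcat pipeline above, as an added example that is not from the thread: the same two ends of the pipe, with an MD5 computed on both the evidence machine and the collection box so the received image can be checked against the source. The function names, port and paths are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread: the dd | nc pipeline with an MD5
# computed on both ends so the received image can be checked against the source.
# Function names, port and path values are assumptions for illustration.

# Receiver side (what sits behind "nc -l -p <port>" on the collection box):
# read the raw stream from stdin, write it to the image file and hash the same
# bytes in one pass. Refuses to overwrite an existing image. Prints the MD5.
receive_image() {
    out="$1"
    if [ -e "$out" ]; then
        echo "receive_image: $out already exists, refusing to overwrite" >&2
        return 1
    fi
    tee "$out" | md5sum | awk '{print $1}' > "$out.md5"
    cat "$out.md5"
}

# Hash the source device in a separate pass on the evidence machine. The
# device must not change between this pass and the imaging pass (write blocker
# or a read-only clean boot), otherwise the hashes will legitimately differ.
hash_source() {
    md5sum < "$1" | awk '{print $1}'
}

# Sender side: stream the device to stdout, as "dd if=/dev/hda" in the post,
# with a larger block size than dd's 512-byte default.
send_image() {
    dd if="$1" bs=1M 2>/dev/null
}

# Exit status 0 when both hashes are present and identical, 1 otherwise.
verify_image() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Network wrappers using the traditional netcat syntax from the post
# (OpenBSD nc does not accept -p together with -l; use "nc -l 10000" there).
# Collection workstation:   receive_over_nc 10000 /fevidence/case001.img
receive_over_nc() {
    nc -l -p "$1" | receive_image "$2"
}
# Evidence machine, booted from clean media:
#   hash_source /dev/hda > /mnt/usb/case001.src.md5
#   send_over_nc /dev/hda 1.2.3.4 10000
send_over_nc() {
    send_image "$1" | nc "$2" "$3"
}
```

Compare the hash printed by receive_image with the one saved by hash_source; a mismatch means the image is not a faithful copy and must be re-acquired.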
I've been using Helix recently too, nice collection of tools.
Jamie
I'd forgotten about the Odessa project, is it still alive?
(Welcome to Forensic Focus BTW)
Jamie
Thanks for the welcome…your site is great. Yes, ODESSA is still up and running from what I hear.
I followed your link for Helix and downloaded the ISO. Wow - I love it to bits.
Over the last week I have been imaging locally using it and the graphical dd front end, GRAB, also written by Helix's author. It is fast and simplistic, and split the dd image without any trouble whatsoever. What a cool piece of kit.
I have been practicing with it and can tell straight away it's quite fast, it verifies an MD5 hash, and can compress an image - just like the EnCase acquire function. I did a 40 GB HDD with a FAT32 file system in about an hour, which, as an alternative to using an expensive piece of hardware like FastBloc, is not to be sniffed at. I was able to import the dd image file into EnCase and examine the file structure.
Andy
Hmmm, I couldn't get GRAB to work and had to revert to the command line (good practice I guess!). Mind you, I was using an ancient hardware setup…most of my time was spent fiddling with the HELIX startup options just to bring up the screen 😡
Jamie
Hi Jamie, a mistake I made at first was that I forgot to mount the target drive at /mnt/mynamedfolder. You have to do this at the command line (I used the forensic shell).
It needs to be done like this: mkdir /mnt/mynamedfolder (I used ‘dest’ as my destination folder name).
I had a source drive as hdb1 and my target hda1.
Then I used the command mount -t auto -o rw /dev/hda1 /mnt/dest
This mounted my destination drive hda1 in read/write mode. I then powered up GRAB and selected hdb as source and manually typed /mnt/dest in the destination field.
GRAB then trundled away imaging, and verifying at the end. It was quick, far quicker than I expected. GRAB also allows you to compress the final image file (just like EnCase).
I was able to add the final raw dd image file into EnCase, find the boot record and directory entry at sector 63 and rebuild the file structure. Bang, there it was, ready for investigation in EnCase.
I don't know why you had startup problems with it. It worked fine for me; I just allowed it to boot and it worked just fine. You might want to check you got the whole ISO downloaded correctly; check its MD5 hash against the one listed on the web site. You might have a corrupt download. I had a similar problem with PSK - Knoppix a while back.
Andy
Thanks Andy. It's been a couple of weeks since I used HELIX and to the best of my recollection I was mounting the target drive correctly before trying to use GRAB (or, more accurately, I'd already gone through the stage where I thought "Why isn't this working?" and then realised the drive wasn't mounted 😳 )
I suspect the problem may have just been the age and inadequacy of the hardware I was using at the time (a very old, low RAM PC). That accounted for the startup problems at least, I had to boot using the "failsafe" mode and set the screen refresh rates manually before I could get things up and running (the MD5 was OK).
I plan to try HELIX again on a more suitable platform soon!
Jamie