Imaging Arrays/Folders from Remote servers

jklittle
(@jklittle)
Active Member
Joined: 18 years ago
Posts: 6
Topic starter  

Good day all, I had previously posted a question on the imaging of users' home drives. I got some great info and used that to ask the 'hard' questions of management for them to make the tough choice. However, I found out that using FTK Imager Lite, it took an unusually long time to collect an image from a remote server, around 850 MB, over a T1! I also noticed that the resultant file was only about 500 MB. I am guessing this is from the compression settings in FTK Imager Lite. Since we, my agency, are new to Forensic Analysis, I am working through each problem, and as a result constantly improving upon my skills and developing Policies and Best Practices for our agency. Sorry for the long post, but I felt the background was important. My thoughts on how to speed up the process are these:
1. I would burn FTK Imager Lite to CD-ROM.
2. Create an ISO from that CD-ROM (I could still use the CD-ROM when on site).
3. Using the M$ Virtual CD-ROM Toolkit, mount the ISO on the respective server when I need to image a user's Home Drive.
4. Image the user's folder locally.
5. Perform an MD5 hash on the image created.
6. Copy the image to our storage server.
7. Rerun an MD5 hash on the copied image, and verify the hashes.
8. Unmount the ISO.
I feel this would speed up the process of imaging and hashing an 850 MB user's folder, as it would place the processing locally on the server; then the network would just copy the file.

Are there any inherent issues that I am not seeing?
Is this a Forensically sound process?
What are the pitfalls, I may run into?

Please keep in mind that travel to these sites is not realistic; for example, I was asked to image 6 users' folders in one day, and they were in three different locations, the farthest being 3 hours away. It took almost 6 hours to image about 3.8 gigs of data across the LAN. Also, could I reduce the time considerably and just get the latest backup from our backup software, copy the files to my local machine and do the image from there? I would think this would not be the best choice forensically?
Thoughts? Concerns? Comments?


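The eight steps above, as an added example that is not part of jklittle's post and is not code from FTK Imager or any other AccessData product. It assumes a plain zip file standing in for the image and a local directory standing in for the storage server (both my assumptions, so the procedure runs offline). It records two separate hashes on purpose: an imaging tool's acquisition hash covers the data it captured, while the MD5 of the compressed image file sitting on disk is a different number. The first catches a bad acquisition, the second catches a bad copy, and an acquisition note that does not say which is which is hard to defend later.

```python
"""Added example, not from the original post or from any AccessData tool:
a hash-verified logical acquisition of a user folder, following the
image -> hash -> copy -> re-hash -> verify steps of the procedure above.

Assumed stand-ins (mine, not the poster's): a zip container is the "image",
a second directory is the "storage server".  Two hashes are recorded:
  * content hash: over the files actually captured, recomputable from the
    container alone regardless of compression level
  * container hash: over the image file itself, before and after the copy
"""
import hashlib
import os
import shutil
import tempfile
import zipfile
import zlib


def hash_file(path, algo="md5", chunk=1 << 20):
    """Hash a file in 1 MiB chunks so a large image need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire_folder(src_dir, image_path):
    """Write a compressed logical image of src_dir (step 4) and return
    (content_hash, container_hash) (step 5).  The content hash chains each
    archive name and per-file MD5 in sorted order, so it does not depend on
    directory walk order or on how the container was compressed."""
    entries = []
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            arc = os.path.relpath(full, src_dir).replace(os.sep, "/")
            entries.append((arc, full))
    entries.sort()

    content = hashlib.md5()
    with zipfile.ZipFile(image_path, "w", zipfile.ZIP_DEFLATED) as z:
        for arc, full in entries:
            content.update(arc.encode() + b"\0")
            content.update(hash_file(full).encode() + b"\0")
            z.write(full, arc)
    return content.hexdigest(), hash_file(image_path)


def transfer_and_verify(image_path, dest_dir, expected_container_hash):
    """Copy the image to storage and re-hash the copy (steps 6 and 7)."""
    dest = os.path.join(dest_dir, os.path.basename(image_path))
    shutil.copy2(image_path, dest)
    return hash_file(dest) == expected_container_hash, dest


def verify_content(image_path, expected_content_hash):
    """Recompute the content hash from the container alone, as an examiner
    on the storage server would, without access to the original server."""
    content = hashlib.md5()
    try:
        with zipfile.ZipFile(image_path) as z:
            for info in sorted(z.infolist(), key=lambda i: i.filename):
                data = z.read(info)  # raises on CRC or deflate errors
                content.update(info.filename.encode() + b"\0")
                content.update(hashlib.md5(data).hexdigest().encode() + b"\0")
    except (zipfile.BadZipFile, zlib.error, EOFError):
        return False
    return content.hexdigest() == expected_content_hash


def demo():
    """Run the procedure on constructed sample data (a tiny home folder)."""
    work = tempfile.mkdtemp(prefix="acq_")
    home = os.path.join(work, "home", "jdoe")
    os.makedirs(os.path.join(home, "docs"))
    with open(os.path.join(home, "docs", "memo.txt"), "w") as f:
        f.write("quarterly numbers\n" * 500)  # highly compressible
    with open(os.path.join(home, "notes.txt"), "w") as f:
        f.write("meeting notes\n")

    image = os.path.join(work, "jdoe.zip")
    content_hash, container_hash = acquire_folder(home, image)

    storage = os.path.join(work, "storage")
    os.makedirs(storage)
    transfer_ok, stored = transfer_and_verify(image, storage, container_hash)
    content_ok = verify_content(stored, content_hash)

    # Simulate corruption in transit: flip one byte inside the compressed
    # data of the first entry (30-byte local header + 13-byte name = 43).
    tampered = stored + ".bad"
    shutil.copy2(stored, tampered)
    with open(tampered, "r+b") as f:
        f.seek(50)
        b = f.read(1)[0]
        f.seek(50)
        f.write(bytes([b ^ 0xFF]))

    return {
        "content_hash": content_hash,
        "container_hash": container_hash,
        "transfer_ok": transfer_ok,
        "content_ok": content_ok,
        "tampered_container_ok": hash_file(tampered) == container_hash,
        "tampered_content_ok": verify_content(tampered, content_hash),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the values: the untouched copy passes both checks and the corrupted copy fails both, and the two recorded hashes are never the same value. With FTK Imager's E01 output the counterpart of the content hash is the acquisition hash the tool computes and verifies at the end of imaging, so the practical addition to the list above is to write that acquisition hash into the notes separately from the MD5 of the file that is copied and re-hashed in steps 6 and 7.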
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

Have you taken any of Accessdata's classes?


jklittle
(@jklittle)
Active Member
Joined: 18 years ago
Posts: 6
Topic starter  

Have you taken any of Accessdata's classes?

No I haven't, we have just created the P.O. to get the Ultimate Toolkit and a Forensic workstation. I was hoping that AccessData would have classes online, but I haven't looked into it yet.


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Have you been in contact with anyone from BCI regarding Best Practices? I believe this may save you from recreating the wheel.

If you are imaging servers over the wire it will take a very long time on a T1 (as your traffic is probably not the only data flowing through the pipe).

Consider that FTK may not be the best tool for what you are doing. Perhaps you would be better served with a combination of network tools like ProDiscover Investigator or Incident Response, EnCase Enterprise, FBI from Nuix for E-Mail examination, etc.

As for your process, I do not anticipate that you will see a marked decrease in the amount of time it takes to image locally and then move the image over the wire versus just imaging remotely. The only way you would see a decrease in time is moving the files after hours, but then you increase the time required by waiting around to move the files.

Pitfalls: security of your image on the remote server, the space required for your image (does every location have an additional server to image to?), and implications (real or perceived) about the media you are copying your image to at the remote location.

Examining a backup is not the same as looking at the drive on which the data resides. Backups do not make a byte by byte copy of the drive.

Just some quick thoughts.


jklittle
(@jklittle)
Active Member
Joined: 18 years ago
Posts: 6
Topic starter  

I am all about not reinventing the wheel; I am just short on time like everyone else. I have contacted BCI and OSP and got voicemail. When I am out of training this week, I will be making follow-up calls. Best I can do. I appreciate the time everyone takes to answer noob Qs.


 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

It sounds like you need Encase Enterprise or Pro Discover. Both tools are made for exactly what you are trying to do. They push out an agent to the server in question then allow you to image remotely. Take a look at the below links.
http://www.techpathways.com/prodiscoverin.htm
http://www.encase.com/products/ee_index.aspx


iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
 

R-Studio is also a best-price solution in this kind of environment.


 Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

R-Studio is also a best-price solution in this kind of environment.

I thought R-Studio only allowed you to write your image to a network share; I didn't realize that you can image across the network. I'll have to take a second look at the product.

