Imaging through Remote Desktop connection

(@chitapett)
Estimable Member
Joined: 18 years ago
Posts: 76
Topic starter  

I've been tasked with imaging a (250GB+) hard drive off a running server remotely. I don't have access to the machine, nor can I have a HD connected to it. I'm trying to image the device through FTK Imager Lite via a Remote Desktop connection, using a USB HD connected to my imaging computer to store the forensic image. I'm looking at the ETA and it says that it will take 520 hours to complete (21 days). I'm using 9 (high) compression to reduce the amount of data I have to transfer via the Internet.

Question: Has anyone done this before, and will the ETA count down rapidly at any point? (21 days is a long time.)

Any other comments or suggestions would be greatly appreciated.


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

So… are you (network) local to the server? How are you seeing the drive/volumes on your examination machine? Could you do a target collection of the logical files as opposed to a disk image?

Just re-read the OP… Internet? Are you going over the Internet to a public IP with the RDP port routed?


   
(@chitapett)
Estimable Member
Joined: 18 years ago
Posts: 76
Topic starter  

Thank you douglasbrush,

The network is not local to the server. I'm imaging the server using FTK Imager running off the server and not my examination machine, writing the data to a HD which I have set up to share using the Remote Desktop Options > Local Resources option.

If I could do a targeted collection, then the amount of data to transfer would be drastically reduced and thus make this a much easier process. Trying to get approval for that. I guess I would robocopy the target data, then zip it and FTP the ZIPs? Thoughts?


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I assume Doug is intimating that you may have issues with Data In Transit security standards using your current method.


   
(@chitapett)
Estimable Member
Joined: 18 years ago
Posts: 76
Topic starter  

Didn't get that from his post, but I'm using the AD Encryption setting.


   
(@georgefan)
Eminent Member
Joined: 14 years ago
Posts: 27
 

I think it is common for it to take that long via WAN; it is tough work to remotely image a big 250GB drive.


   
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

You could run a test… Create an image of any handy drive with a similar OS using the same options you're using remotely. Determine the image size and scale it up or down to bring it in line with your 250GB real source. Now, determine your bandwidth. Lastly, calculate how long your test image would take over that connection.

I'd not want to image 250GB over a LAN, much less a WAN using RDP. There's really no other way to do this?

-David


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

Ok so maybe I was baiting a little 😉

What about using RDP or LogMeIn* to a machine on the same subnet/segment? Then RDP from that host to the server to set up F-Response so you can collect the physical drive via iSCSI?

Have that computer with a collection drive (USB is ok - eSATA or FireWire would be better) in the same locale as the server.

Run F-Response with FTK Imager. Verify, etc.

Copy image to secondary drive. Verify, etc.

Ship one overnight. Verify in lab. Then second on second day.

Make sure whoever is on the collection end fills out our CoCs and sends copies with drives.

Alternative is to ship a laptop pre-configured and have someone with some IT skills get it on the network so you can do the collection process described above.

Your first option should be trying to get "behind the firewall" as much as you can. In and out of NATs, ports, wires, firewalls, the Internet, etc. just has too many failure points, security concerns and speed issues.

* I like LogMeIn because it has some nice built in auditing capabilities on both the free and paid flavors. Also all the communication is encrypted.


   
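One way to make the "robocopy, zip, FTP" path proposed above and the "Verify, etc." steps in the F-Response plan defensible, as an added example that is not from any poster in this thread nor from FTK Imager, robocopy or F-Response: hash every collected file into a manifest before packaging, ship the manifest alongside the ZIPs, and re-hash on receipt so corruption in transit, dropped files and stray extras are caught before the copy is signed off. The directory layout, file names and contents are constructed for the demo; nothing is read from a real collection.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large evidence files are not read into memory

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Hash every file under root; keys are root-relative paths with forward slashes."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(p), "size": p.stat().st_size}
    return manifest

def verify_manifest(root: Path, manifest: dict) -> dict:
    """Re-hash the received copy and report missing, changed and unexpected files."""
    current = build_manifest(root)
    return {
        "missing": [r for r in manifest if r not in current],
        "changed": [r for r in manifest if r in current and current[r]["sha256"] != manifest[r]["sha256"]],
        "extra": [r for r in current if r not in manifest],
    }

def run_demo() -> dict:
    """Constructed data: a tiny 'collection' and a copy standing in for the transferred set."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst, mpath = Path(tmp, "collection"), Path(tmp, "received"), Path(tmp, "manifest.json")
        (src / "logs").mkdir(parents=True)
        (src / "logs" / "app.log").write_bytes(b"2013-01-01 login ok\n" * 500)
        (src / "config.ini").write_bytes(b"[server]\nport=3389\n")
        mpath.write_text(json.dumps(build_manifest(src), indent=2))  # travels with the ZIPs
        shutil.copytree(src, dst)
        clean = verify_manifest(dst, json.loads(mpath.read_text()))
        # Simulate problems in transit: a corrupted file, a dropped file and a stray extra.
        (dst / "logs" / "app.log").write_bytes(b"truncated")
        (dst / "config.ini").unlink()
        (dst / "stray.tmp").write_bytes(b"x")
        return {"clean": clean, "damaged": verify_manifest(dst, json.loads(mpath.read_text()))}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script prints an all-empty report for the intact copy and a report naming each damaged path for the tampered one; on a real job the manifest would be generated on the collection side before zipping and checked against the unpacked files on the receiving side.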
(@isth)
Trusted Member
Joined: 15 years ago
Posts: 65
 

Is there any other location on the server you can store the FTK Lite image? Performing the live acquisition to another share and transferring via FTP would be less complex. If the bandwidth is good you can get the image in ~24 hours.


   
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

By the way, I have seen robocopy choke on large number (300K+) of files for some reason on Win7Ent…


   