Imaging users home drives

7 Posts
4 Users
0 Reactions
343 Views
jklittle
(@jklittle)
Active Member
Joined: 18 years ago
Posts: 6
Topic starter  

Hello all, in our environment we have the users using local machines, obviously, but their My Documents (MD) are mapped to a network folder. Typically this folder resides with other users' folders on a RAID 5. I was wondering about capturing the slack space on the RAID 5 when imaging the user's folder. I am not sure if this is necessary or even practical since most of our RAID 5s are 400 gigs or more, and I would think that to get the slack space you would need to image the entire array. Am I overthinking the problem or understating the reality of the situation?

What have others done in this situation? The entire array, or just the folder and its contents? And the reasons why one over the other? Thanks.

(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Am I overthinking the problem or understating the reality of the situation?

No just realizing the breadth of the opportunity to miss possible evidence.

What have others done in this situation? The entire array, or just the folder and its contents? And the reasons why one over the other? Thanks.

The more locations you spread data across, the more locations that need to be imaged and analyzed. This will also make you appreciate some of the tools that track what users do on your network, and some of the compliance tools (HIPAA, SarbOx, etc.) that are available. It will also make you more focused as an investigator so that you learn what you need and what can be discounted.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

What have others done in this situation? The entire array, or just the folder and its contents? And the reasons why one over the other? Thanks.

The more locations you spread data across, the more locations that need to be imaged and analyzed.

Jk asked "what have you done…?" I'm curious as well…have you encountered such a situation, and what have you done?

This will also make you appreciate some of the tools that track what users do on your network, and some of the compliance tools (HIPAA, SarbOx, etc.) that are available.

I'm not sure that I understand your statement clearly…HIPAA is a compliance standard…but I guess if it tells you what standard you need to attain, then in some senses, it is a tool, even if just a directional one…

H

(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Jk asked "what have you done…?" I'm curious as well…have you encountered such a situation, and what have you done?

I guess I should have been less cryptic. If a user has permissions to save files on a server (or is automatically redirected to a folder) and you suspect misdeeds, then it is prudent to image the network drives where evidence may exist (unfortunately this means imaging the huge arrays on servers). I have had to do this on numerous occasions. An example: a user was surfing/downloading inappropriate sites during work and then copying the files to a flash drive. Volume Shadow Copy ran several times during the day. If I had not imaged the servers, all the data on the server would have been lost and I would have had to rely on just what was found on the local machine. Another example: an MS SBS environment, with user folders redirected to the SBS server. The user was creating invoices and false expense reports in Excel. If I had not imaged the server (and the backups) I would only have had fragments of the false documents.

I'm not sure that I understand your statement clearly…HIPAA is a compliance standard…but I guess if it tells you what standard you need to attain, then in some senses, it is a tool, even if just a directional one…

HIPAA & SarbOx are standards but there are several tools on the market that can be purchased to help companies stay in compliance. Many of these tools track what users are doing. InBoxer is one of those tools. It combines E-Mail archiving, e-Discovery and content-monitoring. EMC Corp has numerous appliances (and software tools) that help with compliance. Rainfinity and nLayer help automate archiving and compliance across file servers and E-Mail servers.

Of course, while these tools aim to make the lives of administrators easier, they also add to the complexity of an investigation because they increase the breadth of what must be examined. Because just as a second set of books can be created and hidden, someone looking to hide misdeeds can create false reports or logs.

jklittle
(@jklittle)
Active Member
Joined: 18 years ago
Posts: 6
Topic starter  

Wow, some items I never thought about. Thanks for the input! Though I think in our environment, State Government, unfortunately we are not going to cause issues for the end users that are not under investigation by taking the server offline so I can forensically image the RAID that may have evidence in the slack space. Or maybe I need to ask the question: will FTK or EnCase image the RAID to include the slack space while the server is running and being accessed? If so, how are investigators dealing with the extra data that doesn't pertain to the investigation?

(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

I would suggest reaching out to the folks at BCI in Richfield for some guidance on protocol. If you image the server while it is running, especially if you are imaging a large array, changes during the imaging process will be missed. From my point of view, you image a drive(s) to capture a point in time. If you want to investigate a live environment there are other tools that are better suited to the task.

Dealing with the extraneous data, especially in a server environment, is a twofold problem: there is the volume of data, and there is the data that is not part of the investigation. The volume of data is a problem because of the amount of space/number of drives it takes to capture the data and the amount of time it takes to examine the data. In a corporate/government environment you have policies for usage, and anything that happens using the business equipment is basically fair game, so there should be no issues looking at the data on any drive even if it is not relevant to the investigation.

Earn
(@earn)
Estimable Member
Joined: 20 years ago
Posts: 146
 

Wow, some items I never thought about. Thanks for the input! Though I think in our environment, State Government, unfortunately we are not going to cause issues for the end users that are not under investigation by taking the server offline so I can forensically image the RAID that may have evidence in the slack space. Or maybe I need to ask the question: will FTK or EnCase image the RAID to include the slack space while the server is running and being accessed? If so, how are investigators dealing with the extra data that doesn't pertain to the investigation?

A logical image using EnCase or FTK will not get slack space. Using LinEn is the best way to capture the array if using EnCase, but you have to take the server down and it will take hours depending on the size.

If you end up having to capture it live you need to make sure the services are stopped and remove it from the network. I would suggest looking into getting something like ProDiscover Investigator, which uses an agent for remote server capture.
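As an added illustration (not from any post in this thread) of why a logical file copy misses slack while a sector-level image keeps it, here is a constructed toy volume in Python: a file is written over clusters that previously held a deleted file, and the logical copy, the physical extent and the file slack are compared. The cluster and sector sizes, the NTFS-like zeroing of the last sector's tail, and the "deleted data" residue pattern are all assumptions of the example.

```python
CLUSTER = 4096   # allocation unit of the toy filesystem (assumed)
SECTOR = 512     # physical sector size (assumed)

def make_volume(clusters: int, residue: bytes = b"OLD-DELETED-DATA-") -> bytearray:
    """Constructed volume: every cluster is pre-filled with leftovers of an
    earlier, deleted file, standing in for previously used space on the array."""
    pattern = (residue * (CLUSTER // len(residue) + 1))[:CLUSTER]
    return bytearray(pattern * clusters)

def write_file(vol: bytearray, start_cluster: int, data: bytes) -> dict:
    """Store a file in consecutive clusters the way a simple filesystem does.
    Assumed NTFS-like behaviour: the tail of the last sector is zeroed, but
    the unused sectors of the last cluster keep their old contents (file slack)."""
    start = start_cluster * CLUSTER
    end = start + len(data)
    vol[start:end] = data
    sector_end = end + (-len(data)) % SECTOR      # round up to sector boundary
    vol[end:sector_end] = bytes(sector_end - end)  # zero the partial sector only
    return {"start": start_cluster, "size": len(data),
            "clusters": -(-len(data) // CLUSTER)}

def logical_copy(vol: bytearray, entry: dict) -> bytes:
    """What a logical (file-level) acquisition returns: the file's bytes only."""
    start = entry["start"] * CLUSTER
    return bytes(vol[start:start + entry["size"]])

def allocated_extent(vol: bytearray, entry: dict) -> bytes:
    """What a physical (sector-level) image holds for the same clusters."""
    start = entry["start"] * CLUSTER
    return bytes(vol[start:start + entry["clusters"] * CLUSTER])

def file_slack(vol: bytearray, entry: dict) -> bytes:
    """Bytes inside the allocated clusters but past the end of the file."""
    return allocated_extent(vol, entry)[entry["size"]:]

def slack_report(vol: bytearray, entry: dict) -> dict:
    """Split slack into the zeroed sector tail and the residue-bearing remainder."""
    slack = file_slack(vol, entry)
    zeroed = (-entry["size"]) % SECTOR
    return {"file_bytes": entry["size"], "slack_bytes": len(slack),
            "zeroed_bytes": zeroed, "residual_bytes": len(slack) - zeroed,
            "residue_in_slack": b"DELETED" in slack[zeroed:],
            "residue_in_logical": b"DELETED" in logical_copy(vol, entry)}

if __name__ == "__main__":
    vol = make_volume(4)
    doc = write_file(vol, 1, b"Q3 expense report - revised totals " * 30)  # 1050 bytes
    print(slack_report(vol, doc))
```

The report shows the earlier file's residue only in the slack bytes, which is exactly the portion a file-level copy of the user's folder never reads.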
