Hello,
asking for advice in the following situation. I am trying to acquire a disk image from a laptop. Dismantling the case to take out the HD is not an option. I understand the best option then would be the following:
- booting the evidence laptop from a forensic programme on a CD (or USB stick)
- acquiring disk image through USB, transferring it into an external disk
My questions are the following:
- First, is the above described method appropriate?
- Use of write blocker seems widely recommended. Is it a must here? I struggle to see the extent of change that can be done on the evidence drive in that configuration (Important precision: training context here, not a legal forensic case. I am willing not to "spoil" the evidence drive though so happy to hear views).
- I am hesitating between using FTK Imager or Paladin. Is the choice only down to personal preference for what I am trying to achieve here, or is there any other parameter I should take into account? I am open to other software suggestions, as long as (i) it's free and (ii) it's relatively easy to use (I am learning)
Thanks for the help
- First, is the above described method appropriate?
Probably, but you need to ensure that you can indeed boot the laptop from an external medium. If you can't, and you can't/won't extract the HDD itself, the only general option available is a live acquisition. If you are familiar with the laptop, you may be able to say 'yes, you can make it boot from a CD/USB/whatever'. If so, fine.
- Use of write blocker seems widely recommended. Is it a must here? I struggle to see the extent of change that can be done on the evidence drive in that configuration (Important precision: training context here, not a legal forensic case. I am willing not to "spoil" the evidence drive though so happy to hear views).
It may save you from mistakes and fumble-errors, such as getting confused between the source drive and the destination drive. It has saved me more times than I want to remember. But it assumes you can get one installed in the right place. (No, I don't mean soft write blockers.) And it seems you're restricted in that respect.
If you manage to boot a forensic distro that you *know* (preferably from your own experience or tests) doesn't automount the source disk, the risk is minimal. But ... if you assume it's safe, and it isn't, you need to be able to explain your choice of method, and also describe the extent of the damage. Factually, not by wishful thinking.
- I am hesitating between using FTK Imager or Paladin. Is the choice only down to personal preference for what I am trying to achieve here, or is there any other parameter I should take into account? I am open to other software suggestions, as long as (i) it's free and (ii) it's relatively easy to use (I am learning)
Not entirely. You should image into a format that you can handle with a minimum of hassle later. As I don't know what tool you are using, I have no recommendation.
Hi Benot,
Regarding your second question (FTK imager or Paladin), it's important to note that there is a major difference between the two. Paladin is a bootable forensic OS with a suite of tools including imaging utilities. On the other hand, FTK Imager is a single imaging app and needs an OS in order to be used. So if you will be doing a live image of the hard drive with FTK Imager, then you should be able to use the OS of the laptop being imaged.
If you plan to image the hard drive while the machine is off and want to image with FTK Imager, you will need to use a Windows-based bootable OS like WinFE (https://www.winfe.net/). WinFE is free but does require some work to build. If I recall, you may need to download FTK Imager from the AccessData website so that it can be compiled into your WinFE build.
Neither Paladin nor WinFE will automount the drives. Each OS essentially has a write-protect software utility that lets you choose which drive to mount, if you choose to do so. A drive can be mounted as read-only (the laptop drive you want to image) or read/write (your external media where the image will be copied to). It's not a perfect solution for write-blocking, but it is an accepted practice when forensically imaging drives that cannot be removed. I would recommend testing whichever solution you decide to use (as you should always do with forensic tools) to make sure the write-protect functionality works.
Hopefully this is helpful. Best of luck.
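As an added example, not code from this thread or from Paladin, CAINE, FTK Imager or WinFE: the two points above (athulin's warning about mixing up the source and destination drives and relying on a distro that does not automount, and the advice to test the write-protect behaviour before trusting it) can be turned into a small POSIX shell routine of the kind you could run from the terminal of a Linux boot distro once the external evidence disk is mounted read-write. All device and mount paths (/dev/sda, /mnt/evidence, ...) are hypothetical; the routine refuses to run if any partition of the source is mounted, refuses to write to a destination that already exists (which is what a swapped source/destination looks like), sets the kernel's read-only flag on a real block device with blockdev, images with dd, and records SHA-256 hashes of both sides so the copy can be verified. The sample "drive" it is exercised against is a constructed 1 MiB file of random bytes, so it can be tried without touching real hardware.

```shell
#!/bin/sh
# Added example (hypothetical paths; not the thread's or any tool's own code).
# Real-world use, as root, from a booted forensic distro:
#   image_and_verify /dev/sda /mnt/evidence/laptop.dd /mnt/evidence/laptop.log

# Print mount-table entries whose device starts with $1 (so /dev/sda matches
# /dev/sda1, /dev/sda2, ...). $2 is the mounts table to read and defaults to the
# live /proc/mounts; it is a parameter so the check can be tested on a
# constructed table. The prefix match also catches /dev/sdaa for /dev/sda,
# which errs on the side of refusing.
mounted_on() {
  dev=$1
  table=${2:-/proc/mounts}
  [ -r "$table" ] || return 0
  awk -v d="$dev" 'index($1, d) == 1 { print $1 " on " $2 " (" $4 ")" }' "$table"
}

# Image $1 into $2 and append a hash record to $3.
# Returns 0 only if the image hashes identically to the source.
image_and_verify() {
  src=$1
  dst=$2
  log=$3
  # A destination that already exists (a file, or worse, a device node) is the
  # classic symptom of source and destination being swapped: refuse.
  if [ -e "$dst" ]; then
    echo "refusing: destination $dst already exists" >&2
    return 1
  fi
  # Never image a source the distro has (auto)mounted: the act of mounting
  # may already have written to it, and the image would not be consistent.
  if [ -n "$(mounted_on "$src")" ]; then
    echo "refusing: $src has mounted filesystems:" >&2
    mounted_on "$src" >&2
    return 1
  fi
  # Soft write-block: ask the kernel to treat the block device as read-only.
  # Only meaningful for real devices; the constructed sample below is a file.
  if [ -b "$src" ]; then
    blockdev --setro "$src" || return 1
  fi
  # bs=512 divides every real device size, so conv=sync can never append
  # padding; a larger bs is faster but may pad the tail and break the hash
  # match. noerror keeps going past unreadable sectors (sync zero-fills them).
  dd if="$src" of="$dst" bs=512 conv=noerror,sync || return 1
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
  {
    echo "date:   $(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "source: $src sha256 $src_hash"
    echo "image:  $dst sha256 $dst_hash"
  } >> "$log"
  [ "$src_hash" = "$dst_hash" ]
}

# Constructed sample "drive": 1 MiB of random bytes in a temporary file, so the
# routine can be exercised without real hardware. Prints the file's path.
make_sample_source() {
  f=$(mktemp)
  head -c 1048576 /dev/urandom > "$f"
  echo "$f"
}

# Demonstration against the constructed sample: run as  sh imaging.sh demo
if [ "${1:-}" = "demo" ]; then
  sample=$(make_sample_source)
  if image_and_verify "$sample" "$sample.dd" "$sample.log"; then
    echo "hashes match"
    cat "$sample.log"
  fi
fi
```

On a real machine the external disk still has to be mounted read-write by hand before this runs, and if the distro has already automounted the laptop drive the script will only tell you so; it cannot undo whatever the mount wrote. The read-only flag set by blockdev is exactly the "soft write blocker" athulin does not count as a real one, so it is a safety net for the imaging step, not a substitute for testing the distro's mount behaviour beforehand.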
As @athulin said, being able to boot from external media is the first question. Depending on how the laptop is secured, you may not be able to at all, or attempting to do so by altering the boot configuration can compromise the ability to boot at all, but that's a pretty extreme lockdown.
Unless the laptop is fairly old or otherwise customised, it likely uses UEFI instead of legacy BIOS, so a boot CD probably is not an option. That leaves a thumb drive.
A write-blocker is not even possible if you can't access the HD.
I've had successes using Paladin and CAINE. Both support UEFI capabilities. Sometimes one works and the other doesn't so try both.
The point with modern firmware (usually crappy), UEFI based, is that EVEN IF you can access/change boot settings it is not a given that a CD or USB stick will boot at first try from external media, and if it doesn't the machine will proceed to boot the installed OS (which is essentially what you want to avoid).
In theory you should document yourself as much as possible on the specific machine's BIOS/UEFI and its capabilities, settings and behaviour BEFORE attempting to boot *anything* from it (you have only one shot); ideally you should procure an identical notebook and experiment with it.
On the other hand, IF the case at hand is of such low relevance as not to warrant the possibility to remove the internal storage device, maybe it is not so vital to do all the proper steps to prevent in an absolute sense any change to the contents, and you can simply boot the machine normally (of course taking notes and possibly even filming the process) and from the installed OS run the program to make the image.
Of course there are some risks with booting the machine: for all you know the installed OS could autorun at startup a program and, if you do not within - say - 15 seconds open a command prompt and run a given command, the program will silently start a cryptoware encrypting all documents with a random key.
jaclaz
[...] Paladin [...] will automount the drives
https://dfir.ru/2018/07/25/a-live-forensic-distribution-writing-to-a-suspect-drive/
@thefuf - That reference is to older versions. Also you left out the "neither" in the quote, reversing the statement.
The current Paladin version is 8.01 I believe, is this still an issue?
On Windows Forensic Environment/Windows FE/WinFE
The original source for all-things-WinFE is here: https://winfe.wordpress.com/
There are two current build methods:
1) Mini-WinFE 10 using PE Bakery/Winbuilder at https://winfe.wordpress.com/winfe-quick-download-links/
2) WinFE 10 using Colin Ramsden build method at https://www.winfe.net
Both use the same write-protect app (written by Colin Ramsden). #1 is an easier build method, but #2 can be built to boot ARM devices.
As of today (July 2020), these are the current builds and build methods. Be careful with other links and downloads because you may be using an older write-protect app, which will still work but is not updated or maintained.
My opinion on boot discs is that if Linux is not commonly used by the examiner, it increases the risk of the user making errors or misinterpreting which drives are on/offline and which drives are evidence/not evidence. Running imaging software that is not commonly used also can risk errors if you've only used it a few times or never.
WinFE, using FTK Imager, can be easily used by the vast majority of examiners because it is Windows and FTK Imager. Linux might be better, or maybe not, but to reduce errors, it is hard to beat using a common OS and a common imaging tool.
As an aside, I am an avid believer in the Linux forensic boot OSs (especially Paladin) and use them just as much as I use WinFE, depending on the situation that I have in front of me to work with.
Here is the actual documentation of mini-winfe:
http://mistyprojects.co.uk/mistype/mini-winfe.docs/readme.html
And the ones for the (older, but docs are still largely valid) Winbuilder version of the Winfe:
http://mistyprojects.co.uk/documents/WinFE/winfe.htm
I guess that Misty deserves some mention for all the good work he did in the early phases of the tool.
jaclaz