Laptop imaging  

Page 1 / 2
Benot
(@benot)
New Member

Hello,

I am asking for advice in the following situation. I am trying to acquire a disk image from a laptop. Dismantling the case to take out the HD is not an option. I understand the best option then would be the following:

- booting the evidence laptop from a forensic programme on a CD (or USB stick)

- acquiring disk image through USB, transferring it into an external disk

My questions are the following:

- First, is the above described method appropriate?

- Use of write blocker seems widely recommended. Is it a must here? I struggle to see the extent of change that can be done on the evidence drive in that configuration (Important precision: training context here, not a legal forensic case. I am willing not to "spoil" the evidence drive though so happy to hear views).

- I am hesitating between using FTK imager or Paladin. Is choice only down to personal preferences for what I am trying to achieve here, or any other parameter I should take into account? I am open to other software suggestions, as long as (i) it's free and (ii) it's relatively easy to use (I am learning)

Thanks for the help

Posted : 10/07/2020 2:47 pm
athulin
(@athulin)
Community Legend
Posted by: @benot

- First, is the above described method appropriate?
Probably, but you need to ensure that you can indeed boot the laptop from an external medium. If you can't, and you can't/won't extract the HDD itself, the only general option that is available is a live acquisition. If you are familiar with the laptop, you may be able to say 'yes, you can make it boot from a CD/USB/whatever'. If so, fine.

- Use of write blocker seems widely recommended. Is it a must here? I struggle to see the extent of change that can be done on the evidence drive in that configuration (Important precision: training context here, not a legal forensic case. I am willing not to "spoil" the evidence drive though so happy to hear views).
It may save you from mistakes and fumble-errors, such as getting confused between the source drive and the destination drive. It has saved me more times than I want to remember. But it assumes you can get one installed in the right place. (No, I don't mean soft write blockers.) And it seems you're restricted in that respect.

If you manage to boot a forensic distro that you *know* (preferably from your own experience or tests) doesn't automount the source disk, the risk is minimal. But ... if you assume it's safe, and it isn't, you need to be able to explain your choice of method, and also describe the extent of the damage. Factually, not by wishful thinking.

- I am hesitating between using FTK imager or Paladin. Is choice only down to personal preferences for what I am trying to achieve here, or any other parameter I should take into account? I am open to other software suggestions, as long as (i) it's free and (ii) it's relatively easy to use (I am learning)
Not entirely. You should image into a format that you can deal with with a minimum of hassle later. As I don't know what tool you are using, I have no recommendation.
Posted : 10/07/2020 4:52 pm
Tacobreath
(@tacobreath)
New Member

Hi Benot,

Regarding your second question (FTK imager or Paladin), it's important to note that there is a major difference between the two. Paladin is a bootable forensic OS with a suite of tools including imaging utilities. On the other hand, FTK Imager is a single imaging app and needs an OS in order to be used. So if you will be doing a live image of the hard drive with FTK Imager, then you should be able to use the OS of the laptop being imaged.

If you plan to image the hard drive while the machine is off and want to image with FTK Imager, you will need to use a Windows-based bootable OS like WinFE ( https://www.winfe.net/). WinFE is free but does require some work to build. If I recall, you may need to download FTK Imager from the AccessData website so that it can be compiled into your WinFE build.

Neither Paladin nor WinFE will automount the drives. Each OS essentially has a write-protect software utility that lets you choose which drive to mount, if you choose to do so. A drive can be mounted as read-only (the laptop drive you want to image) or read/write (your external media where the image will be copied to). It's not a perfect solution for write-blocking, but it is an accepted practice when forensically imaging drives that cannot be removed. I would recommend testing whichever solution you decide to use (as you should always do with forensic tools) to make sure the write-protect functionality works.

Hopefully this is helpful. Best of luck.

Posted : 11/07/2020 1:36 am
watcher
(@watcher)
Member

As @athulin said, being able to boot from external media is the first question. Depending on how the laptop is secured, you may not be able to at all, or attempting to do so by altering the boot configuration can compromise the ability to boot at all, but that's a pretty extreme lockdown.

Unless the laptop is fairly old or otherwise customised, it likely uses UEFI instead of legacy BIOS, so a boot CD probably is not an option. That leaves a thumb drive.

A write-blocker is not even possible if you can't access the HD.

I've had successes using Paladin and CAINE. Both support UEFI capabilities. Sometimes one works and the other doesn't so try both.

Posted : 11/07/2020 5:07 am
jaclaz
(@jaclaz)
Community Legend

The point with modern firmware (usually crappy), UEFI based, is that EVEN IF you can access/change boot settings it is not a given that a CD or USB stick will boot at the first try from external media, and if it doesn't the machine will proceed to boot the installed OS (which is essentially what you want to avoid).

In theory you should document yourself as much as possible on the specific machine BIOS/UEFI and its capabilities, settings and behaviour, BEFORE attempting to boot *anything* from it (you have only one shot); ideally you should procure an identical notebook and experiment with it.

On the other hand, IF the case at hand is of such a low relevance as not to grant the possibility to remove the internal storage device, maybe it is not so vital to do all the proper steps to prevent in an absolute sense the contents and you can simply boot the machine normally (of course taking notes and possibly even filming the process) and from the installed OS run the program to make the image.

Of course there are some risks with booting the machine: for all you know the installed OS could autorun at startup a program, and if you do not, within, say, 15 seconds, open a command prompt and run a given command, the program will silently start a cryptoware encrypting all documents with a random key.

jaclaz
Posted : 11/07/2020 10:39 am
thefuf
(@thefuf)
Active Member
Posted by: @tacobreath

[...] Paladin [...] will automount the drives

https://dfir.ru/2018/07/25/a-live-forensic-distribution-writing-to-a-suspect-drive/

Posted : 11/07/2020 12:26 pm
watcher
(@watcher)
Member

@thefuf - That reference is to older versions. Also you left out the "neither" in the quote, reversing the statement.

The current Paladin version is 8.01 I believe, is this still an issue?

Posted : 11/07/2020 7:32 pm
thefuf
(@thefuf)
Active Member

@watcher

Yes, it is.

Posted : 11/07/2020 8:24 pm
bshavers
(@bshavers)
Active Member

On Windows Forensic Environment/Windows FE/WinFE

The original source for all-things-WinFE is here: https://winfe.wordpress.com/

There are two current build methods:

1) Mini-WinFE 10 using PE Bakery/Winbuilder at https://winfe.wordpress.com/winfe-quick-download-links/

2) WinFE 10 using Colin Ramsden build method at https://www.winfe.net

Both use the same write-protect app (written by Colin Ramsden). #1 is an easier build method, but #2 can be built to boot ARM devices.

As of today (July 2020), these are the current builds and build methods. Be careful with other links and downloads because you may be using an older write-protect app, which will still work but is not updated or maintained.

My opinion on boot discs is that if Linux is not commonly used by the examiner, it increases the risk of the user making errors or misinterpreting which drives are on/offline and which drives are evidence/not evidence. Running imaging software that is not commonly used also can risk errors if you've only used it a few times or never.

WinFE, using FTK Imager, can be easily used by the vast majority of examiners because it is Windows and FTK Imager. Linux might be better, or maybe not, but to reduce errors, it is hard to beat using a common OS and a common imaging tool.

As an aside, I am an avid believer in the Linux forensic boot OSs (especially Paladin) and use them just as much as I use WinFE, depending on the situation that I have in front of me to work with.
Posted : 11/07/2020 9:32 pm
jaclaz
(@jaclaz)
Community Legend

Here is the actual documentation of mini-winfe:
http://mistyprojects.co.uk/mistype/mini-winfe.docs/readme.html

And the ones for the (older, but docs are still largely valid) Winbuilder version of the Winfe:
http://mistyprojects.co.uk/documents/WinFE/winfe.htm

I guess that Misty deserves some mention for all the good work he did in the early phases of the tool.

jaclaz
Posted : 12/07/2020 9:29 am
bshavers
(@bshavers)
Active Member

Misty deserves a lot of credit 🙂

Anything that I've ever written denotes Misty as one of the most helpful contributors to WinFE's development in WinBuilder/PEBakery, as well as many others to every aspect of the development of WinFE.

Posted : 24/07/2020 7:26 pm
Benot
(@benot)
New Member
Posted by: @thefuf
Posted by: @tacobreath

[...] Paladin [...] will automount the drives

https://dfir.ru/2018/07/25/a-live-forensic-distribution-writing-to-a-suspect-drive/

@thefuf thanks for pointing this out. Just to make sure I got this right:

- Is this reported problem only an issue in terms of making forensic conclusions legally valid (i.e. different checksum for the same drive, as reported in the note) or does that mean erasure of forensically-useful data? 

- Does the same happen with WinFE?
Posted : 05/08/2020 1:37 pm
jaclaz
(@jaclaz)
Community Legend
Posted by: @benot

- Is this reported problem only an issue in terms of making forensic conclusions legally valid (i.e. different checksum for the same drive, as reported in the note) or does that mean erasure of forensically-useful data?

- Does the same happen with WinFE?
These (and other) behaviours may happen on Linux systems that have not been fully vetted for forensics use; even if they only happen in "edge" cases, they are "disturbing".

WinFE has been developed EXACTLY to avoid these kinds of issues, and each and every "automount" feature of the OS has been disabled.

Only for the record, and now outdated by WinFE, the greater risks in attaching a disk to a NT system were:
1) change of disk signature (in the MBR)[1]
2) automount of partitions (and then autostart programs might write to them)[2]

Both could be easily worked around by:
1) boot to a grub4dos (from another device)
2) copy the MBR to a file (on another device)
3) wipe the MBR (or just write 00 over the Magic Bytes 55 AA)

This way the disk - for all *any* Windows NT knows - is uninitialized and as such nothing will be changed/automounted/whatever.

4) attach the disk to a machine running NT
5) make a (dd) image of the disk
6) restore the MBR from file onto first sector of the disk image
7) reboot to grub4dos
8) restore the MBR from file to disk

jaclaz

[1] automatic and not preventable in a number of situations, that are actually 2 of which only 1 can actually happen in real life (disk having a blank disk signature, i.e. having been never connected to a NT system)
[2] extremely rare and only happening if the NT system has been setup and managed by a moron
Posted : 05/08/2020 2:34 pm
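An added Python model of the eight-step MBR workaround described in the post above; this is example code written for this page, not jaclaz's or any tool's own code. It works on a constructed in-memory "disk" using the standard MBR layout (4-byte disk signature at offset 0x1B8, the 55 AA magic bytes at 0x1FE), and simulate_nt_attach is an assumed, simplified stand-in for the signature write mentioned in note [1], not real NT behaviour.

```python
import hashlib

SECTOR = 512
DISK_SIG_OFF = 0x1B8   # 4-byte NT disk signature, the field referred to in note [1]
BOOT_SIG_OFF = 0x1FE   # 2-byte magic 55 AA, the bytes wiped in step 3

def build_sample_disk(sectors=8):
    """Constructed sample 'disk': an MBR carrying a disk signature and 55 AA, then filler sectors."""
    mbr = bytearray(SECTOR)
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\xde\xad\xbe\xef"
    mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr) + b"".join(bytes([i]) * SECTOR for i in range(1, sectors))

def looks_initialised(disk):
    return disk[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa"

def neutralise_mbr(disk):
    """Step 3: zero only the magic bytes; everything else in sector 0 stays as it was."""
    d = bytearray(disk)
    d[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x00\x00"
    return bytes(d)

def simulate_nt_attach(disk, new_sig=b"\x01\x02\x03\x04"):
    """Assumed model of note [1]: NT stamps a signature only on a disk it recognises as initialised."""
    if not looks_initialised(disk):
        return disk                      # uninitialised as far as NT is concerned: left untouched
    d = bytearray(disk)
    d[DISK_SIG_OFF:DISK_SIG_OFF + 4] = new_sig
    return bytes(d)

def restore_mbr(target, saved_mbr):
    """Steps 6 and 8: write the saved first sector back over sector 0 of the image or the disk."""
    return saved_mbr + target[SECTOR:]

def sha256(b):
    return hashlib.sha256(b).hexdigest()

def run_workflow():
    original = build_sample_disk()
    saved_mbr = original[:SECTOR]                       # step 2: copy the MBR to a file
    prepared = neutralise_mbr(original)                 # step 3: wipe the magic bytes
    attached = simulate_nt_attach(prepared)             # step 4: attach to the NT machine
    image = restore_mbr(attached, saved_mbr)            # steps 5-6: dd, then fix the image's sector 0
    disk = restore_mbr(attached, saved_mbr)             # step 8: put the MBR back on the disk
    naive = simulate_nt_attach(original)                # what attaching without step 3 would do
    return {
        "prepared_disk_untouched_by_nt": attached == prepared,
        "image_hash_matches_original": sha256(image) == sha256(original),
        "disk_hash_matches_original": sha256(disk) == sha256(original),
        "naive_attach_changed_disk": sha256(naive) != sha256(original),
    }
```

The hash comparisons are the check a practitioner would record: with the magic bytes wiped the attach leaves the disk alone, and after the MBR is restored both the image and the disk hash identically to the untouched original.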
thefuf
(@thefuf)
Active Member

- Is this reported problem only an issue in terms of making forensic conclusions legally valid (i.e. different checksum for the same drive, as reported in the note) or does that mean erasure of forensically-useful data?

Wiping the $LogFile journal on an NTFS volume? Syncing data on RAID-1 drives? That's lots of useful data. However, vendors use different wording.

Compare this (not related to PALADIN but to a different distro):

OSFClone may not be forensically sound when imaging drives with ext2/3/4 filesystems. During internal testing it was found that if the evidence drive is connected during system start up, it is possible the first superblock (typically offset 1024 within the partition) on the ext2/3/4 filesystem the drive may be altered. Values that were changed include the last mount time, last write time, mount count and a byte at location 0x0178 within the superblock.

To this:

OSFClone is not forensically sound when imaging drives with Ext3/4 file systems. It can recover such a file system using its journal, if this file system is in an unclean state (e.g., hibernated or after pulling the plug). This means that file system metadata (including file timestamps) can be altered without any user interaction (the amount of modified file system metadata can't be estimated in advance, it can be several bytes only or, for heavily loaded systems, it can affect hundreds of files). If data journaling is enabled, this can affect file contents too. In many cases, you don't know what file system types are on a storage media you need to acquire, what are their states, and how many file system operations have been logged but not committed yet. Also, under some conditions you won't be able to tell if any modifications have been done by an acquisition tool after you finish the imaging and power off the system, so if anyone (like a court) asks you whether an acquisition tool modified the drive or not, the right answer in this situation will be "I don't know".

Or compare that post linked before to a typical reply: "our software is NIST-validated".

Posted : 05/08/2020 3:15 pm
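To make the two vendor statements above concrete, here is an added Python example (written for this page, not thefuf's or any vendor's code) that reads the ext2/3/4 superblock fields the first OSFClone note names (last mount time, last write time, mount count) plus the state and journal-recovery flags behind the second note, and diffs a superblock captured before and after acquisition. Offsets follow the standard ext superblock layout at byte 1024 of the partition; the sample partitions are constructed, not from a real drive.

```python
import struct

SB_OFFSET = 1024                      # superblock starts 1024 bytes into the partition
SB_SIZE = 1024
EXT_MAGIC = 0xEF53
FEATURE_COMPAT_HAS_JOURNAL = 0x0004   # s_feature_compat bit: ext3/4 journal present
FEATURE_INCOMPAT_RECOVER = 0x0004     # s_feature_incompat bit: journal has un-replayed transactions
STATE_CLEAN = 0x0001                  # s_state bit: cleanly unmounted

def parse_superblock(partition):
    """Return the fields an examiner compares before and after an acquisition."""
    sb = partition[SB_OFFSET:SB_OFFSET + SB_SIZE]
    magic = struct.unpack_from("<H", sb, 0x38)[0]
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 superblock")
    mtime, wtime = struct.unpack_from("<II", sb, 0x2C)        # s_mtime, s_wtime
    mnt_count = struct.unpack_from("<H", sb, 0x34)[0]          # s_mnt_count
    state = struct.unpack_from("<H", sb, 0x3A)[0]              # s_state
    compat, incompat = struct.unpack_from("<II", sb, 0x5C)    # s_feature_compat, s_feature_incompat
    return {
        "last_mount_time": mtime,
        "last_write_time": wtime,
        "mount_count": mnt_count,
        "clean": bool(state & STATE_CLEAN),
        "has_journal": bool(compat & FEATURE_COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & FEATURE_INCOMPAT_RECOVER),
    }

def would_replay_journal(info):
    """True when a distro that mounts this volume would replay the journal and rewrite metadata."""
    return info["has_journal"] and (info["needs_recovery"] or not info["clean"])

def diff_superblocks(before, after):
    """Fields that changed between two captures, as (before, after) pairs."""
    return {k: (before[k], after[k]) for k in before if before[k] != after[k]}

def make_sample_partition(mtime, wtime, mnt_count, state, compat, incompat):
    """Constructed sample: zero filler plus a minimal superblock carrying only the fields read above."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<II", sb, 0x2C, mtime, wtime)
    struct.pack_into("<HH", sb, 0x34, mnt_count, 20)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<H", sb, 0x3A, state)
    struct.pack_into("<II", sb, 0x5C, compat, incompat)
    return bytes(SB_OFFSET) + bytes(sb)
```

Run against the first 2 KiB of a partition before and after imaging, an empty diff is the "nothing was modified" answer; a non-empty one is the evidence that the tool wrote to the drive.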
Bunnysniper
(@bunnysniper)
Active Member

Do yourself a favor and buy some good screwdrivers, disassemble the laptop, take out the hard drive and go the forensically sound way. Obviously this is some kind of insider case... getting rid of an employee should be worth the acquisition of screwdrivers and a write-blocker.

I am using my own version of WinPE for forensic purposes (this here is from me) and I never ever had a case where I had to use my bootable WinPE/WinFE for a case that could potentially go to court. If it is a case that could make it to the lawyers, I always go the forensically sound way (see first sentence).

In all other cases where I have used a bootable Windows, we were facing an Incident Response scenario, where the bad guys are unreachable for prosecution. Therefore, my bootable Windows PE is on automount to get the relevant IOCs as fast as possible. I simply do not want to waste time playing around with diskpart.

my 2 cents for this,

Robin

Posted : 06/08/2020 10:06 am