Network Share Drives  

hunterw
(@hunterw)
New Member

First time poster. There might not be a good answer, but I need to pick everyone's brain anyway.

I am currently in the process of setting up a forensic incident response team.

I have been researching this particular issue quite a bit and it has been driving me crazy given the lack of tools that I have right now and the fact that I still need to meet with the server team so bear with me.

A lot of the data that I need to acquire is the network share drive that each employee has. Soon I am going to propose better solutions for retrieving that data on the network shares (i.e. EnCase Enterprise Mobile, Pro Discover, Helix, etc. . .) but temporarily is there a better way (they have been using robocopy) to retrieve that data so I can analyze it? I can easily get access to the shares if I need to but as far as I know you can not acquire a share with EnCase.

So if you have any other suggestions that might be a temporary solution until I am able to get some better tools and meet with the server team, let me know.

Thanks.

Posted : 19/07/2006 9:45 pm
keydet89
(@keydet89)
Community Legend

What data are you trying to collect? Are you trying to see what shares the user is connected to? If so, do you simply want the path, or are you interested in collecting the contents of the share itself?

Remember, user's shares are really just directories on a server someplace, so what it sounds like you want to do is image the directory…is this correct? If so, I guess the next question would be "why?" What purpose would this serve?

Thanks,

Harlan

Posted : 20/07/2006 12:26 am
echo6
(@echo6)
Member

> I can easily get access to the shares if I need to but as far as I know you can not acquire a share with EnCase.

You could use the single files function within EnCase, then simply drag and drop your files off the share into your case. You won't be able to add deleted files or data from unallocated. You can then create a logical evidence file and add the files you are interested in. You are going to change the last accessed date for each file when you do this though, and you are only going to get the logical data.

Have you considered using FTK Imager? This is available free from http://www.accessdata.com/support/downloads/ You can acquire a physical device, logical drive, or files from a folder. Again, if you acquire files from a folder you are not going to be able to acquire deleted files or file metadata.

Posted : 20/07/2006 2:48 am
BraneRift
(@branerift)
Member

I have to just basically repeat what Harlan said. Wouldn't it be easier just to find the server where the shares are located and examine the folder you want using more traditional means?

Posted : 22/07/2006 2:22 am
hunterw
(@hunterw)
New Member

Thanks for the replies and sorry for the delay in responding.

The main purpose for this would be more along the lines of e-discovery. It is not practical for me to image the entire SAN just to collect files from a user folder. Also all of the storage is in a remote location so I do not have physical access either.

My current methodology is using robocopy to collect the files in question, then using EnCase to create logical evidence files. I am not fond of this technique because my mindset for the past two years was law enforcement and I would never collect evidence that way, but now I am in a corporate environment and the same standards don't really apply. Still, I would like to be as precise as possible to avoid spoliation.

So any other suggestions you may have would be great. Right now I am looking into $$$EnCase Enterprise Mid-Grade$$$ or ProDiscover IR.

Thanks again for any more feedback and I will try to be timelier on my responses.

Posted : 05/08/2006 1:22 am
keydet89
(@keydet89)
Community Legend

> My current methodology is using robocopy to collect the files in question
> then using EnCase to create logical evidence files.

Wait…let me see if I understand this. You're reaching out remotely to this system and using robocopy to copy files, and then you're using EnCase to make .E01 files of the files you just copied?

That makes no sense whatsoever. What is the purpose of using EnCase after you use robocopy?

Harlan

Posted : 05/08/2006 1:42 am
hunterw
(@hunterw)
New Member

> > My current methodology is using robocopy to collect the files in question
> > then using EnCase to create logical evidence files.
>
> Wait…let me see if I understand this. You're reaching out remotely to this system and using robocopy to copy files, and then you're using EnCase to make .E01 files of the files you just copied?
>
> That makes no sense whatsoever. What is the purpose of using EnCase after you use robocopy?
>
> Harlan

I am using EnCase to create .L01 files. The purpose of this is preservation, hashing, and any analysis that I might need to carry out on the files collected.

Posted : 05/08/2006 2:02 am
keydet89
(@keydet89)
Community Legend

Okay, I see what you're doing, but it still doesn't make sense…you're using a sledgehammer to break an egg.

Out of curiosity, would you be willing to share your reasoning for going this route? After all, you've already used robocopy to get copies of the files. At that point, if I were you, I'd write all of the files to a CD, along with their hash values. You've got preservation, and the guarantee that you won't alter anything.

It's just that from what you've presented, the use of EnCase in this situation is overkill and really serves no purpose.

Posted : 05/08/2006 3:06 am
hunterw
(@hunterw)
New Member

> Okay, I see what you're doing, but it still doesn't make sense…you're using a sledgehammer to break an egg.
>
> Out of curiosity, would you be willing to share your reasoning for going this route? After all, you've already used robocopy to get copies of the files. At that point, if I were you, I'd write all of the files to a CD, along with their hash values. You've got preservation, and the guarantee that you won't alter anything.
>
> It's just that from what you've presented, the use of EnCase in this situation is overkill and really serves no purpose.

Trust me, I agree that this process is not anything that I am used to, which is why I started the post to begin with. The traditional means that I would normally use are EnCase FIM, Helix, or dd with cryptcat. But unfortunately these means are not available to me right now, though I hope they will be in the future. So I am stuck with this current method for the time being but looking to improve it, and thus would like some ideas.

Robocopy is my method for collecting the files, and you are right, I could just burn the files to a CD and hash them for preservation, which, now that you mention it, I will probably start doing anyway. EnCase comes into the fold because I can have preservation but at the same time have the capability to analyze the data if it is required, i.e. using scripts, keyword searches, filtering capabilities, and last but not least reporting. I am told that this is one of the uses for the logical evidence files in EnCase and that it is used for this type of collection.

So I have the capability to analyze that data. I am looking at alternatives for the collection of the files. Remember, I do not have physical access to the SAN, and I might only need one user or group folder on the SAN that might have 40 gigs of data. Robocopy will work, but I would like to look for something more secure. I have looked into EnCase Enterprise but it will not fit in my budget. My other alternative is TechPathways ProDiscover IR. Have you or anyone ever tried this product? Any feedback on this product would be great, or similar alternatives. Thanks.

Posted : 07/08/2006 9:26 pm
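The collection-and-hash workflow discussed above (Harlan's "copy the files, record their hash values, and you have preservation", and hunterw's robocopy-then-preserve method) can be made verifiable with a small script. The following is an added example written for this page, not code from the thread or from any of the tools named in it. It stands in for the robocopy step with a Python copy that keeps relative paths and modification times, hashes every file as it is read from the share and again after the copy, writes a manifest, and can later re-verify the copied set so any post-collection change is detected. All paths and the sample "share" contents are constructed for the demo; on a real engagement the source would be the UNC path of the user's share and the manifest hash would be recorded separately (for example on the CD label or in the case notes).

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large shares do not need to fit in memory


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(src, dst):
    """Copy every regular file under src into dst (same relative layout, mtime kept)
    and return a manifest of path, size, original mtime and SHA-256.
    The hash is taken from the source before copying and checked against the copy."""
    src, dst = Path(src), Path(dst)
    manifest = []
    for p in sorted(src.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(src)
        target = dst / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        st = p.stat()
        source_hash = sha256_file(p)
        shutil.copy2(p, target)  # copy2 carries mtime across; the source's last-access time may still change
        if sha256_file(target) != source_hash:
            raise RuntimeError(f"copy of {rel} does not match the source")
        manifest.append({
            "path": rel.as_posix(),
            "size": st.st_size,
            "mtime": st.st_mtime,
            "sha256": source_hash,
        })
    return manifest


def write_manifest(manifest, path):
    """Write the manifest as JSON and return its own SHA-256, to be recorded out of band."""
    data = json.dumps(manifest, indent=2, sort_keys=True).encode()
    Path(path).write_bytes(data)
    return hashlib.sha256(data).hexdigest()


def verify(dst, manifest):
    """Re-hash the collected files against the manifest. Empty list means the set is intact."""
    dst = Path(dst)
    problems = []
    for entry in manifest:
        f = dst / entry["path"]
        if not f.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(f) != entry["sha256"]:
            problems.append(f"hash mismatch: {entry['path']}")
    return problems


def demo():
    """Build a constructed user share, collect it, verify, then alter one copy and verify again.
    Returns (file count, problems before tampering, problems after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        share = root / "share" / "jdoe"          # constructed stand-in for \\server\users\jdoe
        (share / "projects").mkdir(parents=True)
        (share / "notes.txt").write_text("quarterly notes\n")
        (share / "projects" / "plan.docx").write_bytes(b"PK\x03\x04 constructed placeholder")
        evidence = root / "evidence" / "jdoe"
        manifest = collect(share, evidence)
        write_manifest(manifest, root / "evidence" / "jdoe_manifest.json")
        before = verify(evidence, manifest)
        (evidence / "notes.txt").write_text("quarterly notes - edited\n")  # simulate a post-collection change
        after = verify(evidence, manifest)
        return len(manifest), before, after


if __name__ == "__main__":
    print(demo())
```

The second hash after the copy catches a transfer error at collection time, while the manifest lets anyone re-run `verify` later, which is the property Harlan describes as preservation. Note that, as echo6 points out, reading the files from the share can still update their last-accessed timestamp on the server; the script records the source modification time it saw, but it cannot prevent that side effect.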