Newbie question about DD / drive imaging

lecraw789 (topic starter; New Member, joined 18 years ago, 4 posts)

I am not a computer forensics expert, but I recently worked on a
case of serious misconduct by an employee which resulted in
their resignation.

Their machine was a desktop machine with a 750GB hard drive
and only about 50GB of it was used. It was a Windows Vista
machine.

I took the hard drive out of the machine as soon as I learned
about this employee and used a Linux box and dd to image the
drive onto a single gigantic file on a 1TB hard drive and saved
an MD5 and SHA1 hash of the drive. We don't have EnCase or
FTK or any commercial software.

I would like to investigate the hard drive further by using it.
I could just plug it into the machine and use it, and then afterwards,
put the saved dd image back onto the drive, but I don't want to
compromise the evidence hard drive in anyway.

I don't have any other 750GB hard drives handy, but plenty of
500GB and smaller drives.

Is there an easy way to take a 750GB image (of which only
50GB is actual data) and put it onto a 500GB hard drive in
such a way that the 500GB hard drive can be put into the
machine and will work?

Open source tools are strongly preferred.

Thanks for any help.

kern (Trusted Member, joined 20 years ago, 67 posts)

What exactly are you looking for or trying to prove?
This could help formulate a plan of action that doesn't involve using the original drive.

If you copy out and copy back, you have altered the original drive, and more than likely compromised any chance of offering it up as potential evidence.

Can we assume that, as you're looking for open source, your budget won't extend to buying a spare large drive to copy the image over to?

There are also devices that allow you to operate on a drive, running it, without any write-back. However, if you don't have a budget …

kern

lecraw789 (topic starter)


The problem is that I don't know what else this employee did. I've walked
around their files and everything, but it would be nice to be able to
just use their machine.

It's not in my budget to buy a spare drive and I can't buy a write-blocking
device.

Thank you.

kern

I think I see where you are coming from.

I suppose you could try attaching a couple of drives as a RAID, if they support such, and make up a 1TB drive from two 500s. Never done it myself so can't help further.

**Or maybe compress the image using bz2 or gz over to a smaller drive, and use the bigger one to play with. You should get a dramatic reduction if only 50GB was used.**

What else they did …
Images, documents, emails etc.: try PhotoRec from cgsecurity.org and run it against the copied image. You can check the menu system and select the file extensions you may want to recover.

File/access times etc.: grab Sleuth Kit/Autopsy (see Live CD comment later) and run this on the image.

If you run the actual disk, how can you be sure you aren't looking at your own footprints? Once you access a file (in Windows) you overwrite its attributes, as well as possibly overwriting any residual background data from deleted files. You could then not offer this up as potential evidence. Remember, it's only evidence should a court/tribunal accept it as such.

Maybe the best "other" way to look around the disk, given that you are short of proper procedural alternatives, is to attach the imaged copy to a PC and boot from a live forensic CD such as FCCU 11.

If the guy has been fired and you don't have much chance of further action anyway, and really you just want to snoop, be aware that you could also be held liable if you access the guy's personal info and act upon it. Check your county/country LE guide to be certain who owns the data.

Whatever you do, be fully aware of the consequences for the company if you should fall foul of the law as it stands where you are.

hth
kern

Edited **afterthought.**

azrael (Honorable Member, joined 19 years ago, 656 posts)
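As an added illustration of kern's compression suggestion above (this is example code, not something posted in the thread), the script below images a drive with dd, gzips the stream on the fly so the result fits on a smaller disk, and hashes the uncompressed stream in the same pass via FIFOs, so the stored MD5/SHA1 are directly comparable to hashes taken of the device. The "drive" is a constructed sparse file standing in for a mostly empty disk; all paths are assumptions. It assumes GNU coreutils on Linux.

```shell
#!/bin/sh
# Added example: single-pass dd image -> gzip, hashing the raw stream in parallel.
# Not from the original thread; paths and sample data are constructed.
set -eu

WORK="$(mktemp -d)"

# Constructed stand-in for the evidence drive: 32 MiB sparse file with 1 MiB
# of "used" data at the front, mimicking a 750GB disk holding 50GB.
make_sample_drive() {
    dev="$WORK/drive.raw"
    truncate -s 32M "$dev"
    dd if=/dev/urandom of="$dev" bs=1M count=1 conv=notrunc 2>/dev/null
    printf '%s\n' "$dev"
}

# image_drive SRC OUT [BS]: one read of SRC, producing OUT.gz, OUT.sha1,
# OUT.md5 and OUT.dd.log. For a real device pass /dev/sdX as SRC, attached so
# that nothing auto-mounts it.
# conv=noerror,sync keeps going past unreadable sectors and zero-fills them,
# so a bad sector does not abort the image. Note that sync also zero-pads a
# final partial block, so use a block size that divides the device size
# (bs=512 always does) or the image hash will not match the device hash.
image_drive() {
    src="$1"; out="$2"; bs="${3:-4M}"
    fifo_sha="$WORK/sha.fifo"; fifo_md5="$WORK/md5.fifo"
    mkfifo "$fifo_sha" "$fifo_md5"
    sha1sum < "$fifo_sha" | cut -d' ' -f1 > "$out.sha1" &
    md5sum  < "$fifo_md5" | cut -d' ' -f1 > "$out.md5" &
    dd if="$src" bs="$bs" conv=noerror,sync 2>"$out.dd.log" \
        | tee "$fifo_sha" "$fifo_md5" \
        | gzip -1 > "$out.gz"
    wait
    rm -f "$fifo_sha" "$fifo_md5"
}

# verify_image SRC OUT: decompress the image and re-hash it, and re-hash the
# source, then check both against the hashes recorded during imaging.
# Prints OK only when all three agree.
verify_image() {
    src="$1"; out="$2"
    rec_sha="$(cat "$out.sha1")"; rec_md5="$(cat "$out.md5")"
    img_sha="$(gzip -dc "$out.gz" | sha1sum | cut -d' ' -f1)"
    src_sha="$(sha1sum < "$src" | cut -d' ' -f1)"
    src_md5="$(md5sum  < "$src" | cut -d' ' -f1)"
    [ "$img_sha" = "$rec_sha" ] || { echo "MISMATCH: image sha1 $img_sha != $rec_sha"; return 1; }
    [ "$src_sha" = "$rec_sha" ] || { echo "MISMATCH: source sha1 $src_sha != $rec_sha"; return 1; }
    [ "$src_md5" = "$rec_md5" ] || { echo "MISMATCH: source md5 $src_md5 != $rec_md5"; return 1; }
    echo OK
}

size_bytes() { wc -c < "$1" | tr -d ' '; }

# Demo run against the constructed drive (a multiple of 4 MiB, so no padding).
SRC="$(make_sample_drive)"
OUT="$WORK/evidence"
image_drive "$SRC" "$OUT" 4M
verify_image "$SRC" "$OUT"
echo "raw: $(size_bytes "$SRC") bytes, compressed: $(size_bytes "$OUT.gz") bytes"
echo "sha1: $(cat "$OUT.sha1")  md5: $(cat "$OUT.md5")"
```

Keep the dd log alongside the hashes: if it reports read errors, the image hash will legitimately differ from the device hash because of the zero-filled sectors, and the log is what explains that discrepancy later. The compressed file plus the two hash files are what goes onto the 500GB drive; the decompressed image (or a second copy on the 1TB disk) is what you point Sleuth Kit or LiveView at.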

Moving away from the legal implications that there may be in examining a disk that may contain personal data, as mentioned by kern: if you only take the used 50GB, bear in mind that this measure is unlikely to include deleted files, file slack etc., so you would potentially be losing a great deal of data.

Having said this, if we can make the assumption that you want to see the way that the machine is laid out etc., then how about carefully reconnecting the drive and booting from a Norton Ghost CD? This shouldn't modify the drive, and would allow you to extract the 50GB "live" file set to another device to use to boot from …

If you were feeling energetic you could run a quick test on a smaller drive to ensure that no changes are made …

You could also try having a look at http://liveview.sourceforge.net/ which, with some work, will allow you to boot from the image itself, supposedly in a way that won't affect the original image, writing changes to a scratch file … (Again, I'd test this if I were you … Blind trust isn't a great thing in forensics …)

Hope it goes well :-)

chris2792 (Eminent Member, joined 18 years ago, 33 posts)

No need to buy another drive, just boot the image with LiveView.

kern

Just to follow up azrael's suggestion, and chris's …

There are a couple of useful pointers on the use of LiveView on Mr Carvey's blog, on mounting dd images:
http://windowsir.blogspot.com/search?q=liveview

Thinking on, I can't see that it would do much harm, even if you or it mess up, if you still have the original drive secured as the bona fide source.
Give it a go!

Do you have the guy's login and password?

lecraw789 (topic starter)

I do have the ex-employee's login and password, at least
what they said their password was during the exit interview.
I wouldn't have any problems resetting their login password,
but may have difficulties with passwords on any websites
they may have used.

I guess using a web browser with the person's cookies may not
be such a good idea…

kern

If you use LiveView, it mentions somewhere that the network connections are disabled anyway. But no, it might not be a good idea.

Any info you would need about browsing history or such would usually be stored on the PC anyway. You can view it without altering it.

With regard to passwords to websites, be careful. While it is possibly acceptable to audit the PC web cache or PC activity (the company did have an AUP in place, didn't it? …), using the PC and the person's passwords to access external sites will likely lead you foul of your state law.

It may be worth reassessing what you/the company want to do. If the problem is resolved by the guy leaving, then store the drive for an amount of time, as a "just in case he makes claims". If you feel he has done something to compromise the company and you need to follow up, then hire a pro.

The danger could be that if you find anything else and raise the alert, he says … "You did what! With my mail/Facebook/xyz account? I'm suing you", or you say "Well, we *think* he did this, but we screwed with the drive and now we don't have such good potential evidence … by the way, what _is_ 'chain of custody'?"

Just a few suggestions.

kern
