Hi all,
I am new to this site but I have a number of years experience in Forensics. In my organization we had the ability to seize physical servers and bring them back to our lab. This unfortunately is not possible anymore due to some legal changes.
So I am looking for people's views on forensic products which would enable me to enter a premises which has a number of servers and PCs and acquire specific data in a forensic manner. I am aware of a number of products that can do this but I am trying to gauge the views of my fellow professionals in the field rather than listening to the manufacturers of these products. Any advice would be really beneficial to me.
Thanks
Kaly
From Ireland.
What do you mean by "…in a forensic manner"?
There are a number of ways for acquiring data. For example, for Windows servers, many times I will attach a USB "wallet" drive and perform a live acquisition using FTK Imager running from either the wallet drive or from a CD.
There's also F-Response EE, which supports a number of operating systems.
I've also used native dd on a *nix system to image a drive to an NFS mount.
I've also used similar means to collect only specific data. In other cases, I've copied VMware directories (as opposed to booting the VMware disk and imaging it live).
All of this is done with proper documentation. IMHO, that's what makes it done in a "forensic manner".
HTH
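The dd-to-image approach with documentation mentioned above, as an added shell example that is not code from the thread or from any poster: it hashes the source, copies it block for block with dd, hashes the image, and writes an acquisition log as part of the same step. It assumes GNU coreutils (dd, sha256sum); the device and mount paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: a dd acquisition that hashes the
# source and the resulting image and writes an acquisition log alongside,
# so the "proper documentation" step is produced by the same procedure.
# Assumes GNU coreutils (dd, sha256sum); device/file names are placeholders.

hash_file() { sha256sum "$1" | cut -d' ' -f1; }

# verify_image EXPECTED_SHA256 IMAGE LOGFILE
# Records the image hash and returns 0 on match, 2 on mismatch.
verify_image() {
    expected="$1"; img="$2"; log="$3"
    actual=$(hash_file "$img") || return 1
    echo "image sha256:        $actual" >>"$log"
    if [ "$actual" = "$expected" ]; then
        echo "result: VERIFIED (source and image hashes match)" >>"$log"
        return 0
    fi
    echo "result: MISMATCH (expected $expected)" >>"$log"
    return 2
}

# acquire_image SOURCE DEST LOGFILE
# Hashes SOURCE, copies it block for block with dd (dd's own records in/out
# summary is captured into the log), then verifies the image. Plain dd stops
# on a read error; for damaged media use a tool with error handling and note
# in the log that padding makes a source/image hash match impossible.
acquire_image() {
    src="$1"; dst="$2"; log="$3"
    {
        echo "acquisition started: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "examiner host:       $(uname -n)"
        echo "source:              $src"
        echo "image:               $dst"
    } >>"$log"
    src_hash=$(hash_file "$src") || return 1
    echo "source sha256:       $src_hash" >>"$log"
    dd if="$src" of="$dst" bs=1048576 2>>"$log" || return 1
    sync
    verify_image "$src_hash" "$dst" "$log"
    rc=$?
    echo "acquisition finished: $(date -u +%Y-%m-%dT%H:%M:%SZ)" >>"$log"
    return $rc
}

# Usage when run directly (placeholder paths):
#   acquire_image /dev/sdX /mnt/evidence/sdX.dd /mnt/evidence/sdX.log
if [ "$#" -eq 3 ]; then acquire_image "$@"; fi
```

The log ends up holding timestamps, both hashes and dd's record counts, which is the minimum a later reader needs to check that the image is the drive that was acquired.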
I've had a lot of success with forensic Linux boot disks. The only downside of Linux is the relatively limited driver support when you come up against certain hardware. You really want to pick one that updates its driver support often.
Basically, walk out with your boot disks and a collection of large hard drives in good quality USB/FireWire/eSATA enclosures. I personally use the Antec MX-1 enclosures for on-site.
You'll also want a backup solution for when your boot disk doesn't work. I have some small form factor PCs for this purpose. Pull the drives onsite, image with your own hardware, good to go.
I know that many people tend to prefer hardware acquisition solutions such as those from Logicube, but I've never had a system that I couldn't get with my current solutions.
Kaly,
I'll keep the sales pitch to a minimum, however F-Response (EE/CE/FK) should meet your needs at a variety of price points.
Send me a PM and I'll gladly set you up with a 30 minute live demonstration via GoToMeeting.
Thanks.
Warmest Regards,
Noting my limited experience…
I would use Helix.
A Helix CD in two computers, one the target server and the other your image destination system. This way you could image the live system over the network. Well, that's what I would do, or try to do anyway.
good luck
Guys
Thanks for all the responses, I have carried out a lot of research and I think I need to test a number of products, I will post back later when I have come to a conclusion.
M Shannon, I have sent you a PM.
Thanks Guys
kaly
What do you mean by "…in a forensic manner"?
HTH
Why do you torment people?
lol
If it is a server and it cannot be shut down then you can either use Helix or FTK imager and do a live acquisition. The best method is to shut down the server and/or workstation and use Helix to boot and then image to a USB drive. If you are doing a workstation, then you can also connect a hard drive internally as well to increase speeds. The only problem that I've encountered when imaging a server to a USB drive is when the USB standard is 1.0, so in some cases I've connected a hard drive internally when possible to increase the speed and shorten the time a server has to be down for.
You have to be aware that Helix will not work on every single server and computer you will run across. When we go out to a site, we bring at least three different bootable CDs that we have access to. One is a bootable copy of XP that we use and another is called Raptor.
Hope this helps.
Almost any tool you use in your lab should be available to you for onsite acquisitions whether they are boot disks, Logicube/HardCopy devices or other items. Typically, if the owner of the computer won't let you take the machines with them, they probably don't want them shut down either. Therefore, you will want to stock up on USB portable hard drives to plug into the servers to receive the data.
Guys
thanks for the additional replies,
I have used Helix before for some disaster recovery, and it is very good,
But I really wanted to get a feel for what people were using. I have used FTK and EnCase a lot but have always found the software a bit unreliable, lots of crashes etc. So trying to use these products onsite in a stressful environment was a no-no for me, but now I must find a solution to acquire onsite due to some legal issues.
I will try a number of products and will post my results coupled with my requirements so others can use them in the future.
Thanks
K