Physical Imaging Over WiFi

markl1975
(@markl1975)
Posts: 63
Trusted Member
Topic starter
 

Hello,

Does anyone know if it is possible to get a physical image of a device over WiFi, or do you actually need a physical connection to the device to access the raw data?

The reason I'm asking is that we've been asked to look at the range of WiFi card readers and hard drives on the market, and to see if we can image a device plugged into one.

I'm not sure it's possible. We've had success carrying out a logical copy of data on the WiFi devices, but so far haven't been able to carry out a physical image.

I'm using command-line dc3dd to mount and image the devices for imaging.

Thanks for your help,

Mark

 
Posted : 23/12/2015 3:43 pm
athulin
(@athulin)
Posts: 1143
Noble Member
 

Does anyone know if it is possible to get a physical image of a device over WiFi, or do you actually need a physical connection to the device to access the raw data?

That would depend on what kind of software that acts as the connection between the network and the disk, wouldn't it?

I mean, consider iSCSI. It doesn't care what kind of physical network you're connecting over, as long as you have a TCP connection. If you're using ATA-over-IP … well, the name says what you can expect.

The reason I'm asking is that we've been asked to look at the range of WiFi card readers and hard drives on the market, and to see if we can image a device plugged into one.

That sounds more like a question of what these units actually support. You have to read the documentation or talk to the manufacturer for that. Or, perhaps also, what platform and device drivers you're using.

If all the units offer is SAMBA/CIFS, for example, then that's what you get.

 
Posted : 23/12/2015 4:51 pm
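
The check suggested above, finding out what a unit actually supports, can be scripted. This is an added example, not part of any post in the thread: it probes a unit for storage services and sorts them into block-level (raw sectors, so a physical image may be possible) and file-level (logical copy only). The port numbers are the protocols' well-known defaults and the grouping is an assumption of this sketch; a unit may run services on other ports.

```python
import socket
import sys

# TCP services grouped by the kind of access they give (well-known default ports).
BLOCK_LEVEL = {3260: "iSCSI", 10809: "NBD"}               # raw sectors
FILE_LEVEL = {21: "FTP", 80: "HTTP/WebDAV", 139: "SMB over NetBIOS",
              445: "SMB/CIFS", 548: "AFP", 2049: "NFS"}   # files only
NBD_GREETING = b"NBDMAGICIHAVEOPT"  # first 16 bytes of an NBD newstyle handshake

def probe(host, ports, timeout=1.0):
    """Return the sorted subset of `ports` that accept a TCP connection."""
    found = []
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                found.append(port)
        except OSError:  # refused, timed out, unreachable
            pass
    return sorted(found)

def speaks_nbd(host, port, timeout=1.0):
    """Confirm an open port really is NBD by reading the server greeting."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = b""
            while len(data) < len(NBD_GREETING):
                chunk = s.recv(len(NBD_GREETING) - len(data))
                if not chunk:
                    break
                data += chunk
            return data == NBD_GREETING
    except OSError:
        return False

def classify(open_ports):
    """Map open ports to service names and an acquisition verdict."""
    block = [BLOCK_LEVEL[p] for p in open_ports if p in BLOCK_LEVEL]
    files = [FILE_LEVEL[p] for p in open_ports if p in FILE_LEVEL]
    if block:
        verdict = "block-level service present: physical image may be possible"
    elif files:
        verdict = "file-level services only: logical copy only"
    else:
        verdict = "no known storage service found"
    return {"block": block, "file": files, "verdict": verdict}

if __name__ == "__main__":
    # Address of the unit under examination; defaults to localhost.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(classify(probe(host, list(BLOCK_LEVEL) + list(FILE_LEVEL))))
```

An open block-level port only shows that the protocol is offered; which device or partition the unit exports through it still has to be checked before calling the result a physical image.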
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'm not sure it's possible.

I also think it is not possible unless the device has been explicitly and intentionally provided with the feature by the manufacturer or is modified to have it.
As I see it the device needs to run - simple or minimal as it might be - an OS of some kind, capable of connecting through a network protocol to other devices on the Wi-Fi, and this would most probably be a firmware, possibly flashable.
But the base functions of this hypothetical mini-OS would only be those of - at boot - expose the device to the WiFi connection and there would be no real reason to expose the PhysicalDrive, it will be needed to modify the firmware (if possible) to use the "mini-OS" to access the data.

Only seemingly OT, a few years ago it was quite common a network disk by LaCie that ran a Linux that could be modified to have different or (more) functions
http://www.rigacci.org/wiki/doku.php/doc/appunti/hardware/lacie_d2_network

Loosely, the thingy is to all effects like a "router" running its own OS, just like you can flash *whatever* on a router, you can flash to the wi-fi hard disk or card reader, point is whether an alternate firmware for the thingy exists or you will have to write your own or modify the existing one.

So you should IMHO go "backwards", find models for which alternate firmwares exist, and see if they provide this functionality or if however the method to workaround the (typically implemented by the manufacturer) authentication methods for the firmware have been published.

jaclaz

 
Posted : 23/12/2015 5:12 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

I'm not sure it's possible.

Mobile Edit Forensic can do it.

 
Posted : 23/12/2015 8:08 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I'm not sure it's possible.

Mobile Edit Forensic can do it.

For *any* Wi-Fi connected storage device? 😯
Could you post some details on how this is achieved?

jaclaz

 
Posted : 23/12/2015 8:55 pm
mscotgrove
(@mscotgrove)
Posts: 934
Prominent Member
 

I would not expect a problem with WiFi, except for speed.

 
Posted : 23/12/2015 9:08 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I would not expect a problem with WiFi, except for speed.

As well, do you care to explain how to access the RAW device through Wi-Fi?

jaclaz

 
Posted : 23/12/2015 9:16 pm
markl1975
(@markl1975)
Posts: 63
Trusted Member
Topic starter
 

I second Jaclaz… how do you access the RAW device over WiFi?

 
Posted : 23/12/2015 11:10 pm
KungFuAction
(@kungfuaction)
Posts: 109
Estimable Member
 

Connect via internal network and/or VPN using remote control software. Run the imager on the remote (source) computer, with the image destination being a local (target) IP-mounted drive via an old LAN Manager command, such as "net use k: \\192.168.0.11\c$"

 
Posted : 22/01/2016 1:49 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Connect via internal network and/or VPN using remote control software. Run the imager on the remote (source) computer, with the image destination being a local (target) IP-mounted drive via an old LAN Manager command, such as "net use k: \\192.168.0.11\c$"

Well, this assumes a "subset" of devices, namely a device that runs an OS (or firmware) and that is accessible through a remote control software of some kind, besides having access to a network drive.

jaclaz

 
Posted : 23/01/2016 12:45 pm
Skulkin
(@skulkin)
Posts: 38
Eminent Member
 

To jaclaz

Igor means that MOBILEdit! is able to acquire mobile devices via Wi-Fi, such as iOS and Android. It uses Connectors for this.

You can read more about it here

http://www.mobiledit.com/guide.htm?CHAPTER=06.03

 
Posted : 24/01/2016 1:13 am
athulin
(@athulin)
Posts: 1143
Noble Member
 

Igor means that MOBILEdit! is able to acquire mobile devices via Wi-Fi, such as iOS and Android. It uses Connectors for this.

Note, though, that that is an answer to a different question than the one the OP asked:

The reason I'm asking is that we've been asked to look at the range of WiFi card readers and hard drives on the market, and to see if we can image a device plugged into one.

WiFi Card readers and hard drives … sounds a bit like the WD Passport WiFi, for example. However, as that does have a USB connection, which I assume could also be used for acquisition, I'm not sure it qualifies. There's also a Panther USB hub with built-in card reader, but again the USB connection would probably do for acquisition.

My guess is that these thingies have some kind of CIFS built into the WiFi part, allowing file-server-type acquiry, but not getting at unallocated device space, and not giving the actual file system metadata, but only that CIFS presents to the world. OK, if you can't get at it in any other way, but not really what the discerning DFA wants. Access over USB is more likely to give access to the raw media.

But there's no real point in guessing.

 
Posted : 24/01/2016 1:05 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

To jaclaz

Igor means that MOBILEdit! is able to acquire mobile devices via Wi-Fi, such as iOS and Android. It uses Connectors for this.

You can read more about it here

http://www.mobiledit.com/guide.htm?CHAPTER=06.03

Well, try re-reading the OP question attentively, and then please confirm that MOBILEdit! does represent an answer to that question (and not to another one).

jaclaz

 
Posted : 24/01/2016 7:48 pm
Skulkin
(@skulkin)
Posts: 38
Eminent Member
 

Em, I just explained, why Igor told you so about MOBILedit! Forensic. And I know, that it's not the answer to the OP question.

 
Posted : 24/01/2016 9:51 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Em, I just explained, why Igor told you so about MOBILedit! Forensic. And I know, that it's not the answer to the OP question.

Which is good :) BUT I already (previously and without your intervention) perfectly understood Igor's reply and already pointed out how that would be only a partial answer valid only for a given "subset of devices".

jaclaz

 
Posted : 24/01/2016 10:35 pm