
RAID LIVE imaging

17 Posts
8 Users
0 Reactions
1,238 Views
CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Here are 2 scenarios:

Scenario 1: An incident occurred and an entire imaging process needs to be applied on a live "Windows" server without restarting or switching off Windows. The target would be a massive-capacity hard drive which will be connected to the server.

Scenario 2: An incident occurred and an entire RAID imaging process needs to be applied on a live "Linux" server without restarting or switching off the system. The target would be a massive-capacity hard drive which will be connected to the server.

What software is to be used? Or hardware?

I know you can use live CDs to do imaging, then import the images into FTK, but in this case the servers are not to be switched off.

Thanks,

(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I've done scenario 1 using FTK imager.

EDIT: FTK Imager Lite on a USB-attached hard drive. I should have been clearer.
CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Great work. So, a question regarding scenario one: have you got a document that will tell you all the important logs and their locations on all Windows versions? Like a list of locations of all logs in all versions of Windows?

Can anyone share his/her experience with scenario 2?

Thanks again.
(@mscotgrove)
Prominent Member
Joined: 17 years ago
Posts: 940
 

DD could be a starting point

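As an added example of the dd-based starting point suggested above (this is not code from the thread or from any of the posters; the device names, log format and 4 MiB sample source are assumptions), the script below images an assembled Linux software-RAID device to a target file with dd, records a SHA-256 of the resulting image in an acquisition log, and later re-verifies the image against that recorded hash. It images the logical md device rather than the individual member disks, so the result is the assembled volume and does not need to be rebuilt afterwards. Because the source is live, the source itself cannot be re-hashed for comparison (it keeps changing), which is why verification is done against the image's own recorded hash.

```shell
#!/usr/bin/env bash
# Added example: live acquisition of an assembled Linux md RAID device with dd.
# Not from the thread; device paths, log format and sample data are assumptions.
set -euo pipefail

# Print the assembled md arrays (e.g. /dev/md0) so the examiner images the
# logical device, not the member disks. Silent when /proc/mdstat is absent.
list_md_arrays() {
    if [ -r /proc/mdstat ]; then
        awk '/^md[0-9]+ :/ {print "/dev/" $1}' /proc/mdstat
    fi
}

# image_device SOURCE DEST LOG [BLOCKSIZE]
# Copies SOURCE to DEST block by block. conv=noerror,sync keeps going past
# unreadable blocks and zero-pads them so offsets in the image stay aligned
# with the source. The SHA-256 of the finished image is appended to LOG and
# printed on stdout.
image_device() {
    local src="$1" dest="$2" log="$3" bs="${4:-4M}"
    printf 'start=%s source=%s dest=%s bs=%s\n' \
        "$(date -u +%FT%TZ)" "$src" "$dest" "$bs" >>"$log"
    dd if="$src" of="$dest" bs="$bs" conv=noerror,sync 2>>"$log"
    local sum
    sum=$(sha256sum "$dest" | cut -d' ' -f1)
    printf 'end=%s sha256=%s\n' "$(date -u +%FT%TZ)" "$sum" >>"$log"
    printf '%s\n' "$sum"
}

# verify_image IMAGE LOG
# Re-hashes IMAGE and compares it with the last sha256= value recorded in LOG.
# Prints 1 on a match, 0 otherwise.
verify_image() {
    local image="$1" log="$2" recorded current
    recorded=$(sed -n 's/.*sha256=\([0-9a-f]*\).*/\1/p' "$log" | tail -n 1)
    current=$(sha256sum "$image" | cut -d' ' -f1)
    if [ -n "$recorded" ] && [ "$recorded" = "$current" ]; then
        echo 1
    else
        echo 0
    fi
}

# demo: stands in for "image /dev/md0" with a constructed 4 MiB random file
# (a multiple of the block size, so conv=sync adds no padding). Prints the
# verification result (1 = image matches its recorded hash).
demo() {
    local work
    work=$(mktemp -d)
    dd if=/dev/urandom of="$work/md0.sample" bs=1M count=4 2>/dev/null
    image_device "$work/md0.sample" "$work/md0.dd" "$work/acq.log" 1M >/dev/null
    verify_image "$work/md0.dd" "$work/acq.log"
}
```

On a real system the call would be something like `image_device /dev/md0 /mnt/target/md0.dd /mnt/target/acq.log` with the target drive mounted from the attached high-capacity disk. Note that an image of a mounted, running filesystem is a snapshot of changing data: files being written during the copy may be captured inconsistently, which is the inherent trade-off of live acquisition versus imaging from a boot CD.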
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

I have done both. F-Response on either scenario then use your tool of choice on your capture/exam machine.

EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

Another vote for F-Response. It just works.
JonN
(@jonn)
Trusted Member
Joined: 20 years ago
Posts: 73
 

EnCase v7.06 Direct Network Connection?

You can create servlets for Windows (32 and 64 bit), Mac OS's, Linux and more.

CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Those who've used FTK, I agree it's simple and just does the job, but in Linux it's a little bit different, especially when I want live acquisition.

So, those who voted for F-Response and EnCase, perhaps a little bit of how-to?

Cheers.
JonN
(@jonn)
Trusted Member
Joined: 20 years ago
Posts: 73
 

EnCase: create a servlet on the examiner machine, install/run it on the target machine(s), use the 'Add Network Preview' function in EnCase to connect to the target machine, then browse file systems, acquire data, etc. as per normal.

Evidence Processor has a Snapshot function that can be used to collect volatile data such as open ports, network connections, open files, logged-on users, etc.
EricZimmerman
(@ericzimmerman)
Estimable Member
Joined: 13 years ago
Posts: 222
 

Easiest way to see F-Response in action is to watch the videos on their site, f-response.com
Page 1 / 2