Server Acquisitions - software?

7 Posts
5 Users
0 Reactions
556 Views
(@research1)
Estimable Member
Joined: 17 years ago
Posts: 165
Topic starter  

I know this is a very generic question, subject to server type, storage set-up etc - but generally, what solutions (software/hardware) set-ups do you people use for server acquisitions? This question applies to servers which can be turned off, and those which cannot.

I am not interested in RAM at this stage.

I am looking into F-Response, any bad points to this software? I want more than 1 solution. If you know of the 'rough' price, that would be useful also. I would prefer reviews based on personal experience, rather than hearsay.

Many Thanks,


(@thepm)
Reputable Member
Joined: 17 years ago
Posts: 254
 

For servers that can be turned off, we use ForensicSoft SAFE boot CD. It allows you to use your standard Windows acquisition tools (FTK Imager, Encase, etc.) and since it runs in a WinPE-like environment, you can load any Vista compatible device drivers for RAID controllers, Fiber Channel cards, etc. Very useful.

For servers that can't be turned off, we use FTK Imager Lite.


(@thepm)
Reputable Member
Joined: 17 years ago
Posts: 254
 

Also, for servers that can't be turned off, you can use FTK 3's Remote Data Acquisition feature. Through the network, you remotely install an agent on the server which allows you to mount and acquire the server drives from your FTK workstation or laptop.

However, when performing live forensics on a server, you should always stop the services which are accessing data files (e.g. Exchange) because you might encounter some strange situations.


(@research1)
Estimable Member
Joined: 17 years ago
Posts: 165
Topic starter  

Hitman, thanks for your reply.

Am I right in saying FTK remote, and Lite, are not forensically sound?


(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

To add to the suggestions above, in dead-box acquisitions where we have concerns about proprietary hardware support of the various Linux-based distros, we have used WinFE with great results. In fact, we include this in our list of possible methods when we write up a discovery request.

And I cannot say enough good things about F-Response, which keeps getting better and better. We recently completed imaging of an enterprise network (consisting of Linux and Windows based servers and workstations, Suns and Macs) located in Eastern Europe, without ever leaving our offices in the US. This saved our client thousands of dollars in travel and hourly rates that would have been incurred had we needed to put someone on-site.


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Hitman, thanks for your reply.

Am I right in saying FTK remote, and Lite, are not forensically sound?

What is "forensically sound"?

Are you asking if running software on the target machine will change anything? If keeping the target machine running will change anything? Either of those things and many more will impact a running system (of course so will shutting it off). Does that mean the process or software is not forensically sound? No.

If your definition of forensically sound is capturing an image from a target and having the hash match the original, then you will have to stick with dead systems. Any type of live analysis results in a constant change. Memory changes as the system runs and as the capture process happens, disk activity happens and changes that happen during a capture are quite likely to be missed. Does that mean the process is not forensically sound? For me I can document my process and show that even though there is change what I am doing is sound.

And back to your original question, I like F-Response and the people there are quite responsive.


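The point made in the post above, that a live capture cannot be proven by re-hashing the source afterwards and is instead supported by documenting exactly what was read, as an added example that is not code from this thread or from any of the tools named in it: a chunked acquisition that hashes the bytes as they are captured, verifies the written image against that hash, and writes a JSON acquisition log. The file names, the log layout and the constructed 1 MiB sample "disk" (which is then modified to stand in for a server that kept running) are my own assumptions.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1 << 16  # 64 KiB read size

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire(src_path, img_path, log_path):
    """Copy src to img, hashing bytes as read; log both hashes and timestamps as JSON."""
    read_hash, started = hashlib.sha256(), time.time()
    with open(src_path, "rb") as src, open(img_path, "wb") as img:
        for block in iter(lambda: src.read(CHUNK), b""):
            read_hash.update(block)  # hash of what was actually captured
            img.write(block)
    acq, written = read_hash.hexdigest(), sha256_file(img_path)
    record = {"source": src_path, "image": img_path, "started": started,
              "finished": time.time(), "acquisition_sha256": acq,
              "image_sha256": written, "image_verified": acq == written}
    with open(log_path, "w") as log:  # assumed log format: one JSON object per capture
        json.dump(record, log, indent=2)
    return record

def source_still_matches(record):
    """Re-hash the source now: True for a dead source, usually False for a live one."""
    return sha256_file(record["source"]) == record["acquisition_sha256"]

def demo():
    """Constructed sample: a 1 MiB 'disk' file that a running service then alters."""
    d = tempfile.mkdtemp()
    src, img, log = (os.path.join(d, n) for n in ("disk.raw", "disk.dd", "log.json"))
    with open(src, "wb") as f:
        f.write(os.urandom(1 << 20))
    rec = acquire(src, img, log)
    before = source_still_matches(rec)  # True: nothing has changed yet
    with open(src, "r+b") as f:  # simulate a service writing while the server keeps running
        f.seek(4096)
        f.write(b"log entry written while the server kept running")
    after = source_still_matches(rec)  # False: the source has diverged from the image
    return rec["image_verified"], before, after  # (True, True, False)
```

The image remains verifiable against the acquisition hash recorded at capture time even though the source no longer matches it, which is the distinction the post draws between a hash-match definition of soundness and a documented process.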
(@dougee)
New Member
Joined: 21 years ago
Posts: 4
 

I would also recommend F-Response in this situation. We use it all the time for getting to remote machines across the network and capturing full disk images, logical volumes or folders. The boot CD is also good, as it saves having to remove hard drives from notebook computers.

What I like is the fact that we are not stuck with one forensic tool and can use different tools if one works better than the other. We use EnCase, FTK Imager and the cmd line tools; it just gives us flexibility.

Also I cannot speak too highly of the support that the guys at F-Response give you as well.

