Smart Copying

20 Posts
10 Users
0 Reactions
1,576 Views
(@markl1975)
Trusted Member
Joined: 16 years ago
Posts: 63
Topic starter  

Hello,

We have a late-night requirement to copy files from a suspect PC in an office. Without going into too many details we only have a small window of time, and we can't switch the machine off (unless deemed absolutely necessary)

Are there any tools that you'd recommend to pull off only the file types that we wanted? We definitely want the .pst files, and probably .dat files, plus docs, jpgs, xls files as well.

I was looking at Photorec, running from a USB drive. I understand this can pull back deleted files as well.

Normally we'd just image the whole hard drive, but as we only have a limited amount of time, this isn't possible. I know the PC contains a 1TB disc, and even with a handheld forensic imager, this will still take 4+ hours.

If we have to remove the drive, we'd still like to only acquire those file types listed above. We'll probably stage a power-cut in this instance, but would prefer the PC user not to suspect anything.

Does anyone have a recommendation for targeting specific file-types, rather than imaging the whole disc?

Many thanks,

Mark


   
Quote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

POINT 1

we can't switch the machine off (unless deemed absolutely necessary)

POINT 2

We'll probably stage a power-cut in this instance,

markl1975, sorry to appear pedantic, but what you propose that you want to avoid in point 1 you may actually achieve the opposite by point 2.

Also if you have no power will you be bringing your own?


   
ReplyQuote
(@markl1975)
Trusted Member
Joined: 16 years ago
Posts: 63
Topic starter  

trewmte,

The PC user leaves his machine on overnight. We know that he sometimes leaves it compressing DVD Vob files to .avi files.

I guess this is a covert collection of specific files from a live machine. If we have to switch his machine off, the company will say the power tripped in this section of the building the next day. This should avoid suspicion when the guy comes in and realises his PC is off when he left it on the previous night.

We'd like to do a live acquisition, but if it would be quicker to power the PC off, remove the hard drive and copy files that way, then we will.

What I'd really like to know are suggestions for rapid acquisition of the known file types in a short amount of time. The CEO of the company would like us in after the last people leave, and out before the cleaners come in the morning, hence the small window of opportunity.

This is the first time we've been asked to do a job like this with a limited time-frame. We would usually image the full drive and take this back to our office for analysis.

Any pointers would be much appreciated,

Mark


   
ReplyQuote
(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123
 

F-response and do a network acquisition? This way you'll have your full image and no need to shut down the PC. Plus you could set up in another room away from the rest of the office.


   
ReplyQuote
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Mark, I hope you don't think I was being cheeky by raising the observation about the power issue.

I was going to suggest have you spoken with Nick Ferneaux from CSItech

http://www.csitech.co.uk/index.php
Telephone – 0845 3884697

f-response is another option, which ddewildt has already suggested to you.


   
ReplyQuote
(@markl1975)
Trusted Member
Joined: 16 years ago
Posts: 63
Topic starter  

I'll get in touch with Nick. I think we've spoken with him before, but not me personally.

The only problem with f-response is that the machine is no longer networked. The guy has a separate networked PC at his desk. The CEO suspects this guy is up to no good on his machine, copying company documents to USB, etc… He's quite IT knowledgeable too.

It used to be networked, which is why we want to see if there are any left over .pst files. If they've been deleted then they're probably unrecoverable by now, but it's worth a try.

We haven't asked the CEO too many questions. He's just asked us to look at this machine and pull off what we can. I reckon we can get most of it using Photorec on a USB stick, unless there are any better tools (non-network) anyone knows of.

I'll give CSItech a call too, and see what Nick suggests.

Mark


   
ReplyQuote
Jamie
(@jamie)
Moderator
Joined: 5 years ago
Posts: 1288
 

Mark - check your PM box


   
ReplyQuote
(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123
 

No network makes it a bit of a b****r…

Another option would be to use FTK Imager from a USB stick and create an AD1 logical image file of just the files/folders you want. I guess the only disadvantage to this would be that you would need to know where the files are in order to mark them for addition to the AD1 - as you can't sort by extension or do searches in Imager.

Maybe you could use this in conjunction with Photorec? So for example you can use Imager to get the common areas that you might want to look at (Doc and Settings, Windows Folder etc) and then use photorec for some of the other things you want. Having never used photorec I'm not sure if this duplicates a lot of the activity, but just trying to think of some other avenues for you.

HTH


   
ReplyQuote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

There are a lot of tools that will collect by filetype or signature.

1) EnCase Portable will do a custom collection based on configuration.
2) PinPointlabs SafeCopy2 will run from a USB and collect files by type. (It does NOT work on signatures, which is why #3 is included in this list.) (http://www.pinpointlabs.com/new/safecopy2.html)
3) MicroForensics Titan Collector will run from a USB or external drive and collect files from the target based on date, type, owner, hash, or file signature. (http://www.microforensics.com/pages/software-titan.php)

-David


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Does anyone have a recommendation for targeting specific file-types, rather than imaging the whole disc?

If you have access to the system, plug in a USB removable storage device, open up a command prompt, and run a batch file.

If you don't have physical access to the system, fire F-Response at it, and then run your batch file against the mounted drive. Heck, you don't even really need F-Response…just map the root drive.


   
ReplyQuote