What is your most common image acquisition setup?

14 Posts
8 Users
0 Reactions
805 Views
(@olddawg)
Estimable Member
Joined: 19 years ago
Posts: 108
Topic starter  

When you perform a HDD image acquisition, what sort of setup do you find you use most often? For example, do you find it easier to remove the suspect HDD and plug it into forensic workstation or do you often use an IDE to USB/Firewire cable? Do you leave the HDD in place, hook up a USB external, do a Helix boot and image to the external drive?

(@chague)
Eminent Member
Joined: 19 years ago
Posts: 33
 

Hey OldDawg…

It depends on your situation and the media you are trying to acquire. Being in a corporate environment with 72% Windows, I find myself doing a lot of acquisitions over the network using the Helix CD with the smbmount command to map a drive; then I'll use the EnCase LinEn utility with 2GB image files. I like to upload the images to a "secured" storage medium. In other cases, I'll pull the drive from a terminated employee, image it, and then store it in a safe.

Not sure if anyone has any benchmarks on USB/Firewire vs. network acquisitions?

Servers are another story.

Hope this helps, or at least gets the thread moving :D

Chris

psu89
(@psu89)
Estimable Member
Joined: 20 years ago
Posts: 118
 

To add another question: if acquiring over the network, are you concerned about encrypting the transmission?

(@herrenj)
New Member
Joined: 19 years ago
Posts: 2
 

OldDawg….we do all three mentioned above, according to the environment we are working in. I'm also in a corporate environment, so much of the time I use EnCase Enterprise to suck it down over the network (psu89 - EE encrypts the traffic). If it is a drive from a termed employee we will get the PC in and remove the drive, hook it to a Fastbloc FE and acquire it that way. If for some strange reason we have to go into the field, I will either boot the PC to a LinEn util and grab it via a crossover cable to either netcat or EnCase, or leave the drive where it is and set the Fastbloc in the case with the PC. I haven't had to do this since getting EE.

Chague….too many network variables to get a good reading on USB/Firewire vs. network. Much of our network varies from 256k DSL all the way to gig Ethernet. I will say that it is much easier to acquire a server with a network client….I don't have RAID-capable write protection, and rebuilding a RAID array in EnCase is not any fun. With EE, as long as the agent is there, it is a snap.

(@chague)
Eminent Member
Joined: 19 years ago
Posts: 33
 

That's a good question about the trustworthiness of the transport. Again, it depends on the network. In my case, I am intimately familiar with "my" network, since I do have the duty of securing it ;-). I've used cryptcat, the encrypted version of netcat, with some luck. Also, to clarify things, most network acquisitions that I've been performing are done over gig Ethernet. Anything that involves "remotes", i.e. over a frame-relay connection, I will do onsite with an x-over cable as you described.

Maybe some benchmarks on 10/100/1000 switched networks and benchmarks on USB/Firewire.

I'm looking at EE over the next few months, which will hopefully simplify the process.

(@herrenj)
New Member
Joined: 19 years ago
Posts: 2
 

Chague….great comments, I also have used cryptcat to acquire with great success.

I have had a fair amount of success with EE and acquiring from remotes down to about 512k. The other variable you run into with EE is the remote machine and where you do compression. If you have a decent processor on the remote PC, you can run compression pretty high, which brings down the amount of network traffic you have to pull. If the machine on the other end is not decent…you will kill it trying to do compression. Also, creating logical evidence files greatly reduces the amount of traffic to come across.

Seems like I saw some numbers the other day for USBv2 vs. firewire 800….would be interesting to compare these to a gig network acquire.

(@branerift)
Trusted Member
Joined: 20 years ago
Posts: 59
 

> When you perform a HDD image acquisition, what sort of setup do you find you use most often? For example, do you find it easier to remove the suspect HDD and plug it into forensic workstation or do you often use an IDE to USB/Firewire cable? Do you leave the HDD in place, hook up a USB external, do a Helix boot and image to the external drive?

It really just depends on the situation and what equipment I have available. Typically I remove the suspect HD, take pics of it for court purposes, get the information off the label (a lot of nonsense, but the courts like it), and finally hook it up to either an IDE write block, Firewire block (or something similar) and use either EnCase or FTK Imager to acquire the drive.

I am sure others have their own way they do it…

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> …get the information off the label (a lot of nonsense, but the courts like it),

Nonsense, eh? Sounds like a retraining issue.

Not only do I mark the information on my acquisition worksheet, noting the serial number and manufacturer of the drive, but I also use an indelible ink marker to put my initials and date on the drive. Know why? It's easy for someone to grab another similar drive and ask me, "Is this the drive you imaged?" There is no way I'm going to be able to memorize the serial number, so with my "mark", I can say yes.

There's a reason we do the things we do…in many cases, to protect us, our client, and the accused. If it's "nonsense" then perhaps we shouldn't be doing it…otherwise, it gets done and done right, every time.

Wardy
(@wardy)
Estimable Member
Joined: 20 years ago
Posts: 149
 

As you said most common, here goes…

We remove the drive from the host PC and label it immediately. On the label we write the exhibit number. If the drive is part of a RAID or one of many in the host PC, we note down which cable it was connected to.

At this stage we record the following details from the HDD -
Make
Serial No
Model
Size
CHS
LBA
Manufactured Date

The hard disk is then connected via a write blocking device to one of our acquisition machines. We then use FTK imager to obtain the forensic image. The acquisition start time is noted as well as a description of what we have had to do, including where we have had to move jumpers.

The host PC is switched on while its HDD(s) are being acquired and all of the BIOS details are recorded, including date, time, boot order, RAM etc. The host PC is then switched off and all devices installed are recorded, such as network card, modem, CD-ROM etc. The examiner's name is also recorded on the same form, which is part 1 of 2. Part 2 is the form where we record the HDD information.

We then record the storage location of the image and the image file name, which matches the exhibit name, plus sub-exhibit number where appropriate. Upon completion of the acquisition, we note whether there have been any errors and whether the verification hash is correct.

If the acquisition has verified without errors we put the HDDs back into the host PC and return it to a secure store. At no point in time is the host PC switched on with the hard disks attached.

With all of the above in mind, we know exactly what was imaged, who imaged it, and whether a good acquisition was obtained, but most importantly we have accountability.

I have never been asked in court for the details of a drive we have imaged, but I know for a fact the defence experts have checked these details to ensure the evidence I have found is on their suspect's hard disk drive and not someone else's….

This is our most common method of acquisition.

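The two record-keeping points raised in the thread, Chague's segmented 2GB image files and Wardy's worksheet entry for "whether the verification hash is correct", can be tied together in a small script. The following is an added example, not code from the thread or from any of the tools named in it (EnCase, FTK Imager, Helix). It images a constructed in-memory "drive" into fixed-size segments named after the exhibit number, records per-segment and whole-image SHA-256 hashes alongside the drive details, and then re-verifies the stored segments against that record, flagging a short read, a missing segment, or a segment whose content no longer matches. The 64-byte segment size, the exhibit and drive details, and the `.001` naming are all assumptions chosen for the demonstration.

```python
import hashlib
import io
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed stand-in for the 2GB segment size discussed in the thread.
SEGMENT_SIZE = 64


def now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class AcquisitionRecord:
    """Part 2 of the worksheet: what was imaged, by whom, and what came out."""
    exhibit: str
    examiner: str
    make: str
    model: str
    serial: str
    size_bytes: int            # size as recorded from the drive label / BIOS
    started_at: str = ""
    finished_at: str = ""
    bytes_read: int = 0
    image_files: list = field(default_factory=list)
    segment_hashes: list = field(default_factory=list)
    image_sha256: str = ""


def acquire(source, record: AcquisitionRecord, segment_size: int = SEGMENT_SIZE) -> dict:
    """Read the (write-blocked) source end to end, split it into fixed-size segments
    whose names carry the exhibit number, and hash every segment plus the whole stream.
    Returns {segment_name: bytes}, standing in for files on the evidence store."""
    record.started_at = now()
    whole = hashlib.sha256()
    segments = {}
    index = 1
    while True:
        chunk = source.read(segment_size)
        if not chunk:
            break
        name = f"{record.exhibit}.{index:03d}"   # hypothetical naming scheme
        segments[name] = chunk
        record.image_files.append(name)
        record.segment_hashes.append(hashlib.sha256(chunk).hexdigest())
        record.bytes_read += len(chunk)
        whole.update(chunk)
        index += 1
    record.image_sha256 = whole.hexdigest()
    record.finished_at = now()
    return segments


def verify(segments: dict, record: AcquisitionRecord) -> tuple:
    """Re-hash the stored segments against the record. Returns (ok, problems)."""
    problems = []
    if record.bytes_read != record.size_bytes:
        problems.append(f"read {record.bytes_read} bytes, drive label says {record.size_bytes}")
    whole = hashlib.sha256()
    for name, expected in zip(record.image_files, record.segment_hashes):
        data = segments.get(name)
        if data is None:
            problems.append(f"missing segment {name}")
            continue
        if hashlib.sha256(data).hexdigest() != expected:
            problems.append(f"segment {name} does not match its recorded hash")
        whole.update(data)
    if whole.hexdigest() != record.image_sha256:
        problems.append("whole-image hash does not match the record")
    return (not problems, problems)


def run_demo() -> dict:
    """Image a constructed 200-byte 'drive', verify it, then verify a tampered copy."""
    drive = bytes(range(200))                     # constructed sample content
    record = AcquisitionRecord(exhibit="EX-001", examiner="A. Examiner",
                               make="ExampleCo", model="HD-200", serial="SN000001",
                               size_bytes=len(drive))
    segments = acquire(io.BytesIO(drive), record)
    clean_ok, clean_problems = verify(segments, record)

    # Flip one byte in the second segment and check that verification notices.
    tampered = dict(segments)
    name = record.image_files[1]
    tampered[name] = bytes([tampered[name][0] ^ 0xFF]) + tampered[name][1:]
    tampered_ok, tampered_problems = verify(tampered, record)
    return {
        "segments": len(segments),
        "clean_ok": clean_ok,
        "clean_problems": clean_problems,
        "tampered_ok": tampered_ok,
        "tampered_problems": tampered_problems,
        "record": asdict(record),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The record is kept separate from the image data on purpose: the worksheet (or its JSON dump) is what gets signed and filed, and a later re-verification only needs the stored segments plus that record, not the original drive. Comparing `bytes_read` against the size taken from the label catches a truncated acquisition even when every segment that was written hashes correctly.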
(@branerift)
Trusted Member
Joined: 20 years ago
Posts: 59
 

> > …get the information off the label (a lot of nonsense, but the courts like it),
>
> Nonsense, eh? Sounds like a retraining issue.
>
> Not only do I mark the information on my acquisition worksheet, noting the serial number and manufacturer of the drive, but I also use an indelible ink marker to put my initials and date on the drive. Know why? It's easy for someone to grab another similar drive and ask me, "Is this the drive you imaged?" There is no way I'm going to be able to memorize the serial number, so with my "mark", I can say yes.
>
> There's a reason we do the things we do…in many cases, to protect us, our client, and the accused. If it's "nonsense" then perhaps we shouldn't be doing it…otherwise, it gets done and done right, every time.

Oh ya. I forgot. I do put my initials on the drive along with the property number and date/time. I wasn't saying I didn't know the reason for these things, it was sarcasm gone bad I guess if you took it wrong. You sure you aren't a supervisor somewhere? :P Such seriousness in your tone of text. With me… deep breath in…. out. There.. much better. :D
