Windows Server 2008
CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

So this time it's a compromised Windows Server 2008 with XSS. As a forensic incident handler, the best practice is to image the server (or part of it - specific logs) using imaging software or hardware.

What imaging software would you guys recommend in this example? FTK Lite?..

Anything that's compatible with Windows Server 2008.

Novunix
(@novunix)
Eminent Member
Joined: 16 years ago
Posts: 35
 

FTK Lite will do the job, as would Raptor, NBCaine or EnCase Portable.

It does depend on whether you have to do it "live" or you can turn the server off.

If it can go off (best practice) then imaging software will work regardless of the filesystem in use.

If you are Windows dependent then FTK lite or EnCase Forensic Imager would be my choices.

(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

If it can go off (best practice) then imaging software will work regardless of the filesystem in use.

File systems aren't everything. Servers do not infrequently have RAID setups … and the margin between imaging those one disk at a time, and reconstructing the RAID later, and imaging 'through' the RAID may not be significant when it comes to 'best practice' considerations.

(@lpforensic)
Active Member
Joined: 13 years ago
Posts: 18
 

So this time it's a compromised Windows Server 2008 with XSS. As a forensic incident handler, the best practice is to image the server (or part of it - specific logs) using imaging software or hardware.

What imaging software would you guys recommend in this example? FTK Lite?..

Anything that's compatible with Windows Server 2008.

FTK Imager, and if it is not too late, try to dump RAM.

CopyRight
(@copyright)
Estimable Member
Joined: 13 years ago
Posts: 184
Topic starter  

Great guys, so the server won't be shut off; it will have to be done in a live environment, so FTK Lite would do the job. Artifacts of interest in this case: event logs … and …. (anyone?)

Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

File systems aren't everything. Servers do not infrequently have RAID setups … and the margin between imaging those one disk at a time, and reconstructing the RAID later, and imaging 'through' the RAID may not be significant when it comes to 'best practice' considerations.

My experience has been the opposite. Servers are mostly RAID setups, with some exotic virtualised environments. Rebuilding a RAID from disk images is not trivial, and even when all attributes are known it is still not a guarantee of success.

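The point raised in the thread that rebuilding a RAID from member images is not trivial, even when the parameters are thought to be known, can be shown with a worked example. The Python below is added here and is not from the thread or from any of the tools it names. It builds a constructed three-member RAID-0 volume with a 512-byte stripe (real arrays usually stripe at 64 KiB or larger), splits it into per-member images as an imager would capture them one disk at a time, and then recovers the member order and stripe size by trying every candidate layout and checking whether the NTFS boot sector's $MFT pointer actually lands on a 'FILE' record. The sample volume, the candidate stripe sizes and the validity heuristic are all assumptions of the example; a real examination would validate a candidate layout by parsing the file system.

```python
"""Reconstruct a RAID-0 volume from per-member forensic images (added example).

Everything here is constructed: the member images are built in memory from a
synthetic NTFS-like volume so the script runs offline. The validity heuristic
(boot sector -> $MFT location -> 'FILE' record signature) is one simple check an
examiner can use to tell a correct member order and stripe size from a wrong one.
"""
import hashlib
import itertools
from typing import Callable, List, Sequence, Tuple

NDISKS = 3      # constructed array: three members
ROWS = 8        # stripes per member
STRIPE = 512    # constructed stripe size; real arrays are usually 64 KiB or more
MFT_LCN = 7     # cluster where the sample volume keeps its first MFT record


def sha256_hex(data: bytes) -> str:
    """Hash a member image or a rebuilt volume for the evidence log."""
    return hashlib.sha256(data).hexdigest()


def build_boot_sector(bps: int, spc: int, mft_lcn: int) -> bytes:
    """Minimal NTFS boot sector carrying only the fields the heuristic reads."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"                       # jump instruction
    bs[3:11] = b"NTFS    "                          # OEM ID
    bs[0x0B:0x0D] = bps.to_bytes(2, "little")       # bytes per sector
    bs[0x0D] = spc                                  # sectors per cluster
    bs[0x30:0x38] = mft_lcn.to_bytes(8, "little")   # logical cluster of $MFT
    bs[0x1FE:0x200] = b"\x55\xAA"                   # boot signature
    return bytes(bs)


def build_sample_volume() -> bytes:
    """Constructed volume: boot sector, one MFT record, labelled filler stripes."""
    stripes = []
    for k in range(NDISKS * ROWS):
        if k == 0:
            stripes.append(build_boot_sector(512, 1, MFT_LCN))  # one cluster == one stripe
        elif k == MFT_LCN:
            stripes.append(b"FILE0".ljust(STRIPE, b"\x00"))     # MFT record header
        else:
            stripes.append(f"stripe{k:02d}".encode().ljust(STRIPE, b"\x00"))
    return b"".join(stripes)


def split_raid0(volume: bytes, ndisks: int, stripe: int) -> List[bytes]:
    """Stripe a volume across members; used only to create the sample images."""
    disks = [bytearray() for _ in range(ndisks)]
    for k, off in enumerate(range(0, len(volume), stripe)):
        disks[k % ndisks] += volume[off:off + stripe]
    return [bytes(d) for d in disks]


def reassemble_raid0(disks: Sequence[bytes], stripe: int) -> bytes:
    """Interleave one stripe from each member per row, in the given member order."""
    rows = -(-max(len(d) for d in disks) // stripe)   # ceiling division
    out = bytearray()
    for r in range(rows):
        for d in disks:
            out += d[r * stripe:(r + 1) * stripe]
    return bytes(out)


def mft_is_where_boot_sector_says(volume: bytes) -> bool:
    """Heuristic: does the boot sector's $MFT pointer land on a 'FILE' record?"""
    if volume[3:11] != b"NTFS    ":
        return False
    bps = int.from_bytes(volume[0x0B:0x0D], "little")
    spc = volume[0x0D]
    mft_lcn = int.from_bytes(volume[0x30:0x38], "little")
    off = mft_lcn * spc * bps
    return volume[off:off + 4] == b"FILE"


def find_raid0_layouts(images: Sequence[bytes], stripe_sizes: Sequence[int],
                       is_valid: Callable[[bytes], bool]) -> List[Tuple[tuple, int]]:
    """Try every member order and candidate stripe size; return the ones that validate."""
    hits = []
    for stripe in stripe_sizes:
        for order in itertools.permutations(range(len(images))):
            vol = reassemble_raid0([images[i] for i in order], stripe)
            if is_valid(vol):
                hits.append((order, stripe))
    return hits


if __name__ == "__main__":
    original = build_sample_volume()
    images = split_raid0(original, NDISKS, STRIPE)
    for n, img in enumerate(images):
        print(f"member {n}: {len(img)} bytes sha256={sha256_hex(img)}")
    layouts = find_raid0_layouts(images, [512, 1024, 2048], mft_is_where_boot_sector_says)
    print("layouts that validate:", layouts)
    order, stripe = layouts[0]
    rebuilt = reassemble_raid0([images[i] for i in order], stripe)
    print("rebuilt volume matches original:", sha256_hex(rebuilt) == sha256_hex(original))
```

With three members and three candidate stripe sizes there are already eighteen layouts to try, and only one of them puts the MFT record where the boot sector says it is; a wrong first member fails the OEM ID check, while a wrong order or stripe size passes the boot sector but lands the pointer on filler. Hashing each member image before and after the reconstruction work is what lets the rebuilt volume be tied back to what was actually captured on the live server.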