Imaging across a network

 Andy
(@andy)
Posts: 357
Reputable Member
Topic starter
 

Hi all, I wanted to start a discussion off relating to 'imaging', and the use of EnCase. Does anyone image to a server across a network, and if so, what tools do you use?

In the labs where I work, we image directly to a 3 terabyte network file server (Win2000), on a gigabit network. It's quite fast, almost as fast as imaging locally. We also investigate the acquired image across the network without any noticeable lag. And because we use EnCase evidence files we do not consider integrity of the image to be an issue (no requirement to use a wiped hard drive to store it, etc).

Has anyone done the same using Linux or open source software, and if so what are your experiences, techniques and methodologies?

Forgive me Jamie if I posted in the wrong part of the forum, I thought it appropriate for it to go here 🙂

Andy

 
Posted : 21/08/2004 9:46 am
Jamie
(@jamie)
Posts: 1288
Moderator
 

I thought it appropriate for it to go here

Oh, absolutely. I'm looking forward to hearing from some of our members with "real world" experience of open source forensics. To the best of your knowledge, Andy, are any UK police forces using open source solutions (instead of e.g. EnCase)? No need to mention any names.

Jamie

 
Posted : 21/08/2004 11:59 am
 Andy
(@andy)
Posts: 357
Reputable Member
Topic starter
 

On the pro side of open source stuff, it has one major advantage – it’s free, but what’s that saying “Linux is free only if your time is worthless”. Linux open source tools do take time to learn and get to grips with, especially if you come from a Windows background.

Let’s not forget about the granddaddy of forensic tools – Norton disk edit. Does anyone still use it?

 
Posted : 21/08/2004 1:31 pm
(@hitechpi)
Posts: 11
Active Member
 

Open source computer forensics………hmmmm. If you use it on a civil or criminal case will you be able to go to court, or survive a deposition? Even "in house" investigations can go to hearing or the court room. FREE open source forensics tools may not pass muster when there are professional grade, court qualified computer forensics tools that have already survived the court process, and are accepted.

 
Posted : 24/08/2004 1:50 am
Jamie
(@jamie)
Posts: 1288
Moderator
 

I have heard the use of the commercial tools as ‘point & click’ forensics, said in a scornful manner, but at the end of the day if it works and halves your time, then it must be cost effective, and over the course of a few months the amount of work you can accomplish with a commercial product will pay for itself.

Yes, agreed. I've heard the same disparaging remarks about "point & click" forensics. Where I do think criticism is valid is when (perhaps inevitably?) the use of commercial packages leads to the rise of a certain type of investigator who is proficient at going through the motions with little understanding of what's going on "behind the scenes". That's not a criticism of the software itself, of course, more a reflection of certain organisations' priorities, and in practice probably makes little difference most of the time. There are times, though, when a deeper understanding of what's really going on is the only way to progress in an investigation and I sometimes worry that that depth of knowledge is undervalued in certain types of organisations.

That said, I'm still in full agreement that the efficiency gains offered by commercial packages (not to mention their accepted status in the courts) provide a compelling case for their use.

Cheers,

Jamie

 
Posted : 24/08/2004 5:39 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

And before I forget, hitechpi…welcome to Forensic Focus!

Jamie

 
Posted : 24/08/2004 5:42 pm
 tusk
(@tusk)
Posts: 3
New Member
 

Open source computer forensics………hmmmm. If you use it on a civil or criminal case will you be able to go to court, or survive a deposition? Even "in house" investigations can go to hearing or the court room. FREE open source forensics tools may not pass muster when there are professional grade, court qualified computer forensics tools that have already survived the court process, and are accepted.

I think this is a simplistic way to look at this software and reflects a generalised fear of OSS that is prevalent among some software consumers. Any tool may not pass muster when put to the test. Indeed, I have rejected many tools, both open and closed source, because they do not behave in a fashion consistent with a forensic investigation.

We must clearly differentiate between free as in beer software, be it freeware, shareware or Beta software, and free as in thought software, which is where the open source movement resides, with licences such as the GPL and BSD.

There are a number of applications where OSS clearly dominates the market, not on the basis of price. In fact I know of no examples where OSS predominates on the basis of its perceived low price.

In the final analysis, I don't like standing behind an item of software where I do not have access to the source code. Do you think the fact that you cannot vouch for the correct operation, or have a full understanding of the logic behind operations provided by commercial organisations, hampers you in investigations?

 
Posted : 14/09/2004 2:10 pm
(@vigilante)
Posts: 2
New Member
 

I have to highly disagree with the illusion that open source tools may not pass muster in a hearing or court room. If you have ever testified in court (federal or other) regarding a computer criminal investigation, a defense attorney is going to pretty much question the use of ANY tool that you use and your training (and lack of forensic certification). Saying simply that you bought something off the shelf and a lot of other people use it and it has been tested in court, therefore it's good…. is a fallacy.

I have rarely used a single COTS forensic tool to throw someone in jail. In fact, most of the tools that I use are freeware or "open source." dd, dcfldd, Task, Autopsy, AIR, MD5-SHA1, chkrootkit, pstools from Sysinternals and even iLook is free (although not open source). I've used programs that even I've written and have never been tested anywhere (and I'm a programming idiot). Many federal agencies, including the FBI use open source tools in their forensic examinations.

Very often forensics is simply the art of discovering new ways to uncover the facts and find out what happened, and often you're not finding out the who's but the what's. Patchwork forensics has a long history in the criminal justice system. For example, using superglue to lift prints, or pasting together a torn floppy disk. None of this was documented before it was first attempted.

The key to passing muster in court or any administrative or judicial hearing concerning forensics is articulation and your knowledge of the tools you are using. At some point you are going to get slammed in court about something you did simply because the other attorney is doing everything they can to make you look like an a*s. If you can't articulate what you have done and what the tool is doing then you are in trouble. We already are in the hole right off the bat, especially after they get to the part about you not being licensed or regulated by the government to conduct computer forensics. You might as well know the tools you are using and practice articulating them to yourself before you even get there.

The bottom line is forensics is about extracting evidence and uncovering the hidden. No matter what gets argued in court, or how they slam your training, lack of regulation or government certification, tools, shoe size, IQ, or how out of shape I'm getting cause I'm eating too many carbs….the pictures of child pornography didn't will themselves onto the box and your tools didn't put them there. End rant….thank you for your support.

 
Posted : 16/09/2004 3:27 pm
(@vigilante)
Posts: 2
New Member
 

Now, in answer to Andy's original question (;-), has anyone imaged across a network? Yes…I think that is one of the coolest parts of forensics in fact. EnCase Enterprise edition does a good job of doing that if you want to shell out the dough. For law enforcement they have (or had) a field forensic module that did something similar but it was more limited. A co-worker and I generated an image of a couple of Linux forensic CDs and shipped them to someone with physical access to the system. They booted the subject system (a Windows laptop) with the CD, gave it an IP, and at that point we MD5'd the image and used dd through netcat for the transport. We pumped the chunks into EnCase and it worked like a charm.

 
Posted : 16/09/2004 4:02 pm
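The dd-through-netcat acquisition with an MD5 check that vigilante describes, as an added example that is not part of the original post. The subject disk is a constructed 32 KiB file so the script runs stand-alone, the network hop is replaced by a local pipe, and the device name, examiner address and port in the comments are assumptions; netcat's listen syntax also varies between versions.

```shell
# Constructed stand-in for the subject disk: 4096 zero-padded counters,
# 8 bytes each, 32768 bytes in total (exactly 8 blocks of 4096).
make_sample_disk() {
  awk 'BEGIN { for (i = 0; i < 4096; i++) printf "%08d", i }' > "$1"
}

# Transport. On the subject machine booted from the forensic CD the sending
# half would be (assumed device, address and port):
#   dd if=/dev/hda bs=4096 conv=noerror,sync | nc -w 3 EXAMINER_IP 9000
# and on the examiner's box the receiving half would be:
#   nc -l -p 9000 > image.dd
# Here the network hop is a pipe so the same dd settings can be exercised locally.
image_disk() {
  dd if="$1" bs=4096 conv=noerror,sync 2>/dev/null | cat > "$2"
}

# Hex digest only, as the post hashed with MD5.
md5_of() { md5sum "$1" | cut -d' ' -f1; }

# Hash the source before transport and the image after it; return 0 only when
# they match, which is the check that lets the image stand in for the disk.
# Caveat: conv=sync pads a short final block with zeros, so a source whose size
# is not a multiple of bs yields an image that hashes differently from the
# source, and the sending side must hash with the same dd options instead.
acquire_and_verify() {
  src="$1"; dst="$2"
  before=$(md5_of "$src")
  image_disk "$src" "$dst"
  after=$(md5_of "$dst")
  echo "source $before"
  echo "image  $after"
  [ "$before" = "$after" ]
}
```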
Jamie
(@jamie)
Posts: 1288
Moderator
 

Vigilante,

Welcome to Forensic Focus!

I'm very interested in the various opinions surrounding the use of open source (or even ad-hoc) solutions in the courtroom and welcome further comments from those with experience in this area.

Jamie

 
Posted : 16/09/2004 6:07 pm