Forensics Distro for on-site ZFS analysis/Triage

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
R3D2
Newbie
 

Forensics Distro for on-site ZFS analysis/Triage

Post Posted: Nov 08, 17 04:11

I've faced a big issue recently: a NAS system (FreeNAS) with a very large array of disks (ZFS pools) was apprehended, and for time-cost reasons we decided to use a forensics distro to analyze/triage/collect data... only to have every distro we got fail on us in recognizing the ZFS pools.

Later on we tried ZFS for Linux and searched for a FreeBSD forensics distro without much success. Have you got any experience dealing with this (without imaging/mirroring all of the disks)?
 
  

Bunnysniper
Senior Member
 

Re: Forensics Distro for on-site ZFS analysis/Triage

Post Posted: Nov 08, 17 10:48

- R3D2
Have you got any experience on dealing with this? (without imaging/mirroring all of the disks)


I am working in the digital forensic business and have been using FreeBSD for nearly twenty years... but I never had a case like the one you mentioned. So my knowledge is 100% theory...

If I were you:
- take the normal FreeBSD 11 ISO file and boot it on a PC from CD/DVD
- use the live mode only. The FreeBSD project states they do not modify anything and the underlying OS is not touched. From my experience, this is true: nothing is modified unless you manually mount and write anything
- attach the NAS via SATA/USB 3 or IEEE 1394 and put a physical write blocker in between
- mount the NAS with the mount command in r/o mode
- even if you can't use a write blocker for any reason, FreeBSD does not touch a single bit if mounted r/o only
- to gain the best performance, I would install FreeBSD on a physical machine and prepare this machine with common forensic tools to carve for the wanted files (Sleuthkit, for example)
- md5 and sha1/sha256 are built-in tools. Hash files before carving and after it to be confident nothing was tampered with

good luck!

Robin  
 
  

mansiu
Senior Member
 

Re: Forensics Distro for on-site ZFS analysis/Triage

Post Posted: Nov 08, 17 11:25

- attach the NAS via SATA/ USB 3 or IEEE 1394 and put a physical writeblocker between


I am kinda curious how to connect a NAS to a physical writeblocker then to the workstation.  
 
  

Bunnysniper
Senior Member
 

Re: Forensics Distro for on-site ZFS analysis/Triage

Post Posted: Nov 08, 17 11:28

- mansiu
- attach the NAS via SATA/ USB 3 or IEEE 1394 and put a physical writeblocker between


I am kinda curious how to connect a NAS to a physical writeblocker then to the workstation.


If you have a look at the back of the device, you usually find the above-mentioned ports and not only an RJ45 jack. I assume there is physical access to the device and not only an IP connection.
 
  

mansiu
Senior Member
 

Re: Forensics Distro for on-site ZFS analysis/Triage

Post Posted: Nov 08, 17 12:28

I thought those ports should be host ports; I am not sure if they can be configured as device ports.
 
  

athulin
Senior Member
 

Re: Forensics Distro for on-site ZFS analysis/Triage

Post Posted: Nov 08, 17 17:21

- R3D2
I've faced a big issue recently, a NAS system (Freenas) with a very large array of disks (ZFS pools) was apprehended and for time-cost reasons we decided to use a Forensics Distro to analyze/triage/collect data... only to have every distro we got fail on us on recognizing the ZFS pools.


I'd guess some kind of release issue, in which case it is important to know what ZFS releases you have been trying. Might also be a local configuration issue, but I'm not a ZFS expert.

Might be as easy as locating a distro with the same ZFS release... although if it were, you would probably have identified it. But identifying the release seems likely to be important.

I'd start asking the experts... i.e. ZFS experts. Try the FreeNSD community forum.
You should have error logs from your attempts to pass on to them -- you did save boot logs?

Meanwhile I'd try to identify a boot disk, and possible ZFS configuration data on it. That might allow you to boot a basic system, reconfigure ZFS to readonly, and reboot.

If I can't find one, I might settle for 'boot system normally, reconfigure relevant zfs volumes readonly, and proceed from there'. But not without having verified that readonly does what I want it to do... in that exact ZFS release that you have, so if you can't identify a boot disk, or ZFS release in some header, count on doing two boots: one just to identify ZFS and other things, the next once you've made a plan based on that information.
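A worked version of the read-only approach the two replies above describe, as an added example that is neither poster's own code: it reads the on-disk labels to identify the pool and its ZFS version (the release question), builds a read-only import under an altroot, and hashes the mounted tree before and after carving. The pool name `tank`, the `/dev/daN` paths and `/mnt/evidence` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes a FreeBSD live system with
# zpool/zfs/zdb available; pool name, device paths and evidence root are placeholders.
set -eu

EVIDENCE_ROOT=/mnt/evidence   # altroot: dataset mountpoints land under here, never over the live OS

# Read the on-disk ZFS labels without importing anything: shows pool name, ZFS version,
# the hostname/hostid of the NAS that last used it, and the last txg.
inspect_labels() {
    for dev in "$@"; do
        echo "== $dev"
        zdb -l "$dev" | grep -E 'name:|version:|hostname:|hostid:|txg:' | sort -u
    done
}

# Build the import command: -o readonly=on stops transaction-group writes, -N defers mounting,
# -R sets the altroot, -f is needed because the pool was last imported by another host (the NAS).
# A hardware write blocker, as the thread says, remains the real guarantee that nothing is written.
import_cmd() {
    echo "zpool import -f -N -o readonly=on -R $EVIDENCE_ROOT $1"
}

# Hash every regular file under a tree into a sorted manifest; FreeBSD has sha256 -r,
# GNU userland has sha256sum, and both print "<hash> <path>".
manifest() {
    dir=$1; out=$2
    if command -v sha256sum >/dev/null 2>&1; then
        find "$dir" -type f -exec sha256sum {} + | sort -k2 > "$out"
    else
        find "$dir" -type f -exec sha256 -r {} + | sort -k2 > "$out"
    fi
}

# Return 0 when two manifests are byte-identical, i.e. nothing changed between the two hashing runs.
manifests_match() {
    cmp -s "$1" "$2"
}

# Typical sequence on the live system (not run here):
#   inspect_labels /dev/da1 /dev/da2 /dev/da3        # identify pool and ZFS version per disk
#   eval "$(import_cmd tank)" && zfs mount -a         # read-only import, then mount under altroot
#   manifest "$EVIDENCE_ROOT" /tmp/before.txt         # hash before carving
#   ...carve with Sleuthkit etc...
#   manifest "$EVIDENCE_ROOT" /tmp/after.txt && manifests_match /tmp/before.txt /tmp/after.txt
```

If `manifests_match` fails after carving, the pool was written to despite the read-only import, which is exactly the verification the thread asks for before trusting readonly on an unfamiliar ZFS release.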
 
  

R3D2
Newbie
 

Re: Forensics Distro for on-site ZFS analysis/Triage

Post Posted: Nov 19, 17 22:19

@athulin @Bunnysniper it seems that ZFS is a bit unexplored, I'm really bummed that I can't go "full lab mode" on this (right now) but I'm very thankful for your insight. We took some notes and will work on being better prepared next time.

@athulin sorry, no saved logs on our attempts with live distros (we didn't use the original boot system again after it was apprehended). I also believe it's probably a ZFS release issue.  
 
