imaging using encase, FTK and X-ways

10 Posts
8 Users
0 Likes
3,708 Views
(@afsfr)
Posts: 37
Eminent Member
Topic starter
 

I have used FTK before, now use EnCase and X-Ways.

For EnCase and X-Ways, can it do live imaging of Linux memory?

For portable EnCase imaging offsite, I find it can only do a logical acquire (Lx01 file), so how to capture a live physical image (img file) using EnCase and X-Ways?

Do we have a malware analysis tool to show malicious DLLs and API calls in EnCase and X-Ways?

In FTK, how to capture an Android image using FTK Imager? There is no menu item. Thanks.

 
Posted : 11/12/2019 1:08 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

I have used FTK before, now use EnCase and X-Ways.

Based on your questions I have seen above, I strongly suggest that you start reading the manual for these products. And take a training. If you then have specific questions after your lecture and the training, you might get a helpful answer.

 
Posted : 11/12/2019 3:00 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Based on your questions I have seen above, I strongly suggest that you start reading the manual for these products. And take a training. If you then have specific questions after your lecture and the training, you might get a helpful answer.

Probably when dealing with 15000 breach tickets per month
https://www.forensicfocus.com/Forums/viewtopic/t=18217/
there is not enough time left for study or training.

jaclaz

 
Posted : 12/12/2019 11:05 am
(@hommy0)
Posts: 98
Trusted Member
 

EnCase has a few methods to acquire an evidence file of a live system:

1) EnCase Portable can be configured to acquire a physical device into an EX01 or an E01.

2) In “Program Files\EnCase8” there is a command line tool called WinAcq. This can also be used to acquire an E01 of a live system.

3) Using the EnCase Agent: create and deploy it onto the target system. You will then be able to preview and acquire over the network. There are agents for Windows, Linux and macOS (including Catalina).

Regards

 
Posted : 12/12/2019 11:19 am
(@belkasoft)
Posts: 169
Estimable Member
 

In FTK, how to capture an Android image using FTK Imager? There is no menu item. Thanks.

For Android imaging (as well as iOS and also computer devices) you can use the free Belkasoft Acquisition Tool. You can also consider the commercial Belkasoft Evidence Center for some of the tasks you described.

 
Posted : 12/12/2019 3:31 pm
(@afsfr)
Posts: 37
Eminent Member
Topic starter
 

EnCase has a few methods to acquire an evidence file of a live system:

1) EnCase Portable can be configured to acquire a physical device into an EX01 or an E01.

2) In “Program Files\EnCase8” there is a command line tool called WinAcq. This can also be used to acquire an E01 of a live system.

3) Using the EnCase Agent: create and deploy it onto the target system. You will then be able to preview and acquire over the network. There are agents for Windows, Linux and macOS (including Catalina).

Regards

Thank you for your suggestion. For a live acquire of a Linux image, I think we need to use a dd image. Currently my forensic workstation is Windows 10, and the portable is created from there. If I bring my laptop running Windows 8, portable EnCase and a Tableau write blocker, go to the data center and acquire a Red Hat Linux V7 image in dd format, is it OK? Or should I use the EnCase or Helix bootable Linux CD with LinEn and acquire in img format?

Also, if I get the Linux image and import it to my Windows forensic workstation, which is an NTFS partition, would it be able to view the Linux ext partition? I need to analyze Linux process info and Linux MAC timestamps, as well as malicious rootkits in ELF format and strace of ELF files. Would it be possible? Is there any EnScript I can use to parse a Linux image in the Windows version of EnCase?

 
Posted : 13/12/2019 7:45 am
(@hommy0)
Posts: 98
Trusted Member
 

There is only a Windows version of EnCase.
It has the ability and functionality to parse multiple file systems (other than NTFS, FAT, exFAT), including ext2, ext3 and ext4.
If you have taken a dd image you will need to add this as a RAW image.

Regards

 
Posted : 13/12/2019 10:57 am
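Added example, not code from the thread or from OpenText: a raw dd acquisition of a Linux block device that hashes the byte stream once while writing the image and records the hash in a log, so that when the image is later added to EnCase as a RAW image its computed hash can be compared with the acquisition hash. It assumes GNU coreutils (dd, sha256sum, tee) on the acquiring host; the device path and output paths are placeholders.

```shell
#!/bin/sh
# acquire_raw SOURCE_DEVICE IMAGE_PATH
# Reads the source once, writes IMAGE_PATH, hashes the same byte stream and
# records hash, byte count and dd's own output in IMAGE_PATH.log.
acquire_raw() {
    src="$1"; img="$2"; log="$2.log"; dderr="$2.dderr"
    [ -r "$src" ] || return 1
    # bs=512: conv=sync pads each short read to the block size, so a sector-
    # sized block keeps the image the same length as the device, while
    # conv=noerror carries on past unreadable sectors (they are zero-filled).
    hash=$(dd if="$src" bs=512 conv=noerror,sync 2>"$dderr" \
           | tee "$img" | sha256sum | cut -d' ' -f1) || return 1
    size=$(wc -c <"$img" | tr -d ' ')
    [ "$size" -gt 0 ] || return 1
    {
        echo "source=$src"
        echo "image=$img"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
        echo "image_bytes=$size"
        echo "stream_sha256=$hash"
        echo "dd_output:"; cat "$dderr"
    } >"$log"
    rm -f "$dderr"
    # Independent re-read of the written image must match the stream hash.
    [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$hash" ]
}

# verify_raw IMAGE_PATH: re-hash a stored image (e.g. before loading it on
# the Windows workstation) and compare with the hash in the acquisition log.
verify_raw() {
    img="$1"; recorded=$(sed -n 's/^stream_sha256=//p' "$1.log")
    [ -n "$recorded" ] && [ "$(sha256sum "$img" | cut -d' ' -f1)" = "$recorded" ]
}

# Demo on a constructed 4 KiB file standing in for /dev/sdX (not a real disk).
if [ "${1:-}" = "demo" ]; then
    head -c 4096 /dev/urandom >/tmp/fake_device.bin
    acquire_raw /tmp/fake_device.bin /tmp/fake_device.dd \
        && verify_raw /tmp/fake_device.dd \
        && cat /tmp/fake_device.dd.log
fi
```

On a live system a second read of the source device is not a valid check, because the data changes underneath you; the hash of the stream as written, plus the re-read of the image file, is what documents the acquisition.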
(@aromal31)
Posts: 1
New Member
 

Excellent thread..!!!

 
Posted : 23/12/2019 11:50 am
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

EnCase has a few methods to acquire an evidence file of a live system:

1) EnCase Portable can be configured to acquire a physical device into an EX01 or an E01.

2) In “Program Files\EnCase8” there is a command line tool called WinAcq. This can also be used to acquire an E01 of a live system.

3) Using the EnCase Agent: create and deploy it onto the target system. You will then be able to preview and acquire over the network. There are agents for Windows, Linux and macOS (including Catalina).

Regards

We recently (within the last week) reached out to Guidance/OpenText regarding imaging Macs that have a T2 chip with Catalina over a network. They advised that they are currently working on creating a new agent for Mac OS X Catalina that they hope to roll out next year. If you already have a solution, I would love to hear about it. I am currently tasked with overcoming imaging Macs over a network, so I would be sincerely interested in any solution you have.

Here is a link to my post on FF and a response by Simon Key of Guidance/OpenText:

https://www.forensicfocus.com/Forums/viewtopic/t=18238/

I look forward to hearing from you,

Kastajamah

 
Posted : 23/12/2019 12:39 pm
(@4n6pc)
Posts: 2
New Member
 

@kastajamah 

The below lists the recommended SAFE versions for recent macOS versions.

macOS ARM64 processor (Apple M1) Minimum SAFE Version 21.1.1.3

macOS Version 11 (Big Sur) Minimum SAFE Version 21.1
macOS Version 10.15 (Catalina) Minimum SAFE Version a.11
macOS Version 10.14 (Mojave) Minimum SAFE Version a.09
macOS Version 10.13 (High Sierra) Minimum SAFE Version a.06.01
macOS Version 10.12 (Sierra) Minimum SAFE Version a.03

 
Posted : 03/09/2021 3:14 pm