Imaging across a network

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Vigilante
Newbie
 

Re: Imaging across a network

Post Posted: Sep 16, 04 15:27

I have to highly disagree with the illusion that open source tools may not pass muster in a hearing or court room. If you have ever testified in court (federal or other) regarding a computer criminal investigation, a defense attorney is going to pretty much question the use of ANY tool that you use and your training (and lack of forensic certification). Saying simply that you bought something off the shelf and a lot of other people use it and it has been tested in court, therefore it's good.... is a fallacy.

I have rarely used a single COTS forensic tool to throw someone in jail. In fact, most of the tools that I use are freeware or "open source." dd, dcfldd, Task, Autopsy, AIR, MD5-SHA1, chkrootkit, pstools from Sysinternals and even iLook is free (although not open source). I've used programs that even I've written and have never been tested anywhere (and I'm a programming idiot). Many federal agencies, including the FBI use open source tools in their forensic examinations.

Very often forensics is simply the art of discovering new ways to uncover the facts and find out what happened, and often you're not finding out the who's but the what's. Patchwork forensics has a long history in the criminal justice system. For example, using superglue to lift prints, or pasting together a torn floppy disk. None of this was documented before it was first attempted.

The key to passing muster in court or any administrative or judicial hearing concerning forensics is articulation and your knowledge of the tools you are using. At some point you are going to get slammed in court about something you did simply because the other attorney is doing everything they can to make you look like an ass. If you can't articulate what you have done and what the tool is doing then you are in trouble. We already are in the hole right off the bat, especially after they get to the part about you not being licensed or regulated by the government to conduct computer forensics. You might as well know the tools you are using and practice articulating them to yourself before you even get there.

The bottom line is forensics is about extracting evidence and uncovering the hidden. No matter what gets argued in court, or how they slam your training, lack of regulation or government certification, tools, shoe size, IQ, or how out of shape I'm getting cause I'm eating too many carbs....the pictures of child pornography didn't will themselves onto the box and your tools didn't put them there. End rant....thank you for your support.  
 
  

Vigilante
Newbie
 

Re: Imaging across a network

Post Posted: Sep 16, 04 16:02

Now, in answer to Andy's original question (;-), has anyone imaged across a network? Yes...I think that is one of the coolest parts of forensics in fact. EnCase Enterprise edition does a good job of doing that if you want to shell out the dough. For law enforcement they have (or had) a field forensic module that did something similar but it was more limited. A co-worker and I generated an image of a couple of Linux forensic CDs and shipped them to someone with physical access to the system. They booted the subject system (a Windows laptop) with the CD, gave it an IP, and at that point we MD5'd the image and used dd through netcat for the transport. We pumped the chunks into EnCase and it worked like a charm.
 
  

jamie
Site Admin
 

Re: Imaging across a network

Post Posted: Sep 16, 04 18:07

Vigilante,

Welcome to Forensic Focus!

I'm very interested in the various opinions surrounding the use of open source (or even ad-hoc) solutions in the courtroom and welcome further comments from those with experience in this area.

Jamie
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus 
 
  

Chris
Newbie
 

Re: Imaging across a network

Post Posted: Oct 06, 04 12:34

Hi All

I have not personally imaged over a network but I have seen this done using EnCase Enterprise. As mentioned it is particularly expensive but I would say well worth the money for a big organisation. To be able to do it though a servlet must be placed on the PC that is to be imaged. Guidance swear that this servlet will stand up in court as not interfering with evidence just enabling remote imaging to take place. In a large organisation these servlets could be made part of the standard build making any PC immediately available to review and/or image.

Using enterprise over a network also enables you to review the RAM of a PC during an attack, something not possible when imaging a "dead" PC.  
 
  

hogfly
Senior Member
 

Re: Imaging across a network

Post Posted: Oct 07, 04 01:28

Being a huge proponent of Open Source tools (until I get my commercial tool set together, that is..), the easiest way to image a disk across a network using open source tools is using dd/sdd/dcfldd and netcat or cryptcat. No, it's not fast, but it works and it's free!

A quick method is to do this.
On the machine you want to create the image on, start a netcat listener and pipe it to a file as follows:

nc -l -p <arbitrary port> | dd of=/path/to/file
so: nc -l -p 10000 | dd of=/fevidence/case001.img

On the evidence machine, you would have to run something like this (from a clean media source):
dd if=/dev/hda | nc 1.2.3.4 10000

For those that question the accuracy of programs like dd, the NIJ released this report early this year: www.ncjrs.org/pdffiles...203095.pdf

A few excellent tools are:

Helix: e-fense.com/helix/ --SANS is apparently using this in their GCFA courses now, and it was created by e-fense, which does forensics work. I've been using it for a little while now, and it's awesome! It even has a Windows incident response capability that will do the dd | nc commands I outlined above.

F.I.R.E fire.dmzs.com/ --Great set of tools. Includes chntpw(NT offline reghack) and a cmos password cracker.  
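As an added example (not hogfly's or the thread's own code), the script below reproduces the two ends of the dd | nc transfer above over loopback and hashes the stream on both sides, so the examiner can confirm the received image matches what was sent. The listening port, file names and sample bytes are constructed for the demonstration.

```python
import hashlib, os, socket, tempfile, threading

BLOCK_SIZE = 4096  # read/write granularity, the analogue of dd's bs=

def receive_image(listener, out_path):
    # Listener end ('nc -l -p <port> | dd of=...'): accept one connection,
    # write the stream to out_path, hash it on the fly, return the SHA-256.
    conn, _ = listener.accept()
    digest = hashlib.sha256()
    with conn, open(out_path, "wb") as out:
        while chunk := conn.recv(BLOCK_SIZE):
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()

def send_image(host, port, source_path):
    # Evidence end ('dd if=/dev/hda | nc <host> <port>'): stream the source
    # in blocks, hashing exactly the bytes sent, return the SHA-256.
    digest = hashlib.sha256()
    with socket.create_connection((host, port)) as conn, open(source_path, "rb") as src:
        while block := src.read(BLOCK_SIZE):
            conn.sendall(block)
            digest.update(block)
    return digest.hexdigest()

def image_over_network(source_path, out_path):
    # Run both ends over loopback; return (sent_hash, received_hash, match).
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(received=receive_image(listener, out_path)))
    worker.start()
    sent = send_image("127.0.0.1", port, source_path)
    worker.join()
    listener.close()
    return sent, result["received"], sent == result["received"]

def demo():
    # Constructed sample: a small patterned 'disk', not a real evidence image.
    workdir = tempfile.mkdtemp()
    src, dst = os.path.join(workdir, "evidence.bin"), os.path.join(workdir, "case001.img")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 100)  # 25,600 bytes, spans several blocks
    return image_over_network(src, dst)
```

A mismatch between the two digests means the image on the listener side cannot be relied on and the transfer should be repeated.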
 
  

jamie
Site Admin
 

Re: Imaging across a network

Post Posted: Oct 07, 04 16:44

I've been using Helix recently too, nice collection of tools.

Jamie
 
  

darmstadtj
Newbie
 

Re: Imaging across a network

Post Posted: Oct 07, 04 23:05

 

Page 2 of 4