Imaging across a network

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

jamie
Site Admin
 

Re: Imaging across a network

Post Posted: Oct 07, 04 23:33

I'd forgotten about the Odessa project; is it still alive?

(Welcome to Forensic Focus BTW)

Jamie
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus 
 
  

darmstadtj
Newbie
 

Re: Imaging across a network

Post Posted: Oct 08, 04 17:33

Thanks for the welcome...your site is great. Yes, ODESSA is still up and running from what I hear.  
 
  

Andy
Senior Member
 

Re: Imaging across a network

Post Posted: Oct 20, 04 17:51

I followed your link for Helix and downloaded the ISO. Wow, I love it to bits.

Over the last week I have been imaging locally using it and the graphical dd front end, GRAB, also written by Helix's author. It is fast and simple, and split the dd image without any trouble whatsoever. What a cool piece of kit.

I have been practising with it and can tell straight away it's quite fast; it verifies an MD5 hash and can compress an image, just like the EnCase acquire function. I did a 40 GB HDD with a FAT32 file system in about an hour, which, as an alternative to using an expensive piece of hardware like FastBloc, is not to be sniffed at. I was able to import the dd image file into EnCase and examine the file structure.


Andy  

Last edited by Andy on Nov 16, 04 08:13; edited 2 times in total
 
  

jamie
Site Admin
 

Re: Imaging across a network

Post Posted: Oct 21, 04 18:53

Hmmm, I couldn't get GRAB to work and had to revert to the command line (good practice, I guess!). Mind you, I was using an ancient hardware setup... most of my time was spent fiddling with the HELIX startup options just to bring up the screen.

Jamie
 
  

Andy
Senior Member
 

Re: Imaging across a network

Post Posted: Oct 22, 04 09:33

Hi Jamie, a mistake I made at first was that I forgot to mount the target drive at /mnt/mynamedfolder. You have to do this at the command line (I used the forensic shell).

It needs to be done like this: mkdir /mnt/mynamedfolder (I used 'dest' as my destination folder name).

I had a source drive as hdb1 and my target hda1.

Then I used the command mount -t auto -o rw /dev/hda1 /mnt/dest

This mounted my destination drive hda1 in read/write mode. I then powered up GRAB, selected hdb as source and manually typed /mnt/dest in the destination field.

GRAB then trundled away imaging, and verified at the end. It was quick, far quicker than I expected. GRAB also allows you to compress the final image file (just like EnCase).

I was able to add the final raw dd image file into EnCase, find the boot record and directory entry at sector 63, and rebuild the file structure. Bang, there it was, ready for investigation in EnCase.

I don't know why you had startup problems with it. It worked fine for me; I just allowed it to boot and it worked just fine. You might want to check you got the whole ISO downloaded correctly: check its MD5 hash against the one listed on the web site. You might have a corrupt download. I had a similar problem with PSK-Knoppix a while back.

Andy  
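The command-line equivalent of the GRAB run Andy describes above (mount the destination read/write, image the raw source device, hash it, split it into segments and verify at the end), as an added example for the day the GUI will not start. This is not code from Andy's post, from Helix or from GRAB; /dev/hdb, /dev/hda1 and /mnt/dest are the names from Andy's post used as placeholders, and the demo runs on a constructed file rather than a real device:

```shell
#!/bin/sh
# Added example, not part of Andy's post and not GRAB's own code: the shell
# equivalent of the GRAB run described above. The SOURCE device is never mounted;
# dd reads it raw, the stream is hashed once while it is written, and split cuts it
# into fixed-size segments that can be re-read in order. Assumptions: POSIX sh with
# dd, tee, split, mkfifo, awk, cmp and md5sum; /dev/hdb, /dev/hda1 and /mnt/dest
# are the names from Andy's post and are placeholders here.
set -u
HASH=${HASH:-md5sum}    # use HASH=sha256sum if MD5 alone is not acceptable

# Step 1, as root on the Helix box (shown, not run): mount the DESTINATION read/write.
#   mkdir -p /mnt/dest && mount -t auto -o rw /dev/hda1 /mnt/dest

# Step 2: acquire $1 into $2/$3.dd.aaa, $3.dd.aab, ... of $4 bytes each (default
# 2000 MiB, safely under the FAT32 file-size limit), record the MD5 of the whole
# stream in $2/$3.md5 and dd's own messages in $2/$3.log, and print the hash.
acquire_split() {
    src=$1; destdir=$2; name=$3; segsize=${4:-2000m}
    mkdir -p "$destdir" || return 1
    fifo=${TMPDIR:-/tmp}/acq_fifo.$$
    mkfifo "$fifo" || return 1
    "$HASH" < "$fifo" | awk '{print $1}' > "$destdir/$name.md5" &
    # Plain dd stops on the first read error, which is what you want to notice.
    # conv=noerror,sync would carry on but zero-pads every short block to bs, so use
    # it only with bs equal to the sector size, or reach for ddrescue on a bad drive.
    dd if="$src" bs=8192 2>"$destdir/$name.log" \
        | tee "$fifo" | split -b "$segsize" -a 3 - "$destdir/$name.dd."
    wait
    rm -f "$fifo"
    cat "$destdir/$name.md5"
}

# Step 3: the verification GRAB runs at the end: reassemble the segments in order
# and compare with the hash recorded while the stream was written.
verify_split() {
    destdir=$1; name=$2
    expected=$(cat "$destdir/$name.md5")
    actual=$(cat "$destdir/$name.dd."* | "$HASH" | awk '{print $1}')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Real run (root):  acquire_split /dev/hdb /mnt/dest hdb && verify_split /mnt/dest hdb

# Demonstration on a constructed file with small segments, not real evidence.
demo() {
    work=$(mktemp -d) || return 1
    seq 1 100000 > "$work/disk.img"
    h=$(acquire_split "$work/disk.img" "$work/out" disk 100k) || return 1
    verify_split "$work/out" disk && echo "segments verify, md5 $h"
    cat "$work/out"/disk.dd.* | cmp -s - "$work/disk.img" && echo "reassembled image identical to source"
    rm -rf "$work"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The segments reassemble with a plain `cat` in glob order, which is also how EnCase-style tools expect to read a segmented raw image; the `.md5` file written next to them is the value you record in your notes, not one recomputed later from the image.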
 
  

jamie
Site Admin
 

Re: Imaging across a network

Post Posted: Oct 22, 04 10:33

Thanks Andy. It's been a couple of weeks since I used HELIX and, to the best of my recollection, I was mounting the target drive correctly before trying to use GRAB (or, more accurately, I'd already gone through the stage where I thought "Why isn't this working?" and then realised the drive wasn't mounted).

I suspect the problem may have just been the age and inadequacy of the hardware I was using at the time (a very old, low-RAM PC). That accounted for the startup problems at least; I had to boot using "failsafe" mode and set the screen refresh rates manually before I could get things up and running (the MD5 was OK).

I plan to try HELIX again on a more suitable platform soon!

Jamie
 
  

mdornseif
Newbie
 

Re: Imaging across a network

Post Posted: Oct 29, 04 19:43

At md.hudora.de/presentat...ensics2004 there is a slide deck concerning imaging on Unix. The slides are in German, but slides 24-33 contain examples of many ways to get an image from A to B on a Unix machine.

If you image via a network you should be prepared to answer questions on how you ensured the integrity and confidentiality of the image. People tend to use netcat with an encryption program in the pipeline, or "cryptcat", on untrusted networks to solve that problem.

I do not recommend netcat at all because I consider the command line syntax inconsistent and I miss encryption in netcat. Personally, instead of netcat or cryptcat I use socat ( www.dest-unreach.org/socat/ ), a very simple and yet powerful tool. socat can do basically everything possible with file descriptors, and since in Unix everything of interest is a file descriptor, you can do everything with socat ;-)

My preferred way of using socat to get images from 'evidence' to 'fileserver' is:

fileserver % socat -u openssl-listen:1234,reuseaddr,cert=fileserver.pem - > /imagefiles/evidence.image   # socat needs two addresses, '-' is stdout; openssl-listen needs a server certificate and key (fileserver.pem, assumed name) to complete the TLS handshake

evidence % dd if=/dev/hda bs=8192 | socat -u - openssl:fileserver:1234,verify=0   # verify=0: the client does not check the server's certificate, hence the note below

Note that this still does not protect you from anybody using a MITM attack to snoop on or modify the image in transit between 'evidence' and 'fileserver'. To protect against that you need to use OpenSSL certificates, which is a somewhat uncomfortable thing.

Note also that the dd is in fact completely superfluous. It has no special magic to "read from a hard disk": a hard disk on Unix is just a file. So every tool which can read from a file has the potential to image a hard disk. You could do something like

evidence % socat -u open:/dev/hda,rdonly openssl:fileserver:1234,verify=0   # rdonly: never open the evidence device read/write; socat's open: defaults to O_RDWR

to image over the network. I advise against that, since even NIST acts as if dd adds something special to the imaging process (see www.cftt.nist.gov/disk...ing.htm#). So better keep using dd and avoid explaining to a jury why you used something different than "the best current practice of using dd".

If you have only the most basic tools at hand and no netcat or socat, you can also use ssh to do imaging over the network. Assuming your fileserver is running sshd, you can type:

evidence % dd if=/dev/hda bs=8192 | ssh user@fileserver "cat > /imagefiles/evidence.image"   # 'user' stands for your login on the fileserver

Regards

Max  
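The two ends of the transfer Max describes, with the stream hashed on both sides so that the integrity question he raises can be answered from the acquisition itself, as an added example that is not part of his post or of socat's documentation. A local pipe stands in for the TLS channel so it runs offline; the socat addresses in the comments show how the same two ends are wired over the network with mutual certificate checking, which is what closes the MITM gap he mentions. 'fileserver', port 1234, /dev/hda and the .pem file names are placeholders:

```shell
#!/bin/sh
# Added example, not from Max's post or from socat: both ends of a network
# acquisition with the image hashed on BOTH sides while it streams, so the evidence
# device is read only once and the received image can be checked against the hash
# taken at the source. The local pipe in transfer_image stands in for the TLS
# channel; the socat addresses in the comments wire the same two ends over the
# network with mutual certificate checking. Assumptions: POSIX sh with dd, tee,
# mkfifo, awk, cmp and md5sum; 'fileserver', port 1234, /dev/hda and the .pem
# file names are placeholders.
set -u
HASH=${HASH:-md5sum}    # use HASH=sha256sum if MD5 alone is not acceptable

# Evidence side. Reads $1 once, passes the bytes to stdout (the channel) and records
# the hash of exactly what was sent in $2. Over the network the channel would be:
#   ... | socat -u - openssl:fileserver:1234,cert=evidence.pem,cafile=fileserver.pem,verify=1
stream_image() {
    src=$1; hashout=$2
    fifo=${TMPDIR:-/tmp}/stream_fifo.$$
    mkfifo "$fifo" || return 1
    "$HASH" < "$fifo" | awk '{print $1}' > "$hashout" &
    dd if="$src" bs=8192 2>/dev/null | tee "$fifo"
    wait
    rm -f "$fifo"
}

# Fileserver side. Writes the image to $1 and prints the hash of what actually
# arrived. Over the network this would be fed by:
#   socat -u openssl-listen:1234,reuseaddr,cert=fileserver.pem,cafile=evidence.pem,verify=1 - | ...
receive_image() {
    tee "$1" | "$HASH" | awk '{print $1}'
}

# Both ends joined by a local pipe. Prints the hash and succeeds only when something
# was written and the hash recorded by the sender equals the hash of what the
# receiver wrote (the hash of an empty stream is not an image).
transfer_image() {
    src=$1; dest=$2
    sent=${TMPDIR:-/tmp}/sent_hash.$$
    got=$(stream_image "$src" "$sent" | receive_image "$dest")
    expected=$(cat "$sent" 2>/dev/null); rm -f "$sent"
    printf '%s\n' "$got"
    [ -s "$dest" ] && [ -n "$got" ] && [ "$got" = "$expected" ]
}

# Later re-verification of a stored image against the hash from acquisition.
verify_image() {
    actual=$("$HASH" < "$1" | awk '{print $1}')
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# Demonstration on a constructed 1 MiB "disk" file, not real evidence.
demo() {
    work=$(mktemp -d) || return 1
    dd if=/dev/urandom of="$work/disk.img" bs=8192 count=128 2>/dev/null
    h=$(transfer_image "$work/disk.img" "$work/evidence.image") || { echo "hash mismatch"; return 1; }
    cmp -s "$work/disk.img" "$work/evidence.image" && echo "image ok, md5 $h"
    printf 'x' >> "$work/evidence.image"      # simulate tampering in storage
    if verify_image "$work/evidence.image" "$h"; then echo "verify wrongly passed"; else echo "tamper detected"; fi
    rm -rf "$work"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The sender's hash is the one to write down: it is computed from the bytes that left the evidence machine, so a mismatch with the receiver's hash points at the channel, and a later mismatch against the stored image points at storage. With `verify=1` and a `cafile` on both socat ends, each side rejects a peer that cannot present the expected certificate, which is the certificate setup Max calls uncomfortable but necessary against an active attacker.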
 

Page 3 of 4