
Best software for bit-level disk imaging for use in forensics

If I wanted to make a bit-level, perfect image copy of a hard drive on a computer I suspect has been hacked or tampered with, which software would you guys recommend I use? Out of the many packages I've seen, most require you to remove the hard drive and then connect it to a forensics PC, but doesn't the simple fact of turning off the suspected system go against evidence preservation? NO ONE here is a forensics expert, but if there is an incident, we would like to do a preliminary search to determine if an intrusion has occurred, and if so, then we would call in the big guns, but of course this means we need to create a mirror image of the drive to work on and not disturb the original, for when the big pros are called in. What say you?
Asked by Rudolph_C_Mancilla

5 Solutions
 
ZaheerMaster commented:
Rudolph,

I have seen many forensic data duplication packages such as this one:
http://www.vogon-forensic-hardware.com/index.php
But all require you to remove the hard disk.

If you did not want to remove the disk, you could create a drive image using Acronis True Image
http://www.acronis.com/

My understanding is that when you begin an incident response, the most important files are the logs of the target system (assuming that logging was set up correctly to begin with). Either way, shutting down the system or making an image should not damage the log files in any way.

The only problem I can see with making a drive image is if you were looking for deleted files that might not be copied in an image. I'm not sure if True Image can copy empty drive sectors as well.

Hope this helps,
--Zaheer
 
ZaheerMaster commented:
Rudolph,

Just a follow-up, this software can make forensic disk images:
http://www.vogon-forensic-hardware.com/imaging-software.php

This might be exactly what you're looking for.

--Zaheer
 
parkerig commented:
Having just attended the 10th Annual Security Summit in NZ, the first and last advice on matters like this was DON'T.
Touch nothing and get the evidential experts in immediately.
If you touch the disk then your evidence can be thrown out in a court.

I know that this doesn't answer your question but I thought I'd share this with you.

Cheers
Ian
 
chris_calabrese commented:
The question of whether to turn off the power or not is definitely a big one in the forensic world. The best thing to do if you can is to cause a system crash that will produce a memory image on disk as a crash dump. Most server-class systems have a special button that will do this for you, usually labeled something like NMI (non-maskable interrupt).

Otherwise, if this is a Unix system you could dump memory by doing a 'dd' of the /dev/*mem files and the memory files of any interesting processes in /proc (plus you'd want a snapshot of the 'ps -ef' output).

On a Windows system, you'd first need to load a utility that can dump memory. You should be able to find one by Googling for something like 'forensics windows memory dump'.

Once that's done, then you can safely power off the system to remove the disk if need be, though this may not be necessary. For example, one popular way to image drives is to boot to a boot-from-cd Linux distro like Knoppix (www.knoppix.org), mount the disk partitions, and then 'dd' the disk images to a network share or something similar.
 
FalconHawk commented:
The police do it like this: if there is a system, whether it is on or off, they DON'T touch it at first, not even booting it up or shutting it down, as it may be booby-trapped. To make a copy, they link to a specific (can't remember which one) port of the hard disk and make a copy to a new drive.

Now for the defence question: what if the police modified the hard disk to put my client into jail? The reaction to that is simple. As soon as the software finishes its copy, it creates a special "number" on the hard disk. It shows the number, and the police must write it down. If, for any reason, there is any write access to the disk, the number will be automatically altered. So, if there is any modification, the number will be different, and then the defence can say: disk altered, evidence rejected. To investigate the disk, it must be made read-only, so that the number stays intact.

Why do the police give themselves such a hard time? Well, since it's really hard to prove you didn't mod a disk, they have to. The number generated can't simply be replaced, and is totally random. If a lawyer suspects it's altered and the number has just been replaced, he can ask for a re-copy of the drive, which must be identical (except for the number) to the already available disk. If that isn't the case, there must have been a write to it.

Oh, before I forget to note: this is a little extension to parkerig's post. I didn't really need that post to write this, but since he already wrote down something like me, I think he still deserves some credit ;)
 
chris_calabrese commented:
The 'number' you're talking about is probably an MD5 or SHA-1 hash of the disk image.

From an evidentiary rules standpoint, this is a good idea, but not necessary as long as you can show a 'chain of custody' for the evidence, which means keeping the disk images in a locked area and keeping a log of who had access to the images and when.
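The workflow the last few replies describe (dd the disk from a boot CD, record a hash of the image, keep the image read-only, re-hash it later to prove nobody wrote to it), as an added example that is not code from the thread or from any product linked above. It assumes a Linux box with dd, sha256sum, awk and mktemp (GNU or busybox coreutils), uses SHA-256 rather than the MD5/SHA-1 mentioned, and the custody-log format, function names and the constructed 65536-byte stand-in for a device are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from the products it links to.
# Images a device with dd, records a SHA-256 hash in a custody log, makes the
# image read-only and re-verifies it later. Assumes Linux with dd, sha256sum,
# awk, mktemp (GNU or busybox). Function names and log format are this example's own.

# Constructed stand-in for a block device so the script runs offline:
# 65536 bytes (128 x 512-byte sectors) of a recognisable digit pattern.
make_sample_device() {
    awk 'BEGIN { for (i = 0; i < 8192; i++) printf "%08d", i }' > "$1"
}

sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Copy SRC to DST sector by sector, hash both, append the result to LOG.
# bs=512 matches the sector size, so conv=sync never pads a real device's image;
# conv=noerror keeps reading past bad sectors instead of truncating the image.
# dd's own record counts go to LOG too. Returns 0 only if the two hashes agree.
image_device() {
    src=$1; dst=$2; log=$3
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>>"$log" || return 1
    src_hash=$(sha256_of "$src")
    dst_hash=$(sha256_of "$dst")
    printf '%s sha256=%s src=%s image=%s operator=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$dst_hash" "$src" "$dst" "$(id -un)" >> "$log"
    chmod 0444 "$dst"    # analyse copies of the image, never this file
    [ "$src_hash" = "$dst_hash" ]
}

# Re-hash IMG and compare with the last hash LOG records for it.
# Returns 0 if unchanged, 1 if it has been written to, 2 if LOG has no entry.
verify_image() {
    img=$1; log=$2
    recorded=$(grep -F " image=$img " "$log" | tail -n 1 |
        sed 's/.*sha256=\([0-9a-f]*\).*/\1/')
    [ -n "$recorded" ] || return 2
    [ "$(sha256_of "$img")" = "$recorded" ]
}

# Walk-through on the constructed device: image it, then prove the check works
# by writing one byte into the image and verifying again.
demo_run() {
    work=$(mktemp -d)
    make_sample_device "$work/sdb"
    image_device "$work/sdb" "$work/sdb.dd" "$work/custody.log" && echo "acquired, hashes match"
    verify_image "$work/sdb.dd" "$work/custody.log" && echo "verify: intact"
    chmod u+w "$work/sdb.dd"
    printf 'X' | dd of="$work/sdb.dd" bs=1 seek=100 conv=notrunc 2>/dev/null
    verify_image "$work/sdb.dd" "$work/custody.log" || echo "verify: image altered (exit $?)"
    cat "$work/custody.log"
}

if [ "${1:-}" = demo ]; then demo_run; fi
```

On a real acquisition the source would be /dev/sdX seen from the boot CD with nothing mounted from it, ideally behind a hardware write blocker, and the image would go to the network share or USB disk mentioned above; hashing the source a second time is a second read of the original, which a write blocker makes safe. Hashing a disk while its own OS is still running will not match the image, which is one more reason the thread's advice to decide about power-off first matters.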
 
Rudolph_C_Mancilla (Author) commented:
Let me give you an example of what I envision:

Let's say we suspect an intrusion but cannot be certain. We could unplug the server from the network and do nothing else, call in the forensics experts, then wait for hours to get a critical service restored. I can see that this would be the ideal method, as far as preserving evidence, but it certainly doesn't help our customers.

Now, let's say we suspect an intrusion but before calling in the big guns, we want to make a duplicate of the suspected hard drives, with full certainty that it is a perfect copy, then check the image for signs of intrusion, like checking logs, the registry, and whatever other tricks I can think of. If no signs are detected, we could restore services and monitor the server to see if any unusual activity reappears. If weird stuff is found, then we call the experts in. I know that this second option is kind of a gamble when you consider that we don't have an in-house expert, but I'd like to know if there's software I could use to create these images that has a proven track record when it comes to being used in courts, not to mention being foolproof if possible.
 
FalconHawk commented:
chris_calabrese wrote:
"The 'number' you're talking about is probably an MD5 or SHA-1 hash of the disk image."
Yup, that's the one I meant. However, you are right, the method is indeed a long way around. The point is, I didn't make up the idea; it's the method currently in use. But even though it's long, it will ensure the evidence won't be thrown out, and in some cases, rejected evidence is the last thing you need.

Rudolph_C_Mancilla, you have a point when you say it's not really customer-friendly if you have to wait hours (or even days) until the experts show up. If you make a copy, however, a lawyer can say you want to "frame" his client, and that you altered your hard disk before you made the copy. Though this is kind of far-fetched, it can yield an unaccepted-evidence warning.

But now another, practical thing. Let's say you managed to catch a hacker; how are you going to get him? If he lives in China, good luck finding him, and even better luck getting him before a court in China. Of all the hackers in the world, only a few percent are actually caught, and even fewer are given a punishment. Why? Simply because the cost of tracking, the trial, the legal mumbo-jumbo and the like is more expensive in $ than it would be worth. And even IF you catch one, what would it be? Don't think you'll catch the number 1 hacker of the world. What you have is most times a wannabe that failed to hide himself properly. Pros will use a public address or hack a home PC, and then use it to do the trick. After that, clean it up and presto, you're safe.

It's not for nothing that a hacker handbook says: "if you want to hack something good, try a small- to middle-sized company, and never a government or a larger one." This is simply explained, since companies have to make a profit, and they can't spend thousands of dollars and man-hours on every single hacker. Governments have infinitely more time and resources to catch a hacker, and large companies most probably lose a lot on a successful attack, and can pay for a tracking team. But for smaller ones... just keep them away from the door and you're OK. And keep backups... we can't make it impossible, but we can make it as hard as possible :) (and don't get paranoid; there aren't that many hackers that you will get hacked 5 times every month)

 
Rich Rumble (Security Samurai) commented:
When you suspect intrusion, this is what is recommended:
unplug the network cable. And as mentioned, turning off the system is up for debate; the current recommendation is to use all the built-in tools you can to offload or copy your valuable information. Back up the registry and the event logs TO A NETWORKED SHARE, or a USB stick etc., not to the HD of the suspect machine. You should also get screenshots of the task manager, and use the dir command to get a list of all files and their locations and sizes
(from the root of the drives... C:> not C:\documents and settings>)
dir * /A: /Q /S /T:  /4 >X:\hd-inventory.txt  (X: being a mounted share on another PC, or, if you've unplugged the network cable, get a USB memory stick or USB "sled" IDE hard drive)
If you have the resource kits installed there are numerous programs to help with the current state of the machine. Also you don't have to install software for it to work; you can copy the program file folder from one machine to a CD and it should run, so if you install Ptrace from Sysinternals on a PC, then copy the install directory to a CD, you can place that CD in the server and get the info off, or use a USB stick with the program dir on it.

A real forensics investigator will need the physical discs to remain in the machine and will probably employ some "undelete" utility to look for info that was recently deleted. The biggest help are the logs of your M$ machine (if they are logging more than the default values) and the firewall logs. Cloning the DISK is good, and if the machine is turned off to do it, as long as you've tried to preserve any data you can with the tools already on the machine, you should be OK.

With regard to evidence to be used in court, it's more of a debate of authenticity than much else. You need to prove authenticity. Look for Daubert and Frye cases to help you follow the guidelines of evidence preservation... Daubert and the Federal Rules of Evidence are preferred, http://www.forensic-evidence.com/site/ID/ID_FBI.html
http://www.fjc.gov/public/home.nsf/isitemap?openframeset
http://www.fjc.gov/public/home.nsf/autoframe?openform&url_r=pages/1100
-rich
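A Unix-side version of the inventory step in the comment above (the dir /S listing redirected to a share), added here as an example that is not code from the thread: walk one filesystem, write size, mtime, SHA-256 and path for every file to an output path on other media, hash the inventory itself so the hash can go in the custody log, and diff two inventories to list what was added or changed between them. It assumes Linux with find, stat -c, sha256sum and sort (GNU or busybox); the line format, function names and the sample tree built in demo_run are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Unix-side equivalent of the
# "dir ... /S > X:\hd-inventory.txt" step: one line per file with size, mtime
# (epoch seconds), SHA-256 and path, written to OUT, which should live on a
# share or USB stick, never on the suspect disk. Assumes Linux with find,
# stat -c, sha256sum, sort (GNU or busybox). Format and names are this example's own.

sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# Inventory every regular file under ROOT into OUT. -xdev stays on ROOT's
# filesystem so network mounts and the output media are not walked. Output is
# sorted by path so two runs can be compared line by line. Prints OUT's own
# hash so it can be copied into the custody log.
inventory_tree() {
    root=$1; out=$2
    find "$root" -xdev -type f -exec sh -c '
        for f; do
            printf "%s %s %s %s\n" "$(stat -c %s "$f")" "$(stat -c %Y "$f")" \
                "$(sha256sum "$f" | cut -d " " -f 1)" "$f"
        done' sh {} + | sort -k 4 > "$out"
    sha256_of "$out"
}

# Lines in NEW that do not appear in OLD: files added, or whose size, mtime or
# content changed, between the two inventories. grep exits 1 when there are
# none, which is not an error here.
inventory_changes() {
    old=$1; new=$2
    grep -vxF -f "$old" "$new" || [ $? -eq 1 ]
}

# Walk-through on a constructed tree: take an inventory, alter one file, take
# another, and list what differs.
demo_run() {
    work=$(mktemp -d)
    mkdir -p "$work/root/etc" "$work/root/var/log"
    printf 'abc' > "$work/root/etc/passwd.sample"   # constructed sample content
    : > "$work/root/var/log/empty.log"
    echo "inventory 1 sha256: $(inventory_tree "$work/root" "$work/inv1")"
    printf 'abcd' > "$work/root/etc/passwd.sample"
    echo "inventory 2 sha256: $(inventory_tree "$work/root" "$work/inv2")"
    echo "changed since inventory 1:"
    inventory_changes "$work/inv1" "$work/inv2"
}

if [ "${1:-}" = demo ]; then demo_run; fi
```

Reading every file to hash it updates access times unless the filesystem is mounted noatime or read-only, so this belongs after the volatile data has been captured and, where the disk can be imaged first, is better run against the image than against the live disk. An inventory taken from a known-good build of the same server gives a baseline for inventory_changes that is far more useful than a single listing.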
 
Rich Rumble (Security Samurai) commented:
Was this information helpful?
-rich
 
Rudolph_C_Mancilla (Author) commented:
Thanks to all who posted their comments here; they opened my eyes to the different points of view in this matter. Having read what you said, I'm leaning towards contracting a professional forensics company, but I will include some basic steps in my incident response procedure, namely unplugging the machine and ensuring it is isolated until the experts arrive. Perhaps in the future we will have an in-house certified forensics tech, but for now I will recommend we let someone who knows what to do handle this. Thanks again!
 
FalconHawk commented:
Glad you can use our suggestion ;).

But be sure to keep one thing in mind: what's the possible profit of an in-house specialist, and is there a real "need" for him, or is he most times idle? I can't tell how big your company is, and what services it has. If it's a bigger company, then an in-house expert is quite a good idea, provided he isn't idle all the time. The best way is hiring a "security response employee" who keeps an eye on the systems and knows what to do if they fail.

The second thing is how likely a site is to get hacked. People will more likely try to have a crack at Microsoft than at the website of a church. (weak example, but you get the point).

What also matters is your company's business. For one company an internet hack is worse than for others. If I have an internet security company, and my site got hacked, that would be a disaster. Think how that looks to potential customers. Or what if a customer database gets deleted and you lose customer data?