Encase Network Drive Capture?

I have just started working with Encase 6.12.  I was quite familiar with FTK but am a little confused by the features of Encase.  In FTK, it was quite simple to do imaging across the network.  I have researched this procedure in Encase and it seems to involve a lot of side steps.  My goal is to capture the network drive from another computer and image it onto my computer.  Does anyone know a good way of doing this?  Also, for anyone that uses this software in the industry, is it best to use a third-party open source tool for this instead of Encase for drive acquisition?  Thanks!
Asked by: swinfosec

MalleusMaleficarum commented:
When you say "network drive from another computer and image it onto my computer".

Does that mean Workstation A has the C: drive and a mapped network Z: drive, and you want to image the Z: drive through the network onto your forensics workstation?
Or
Does that mean you want to image the C: drive of another workstation onto your forensics workstation via the network?



maxchow commented:
dcfldd could be a good choice; it is included in Helix, which is the easiest way to get it working.

swinfosec (Author) commented:
I want to image the C: drive of another workstation onto my forensics workstation via the network.  It seems that there is not a really good way to do this in Encase though.  I know of outside tools that can do this but wonder if there is any good way to do this in Encase.

MalleusMaleficarum commented:
Assuming you are using Encase Forensic Edition 6.12 and not Encase Enterprise...

The vendor-approved method of doing an acquisition over the network is using a network boot CD, booting the system via that CD, and configuring the IP of the machine within the same range as your forensics workstation.  Then firing up LinEn and doing the copy via a network cross-over cable.  It is, most definitely, not an elegant setup.  The reason for this is that Guidance Software sells a product called Encase Enterprise that is designed to be used for network acquisitions.  As Encase Enterprise grew as a product, support for a "streamlined network acquisition" in Encase Forensic Edition kind of fell off.

Forensic Edition is primarily designed to have hard drives directly connected to your forensic workstation, either via directly connecting them to the motherboard or by using a USB to IDE/SATA adapter.

Currently, the method that I use when I need to do a network acquisition is to boot the target machine with a Helix CD.  Helix is a/was an open-source forensically sound Linux distribution of various forensic tools, one of which is LinEn, which is the Linux Encase network copy utility.  ( I say WAS because they recently went to also selling a pay-for version, but I think you can still download the free versions)

Since you are running 6.12, I figure you probably have access to the Encase User Manual which came with the product.  Chapter 4 is devoted entirely to using and configuring Linen.  

I wish I could tell you that there was an easier way, like an Encase provided boot disc, or some utility that came with Encase FE that you could run on the target machine, but this is the approved method.




swinfosec (Author) commented:
I have used Helix before and it works quite well.  For the project then, I think I am going to do both a demonstration of directly connected media as well as the LinEn methods.  As the project is strictly limited to using the program itself (as it's purely an Encase demonstration) that is what I will be limited to.  However, for my own knowledge, what is an alternative way to make a forensic disk image with any non-Helix open source programs?

MalleusMaleficarum commented:
Helix has a slew of tools for making a disc image.  LinEn is just the unix utility that is made specifically to work with Encase.  You could also use Helix (or any other linux live CD) and make a DD image of the drive, which would give you a bit-by-bit copy (assuming you used the proper flags at the command line).  The thing that makes Helix special vs. say, Knoppix, is that Helix is designed for forensics, and as such usually mounts drives read-only from the beginning, whereas with other open source solutions, you have to make sure you mount the disks read-only.

Encase, I believe, will allow you to import in a DD image.  It didn't support this for a long long time, but they finally changed their mind around version 5 I believe.

The possible roadblock you could run into here from a legal standpoint is that you don't have any "proof" that the DD image is not corrupt or tampered with.  Encase actually takes every 64K of data and does a CRC checksum on it before writing it to the encase image file, then it does an MD5 of the whole disk and compares it to the hash of the disk.

Heck if you aren't super worried about the legal issues, you could even use most of the open source hard drive cloning utilities like g4u or clonezilla or the trinity rescue CD.

maxchow commented:
With dcfldd, you can calculate the hash value while it is creating the image; after you save it to storage, you can calculate the hash checksum of the image and match it against the one dcfldd recorded.

If you record the hash value there and maintain a chain of custody, then it will be accepted by the court.
 
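The hash-at-acquisition scheme the two answers above describe (a checksum on every 64 KiB block plus an MD5 over the whole disk, then re-hashing the stored image and matching it against what the acquisition tool recorded) is small enough to show end to end. The block below is an added example written for this page; it is not code from EnCase, dcfldd, Helix or any of the posters. The function names `acquire`, `verify` and `demo` are made up for the illustration, and the "drive" it images is a constructed 200 KiB file in a temporary directory, standing in for a real block device.

```python
import hashlib
import os
import tempfile
import zlib

# Block size the thread attributes to EnCase's per-block CRC (64 KiB).
CHUNK = 64 * 1024


def hash_file(path):
    """MD5 of a whole file: the 'hash of the disk' the image hash is compared against."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire(src_path, img_path, chunk=CHUNK):
    """Bit-for-bit copy src_path -> img_path.

    Records a CRC32 per chunk and an MD5 over everything read, mirroring the
    scheme described in the thread. Returns the record the verifier needs later.
    """
    md5 = hashlib.md5()
    crcs = []
    with open(src_path, "rb") as src, open(img_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            crcs.append(zlib.crc32(block))
            md5.update(block)
            dst.write(block)
    return {"md5": md5.hexdigest(), "crcs": crcs, "chunk": chunk}


def verify(img_path, record):
    """Re-hash an image against its acquisition record.

    Returns (whole_image_md5_matches, [indices of chunks whose CRC differs]).
    The per-chunk CRCs say *where* an image went bad, which a single MD5 cannot.
    """
    md5 = hashlib.md5()
    bad = []
    with open(img_path, "rb") as f:
        for idx, expected in enumerate(record["crcs"]):
            block = f.read(record["chunk"])
            md5.update(block)
            if zlib.crc32(block) != expected:
                bad.append(idx)
        tail = f.read()  # bytes beyond the recorded chunks mean the image grew
        if tail:
            md5.update(tail)
            bad.append(len(record["crcs"]))
    return md5.hexdigest() == record["md5"], bad


def demo():
    """Image a constructed 'drive', verify it, corrupt one byte, verify again."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "evidence.bin")  # stand-in for /dev/sdX (constructed data)
    img = os.path.join(tmp, "evidence.dd")
    with open(src, "wb") as f:
        f.write(bytes(range(256)) * 800)  # 200 KiB: three full chunks plus an 8 KiB tail

    record = acquire(src, img)
    clean = verify(img, record)

    # Simulate media corruption or tampering: flip one byte inside the third chunk.
    offset = 2 * CHUNK + 17
    with open(img, "r+b") as f:
        f.seek(offset)
        original = f.read(1)
        f.seek(offset)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered = verify(img, record)

    return {
        "chunks": len(record["crcs"]),
        "source_md5_matches_image": hash_file(src) == record["md5"],
        "clean": clean,
        "tampered": tampered,
    }


if __name__ == "__main__":
    print(demo())
```

Against a real target the source would be the raw device (what dd or dcfldd reads from under Helix), and the record written out alongside the image is what goes into the chain-of-custody notes. Two things the example makes visible that the thread only states: a single whole-disk hash tells you the image is wrong but not where, which the per-block checksums do, and the source hash must be taken at acquisition time because the original media may not be available (or may not be safe to re-read) when the image is later challenged. MD5 is used here only because that is what the thread and the tools of that era used; a modern acquisition should record SHA-256 alongside or instead of it.
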
MalleusMaleficarum commented:
Original author:

Could you please look over your open questions in the forensics forum and close them if possible or provide additional comments?

thanks!
