Solved

What is the most stable/best software to create a forensic image of a server?

Posted on 2014-12-23
714 Views
Last Modified: 2015-01-19
I have a client who needs me to create a forensic image of one of their servers. Unfortunately, the server that I am imaging has a RAID volume that has a 7TB partition with almost 5TB of data. I am attempting to image to a NAS device that we have onsite. Tools I have used up to this point seem to crash part of the way through.
Question by:PROACTIVETG
10 Comments

Expert Comment by: btan (LVL 64), ID: 40514974
Encase and FTK can be one option to explore, but software-based cloning of huge TBs and storing live onto a NAS can be slow and prone to network disturbance. I was thinking whether using dd for a bit copy and a cross cable to the NAS (or a physically accessible staging store to be later pumped over to the NAS backup) as a simplistic baseline would be more stable and faster instead of over the wire across the network.

But this article stated various means to acquire a RAID server; though it did not drill further, it eventually concluded it is still viable with the gigabit NIC in the target server to be cloned. The time taken is not impressive but definitely faster across the network, and it will get the job done.

There may be newer (or existing) evolution schemes that use image splitting, since creating a large single raw data dump is not filesystem-performance friendly. FTK Imager is another tool for which the article gave steps for imaging, including specifying the fragment size of the image split, which we can hear more about from other experts too.

Overall, I perceive that for stable cloning, direct may be better compared to a dedicated network, but restrictive in use cases where physical access is not viable. However, the forensic tool cloning coverage objective leans more towards cloning with integrity intact from source to destination, and the remaining external factors and dependencies causing network errors that tamper with the data are beyond the tool's control. A separate logical LAN for such cloning is preferred, and during off-peak, but it is quite a hassle and probably direct will be quicker, as shared in the articles.

Expert Comment by: Carlos Ijalba (LVL 10), ID: 40516132
One of the fastest drive cloning/backup software tools I have used is Drive Snapshot:

http://www.drivesnapshot.de/en/

Compatible with all Windows file systems (FAT16, FAT32, NTFS, ReFS), supports Linux EXT2/3/4/Reiser/XFS, and compatible with all Windows RAID methods; it can split the image file into different sizes to avoid storage destination problems.

But all this is just in case the server is running Windows.

Expert Comment by: noxcho (LVL 47), ID: 40516138
Try Hard Disk Manager 15 Server Basic: www.paragon-software.com from its Boot CD.
What is the reason they want to take a forensic image? Is this for court, or do they mean an EXACT image by forensic?

Expert Comment by: btan (LVL 64), ID: 40516196
Casper is another potential candidate that supports hardware RAID arrays, does verification on copy (Automatic Copy Verification), and is also able to resume a clone if there are disruptions (SmartResume).
http://www.fssdev.com/products/casper/specifications.aspx
Note that for support of Windows Server 2008/2003 it is Casper Server Edition, while for client-based OSes like Windows 7/8 etc. it is the Tech Edition. Here is the comparison matrix: http://www.fssdev.com/products/casper/productmatrix.aspx

Author Comment by: PROACTIVETG, ID: 40516443
The image I need to create is for court, not just a backup.

Expert Comment by: btan (LVL 64), ID: 40516461
EnCase and FTK are recognised. Importantly, it is about maintaining the chain of custody of the evidence to be submitted. As long as it is verifiable proof with high integrity against tampered data, it is legally still valid. It should not be tool-driven (as much as I hope so). To clarify for Casper, it does clone a drive image (SmartClone, AccuClone) and not just backup.

Author Comment by: PROACTIVETG, ID: 40516466
Thanks. Would I be able to take an image using Casper and use one of the other forensic programs to search through the image? Meaning, does Casper create images in any of these formats: IMG, DD, ISO, BIN, 000, 001, NRG, SDI, AFF, AFD, AMF, .E01, S01?

Expert Comment by: btan (LVL 64), ID: 40516481
Casper does a bit copy; however, the image is a direct copy to the destination drive, e.g.:
Casper can be instructed to clone the entire contents of one hard disk to another hard disk, or clone a specific partition/volume to another partition/volume. When using the Copy an entire hard disk method, Casper completely replaces the existing content of the destination device, master boot record, existing partition structure, etc.
So to get the image, EnCase and FTK Imager may be more preferred.

Expert Comment by: noxcho (LVL 47), ID: 40516588
For the court you need software which is officially certified. First check in court or with a lawyer whether there is any such imaging software which is officially recognized and accepted.
As for the search: you can take a backup with Paragon, mount the image using Windows Disk Manager as the image is in vhd or vmdk format, then use Windows search.

Accepted Solution by: btan (LVL 64), earned 2000 total points, ID: 40517218
If you take a look at this pdf from the US DoJ, the case study stated the use of EnCase by law enforcement forensic investigators for imaging and also the chain of custody (do see chapter 3 on Evidence Acquisition, which depicted the steps) required for all admissible evidence (proof of authenticity from original author to holder):
https://www.ncjrs.gov/pdffiles1/nij/199408.pdf

One key point of acquisition is also that a write-blocker-capable tool or software is required so that the process will not taint the original evidence. The govt lab stated ForensicSoft SAFE (e.g. "The Windows boot disk contains advanced software write blocking technology that will block hardware RAID. This allows investigators to image the entire RAID volume at once."):
http://www.dfcsc.uri.edu/research/boot and http://www.forensicsoft.com/safe_compare_chart.php
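btan's first comment suggests dd over a cross cable together with image splitting into fragments, and the accepted solution stresses that an acquisition is only useful for court if its integrity from source to destination can be verified. The following is an added example and is not code from the thread or from any of the tools named in it (EnCase, FTK Imager, Casper, SAFE): a POSIX shell script that acquires a source with dd into fixed-size fragments, records a SHA-256 of the source and of every fragment in a manifest as it goes, and re-verifies both the fragments and the reassembled image later. The fragment names image.NNN, the manifest layout and the availability of sha256sum or shasum are this example's own assumptions, and the write blocker on the source that the accepted solution calls for is still required; a script cannot stand in for it.

```shell
#!/bin/sh
# Added example (not from the thread or from any tool named in it):
# fragmented raw acquisition with dd plus a SHA-256 manifest that lets the
# image be re-verified later. The names image.NNN and manifest.txt are this
# example's own convention, not a forensic image format.
set -eu

# SHA-256 of a file, or of stdin when the argument is "-".
# Uses sha256sum (GNU coreutils) and falls back to shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE OUTDIR FRAGMENT_MIB
# Writes SOURCE (a raw device or a file) to OUTDIR/image.000, image.001, ...
# in fragments of FRAGMENT_MIB MiB, hashing each fragment as it is written.
# The source hash is taken first and stored in the manifest, so the
# reassembled image can later be compared against what was actually read.
# Prints the number of fragments written.
acquire_image() {
    src=$1
    outdir=$2
    frag_mib=$3
    manifest="$outdir/manifest.txt"
    mkdir -p "$outdir"
    : > "$manifest"
    printf 'source %s %s\n' "$(sha256_of "$src")" "$src" >> "$manifest"
    i=0
    while :; do
        frag=$(printf '%s/image.%03d' "$outdir" "$i")
        # 1 MiB blocks; skip and count are in blocks. Default dd stops on a
        # read error, which is the right behaviour for intact media; failing
        # media needs conv=noerror,sync, and the zero-padded result will then
        # no longer match a separately computed source hash.
        dd if="$src" of="$frag" bs=1048576 skip=$((i * frag_mib)) count="$frag_mib" 2>/dev/null
        size=$(wc -c < "$frag" | tr -d ' ')
        if [ "$size" -eq 0 ]; then
            rm -f "$frag"    # source length was an exact multiple of the fragment size
            break
        fi
        printf 'fragment %s %s\n' "$(basename "$frag")" "$(sha256_of "$frag")" >> "$manifest"
        i=$((i + 1))
        if [ "$size" -lt $((frag_mib * 1048576)) ]; then
            break            # short fragment: end of the source reached
        fi
    done
    echo "$i"
}

# verify_image OUTDIR
# Re-hashes every fragment against the manifest (catches a corrupted or
# swapped fragment), then hashes the reassembled fragments against the
# recorded source hash. Returns non-zero on any mismatch.
verify_image() {
    outdir=$1
    manifest="$outdir/manifest.txt"
    src_hash=$(awk '$1 == "source" { print $2 }' "$manifest")
    awk '$1 == "fragment" { print $2, $3 }' "$manifest" | while read -r name expected; do
        actual=$(sha256_of "$outdir/$name")
        if [ "$actual" != "$expected" ]; then
            echo "fragment $name: expected $expected got $actual" >&2
            exit 1
        fi
    done || return 1
    # image.NNN sorts lexically in write order for up to 1000 fragments.
    assembled=$(cat "$outdir"/image.* | sha256_of -)
    if [ "$assembled" != "$src_hash" ]; then
        echo "reassembled image does not match source hash" >&2
        return 1
    fi
    return 0
}

# Usage:  sh acquire.sh /dev/sdX /mnt/nas/case01 2048   (2 GiB fragments)
#         sh acquire.sh --verify /mnt/nas/case01
case "${1:-}" in
    --verify) verify_image "$2" && echo "image verified" ;;
    "")       ;;   # no arguments: only define the functions
    *)        n=$(acquire_image "$1" "$2" "${3:-2048}")
              echo "$n fragments written, manifest in $2/manifest.txt" ;;
esac
```

Run the verify mode again after the fragments have been copied onto the NAS to confirm nothing changed in transit, and keep the manifest with the chain-of-custody paperwork. Hashing the source before imaging means the source is read twice, which on a 7TB volume is a real cost, but it is what makes the claim "this image reproduces what was read" provable rather than assumed.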