RE: Encase and data recovery

From: Lee, Robert T. (ROBERT.T.LEE-2at_private)
Date: Mon Mar 18 2002 - 20:13:39 PST

    Oops... Matt, you are right, I should have included a set of assumptions.
    
    There are several ways to sterilize your data to perform such operations.
    As you and others who work in forensic *labs* are fully aware, the most
    efficient is to always work from an image that is mounted in read-only
    mode.  This goes back to your need for an EnCase image conversion tool back into a
    raw image... ->Excellent<- idea. (Any Guidance folks who read this list,
    PLEASE speak up and give us your thoughts on this.)
    
    Ah yes... the big question: how to do that with Windows, since Microsoft
    doesn't have the equivalent of a loopback mount (none that I'm aware of,
    though I hope to be shown that I'm wrong).  Am I incorrect?
    
    The assumption HERE is that we have a "RAW NTFS image" obtained using dd.exe
    (Unix Port) from the filesystem.
    
    1.  Either use a physical blocker on the drive if you have one.
    2.  Mount using loopback in Linux'O'Choice in read-only mode.  NTFS is R-O
    by default.  Then share the drive out over the network using Samba Server
    and mount it on the examining system using file shares and map it as a new drive.
    Voila! Read-only, sterile NTFS solution for raw images (works with the FAT
    filesystem too, but make SURE you mount using the read-only option.)
    3.  Age-old DCFL technique using boot software to mount the image, though I have
    never tested this using NTFS, just FAT.  Possible?
    4.  EnCase... and other costly software.
    5.  You can "mount" raw images using software called Restorer2000.
    
    Well, I hope there are some other ways.  I love new ideas and methods!
    
    The question is: how do you examine an NTFS filesystem in a sterile state?
    
    Any other methods in use?
    
    Rob
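
One way to do step 2 in practice, as an added example that is not code from the original post: the script mounts a raw NTFS dd partition image read-only over loopback, checks /proc/mounts to confirm the ro flag actually took effect, hashes the image before and after, and prints a read-only Samba share stanza for exporting the mount point. The paths, the [evidence] share name and the mount_sterile.sh filename are assumptions; the mount step itself needs root.

```shell
#!/bin/sh
# Added example (not from the original post): mount a raw dd partition image
# read-only over loopback, confirm the kernel really mounted it "ro", hash the
# image before and after, and print a read-only Samba stanza for sharing it.
# All paths are constructed placeholders; the mount step itself needs root.
set -eu

# SHA-256 of a file (read-only); falls back to shasum where sha256sum is absent.
image_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Given one /proc/mounts line, return 0 only if its option field contains "ro".
mount_is_ro() {
    set -- $1                      # fields: device mountpoint fstype options ...
    [ $# -ge 4 ] || return 1       # no such mount line: treat as not read-only
    case ",$4," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Print an smb.conf share stanza that exports the mount point read-only.
samba_share_stanza() {
    printf '[evidence]\n  path = %s\n  read only = yes\n  browseable = no\n  guest ok = no\n' "$1"
}

# Mount the image and refuse to continue unless /proc/mounts confirms "ro".
mount_sterile() {
    img=$1; mnt=$2
    mkdir -p "$mnt"
    # ro,loop is the loopback read-only mount the post describes; noexec/nodev
    # keep anything inside the image from being executed or used as a device.
    mount -o ro,loop,noexec,nodev,noatime "$img" "$mnt"
    if ! mount_is_ro "$(grep " $mnt " /proc/mounts | head -n 1)"; then
        umount "$mnt"; echo "refusing: $mnt is not read-only" >&2; return 1
    fi
}

main() {
    img=$1; mnt=$2
    before=$(image_hash "$img")
    mount_sterile "$img" "$mnt"
    samba_share_stanza "$mnt"
    after=$(image_hash "$img")
    [ "$before" = "$after" ] || { echo "image hash changed: $before != $after" >&2; exit 1; }
    echo "ok: $img mounted read-only at $mnt, sha256 $after"
}

# Runs only when given an image and a mount point, e.g.
#   sudo ./mount_sterile.sh /evidence/case001/ntfs_part.dd /mnt/evidence_ro
if [ $# -ge 2 ]; then main "$@"; fi
```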
    
    -----Original Message-----
    From: Matt Pepe
    To: Lee, Robert T.
    Cc: 'forensicsat_private'
    Sent: 3/18/2002 3:13 PM
    Subject: RE: Encase and data recovery
    
    Just a couple of points to note about this problem. First, the issue of
    using EnCase as an imaging solution. Since the "evidence" file created
    (the .enN files) is not a true image, searches against it cannot be relied
    upon as being complete or accurate. You are forced to use EnCase or
    restore the image, where other issues come into play.  Especially if you
    happen to be working on a unix filesystem. This is true of any proprietary
    imaging file format.
    Luckily, Guidance has finally incorporated the ability to load in raw image
    files ("dd", for instance).  Most forensics *labs* stay away from using
    EnCase as an imaging solution.  On the analysis side, it's great though.
    
    <opinion tag>
    I vote we lobby Guidance for a tool that can convert their proprietary file to
    a raw image. I have this funny feeling that if they don't offer it soon, other
    forensic processing suites may have the upper hand.
    </opinion tag>
    
    The second point is that Rob is entirely correct. If you have any suspicion
    that your results are not correct or complete, attempt to perform the
    operation with a different set of tools. Do not believe marketing material
    that states that collections of GNU or older (but reliable) DOS command
    line tools are not defensible in court. As long as you are familiar with the
    tools, aware of their shortcomings, and that the tools are acceptable
    (history of use, widely accepted by other experts) in this field, you should
    have few problems.
    
    One question though, Rob. Can you get the Unix port of these tools to run
    on a sterilized version of DOS?  If not, the example you gave may have just
    modified your evidence (copy), given your DOS prompt and the fact that
    you are pointing to a physical device that we can only assume is a
    restored image.
    I'm sure that you could, but it would take a CD, or about 12 floppies to load
    the RAM disk with the libraries.  I'm getting flashbacks to the 80's when
    my system didn't have a hard drive..
    :)
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 07:32:35 PST