Sakaba, What you have outlined is a good description of the EnCase Enterprise Edition. You can image live Windows machines without taking them offline or disturbing operations. During imaging, the processor will operate around 40 percent utilization, allowing the enterprise functions to continuen and the machine can still serve data to the network. If the EnCase serlvet is not installed already as a service, you can run the trusted binary as a process in memory from removable media. You can also search, hash files, browse the file structure, etc to triage the machine. You can also image machines accross your WAN. The Windows version has been available for a year. The Linux version is installed at beta test sites, and the Unix version is in alpha. You can also examine dd images you have taken of previous drives. Several Fortune 100 companies are already using this technology, and evidence collected in this manner has been admitted in a US District Court. This is also used by law enforcement agencies executing search warrants that forbid the officers from taking networks down or disrupting business operations. You can obtain more info at http://www.guidancesoftware.com. Best, Jon Jonathan Bair Senior Director of Product Development Guidance Software -------------------------- Sent from my BlackBerry Wireless Handheld -----Original Message----- From: Sakaba <sakabaat_private> To: forensicsat_private <forensicsat_private> Sent: Mon Aug 11 01:53:14 2003 Subject: Re: Using dd.exe to make forensic images of NTFS drives Hi everyone, Thanks for your responses. I've tested with bootable linux (FIRE, Knoppix STD) and using the dd command works fine. Its just using dd.exe while live on windows. Some of you asked why I would want to do that. The reason is taking down servers to do investigations is not something we want to do unless we have a lot of evidence that it is life or death to begin with. You don't know this purely from examining the volatile data sources. I want the capability to take live images of windows machines without having to reboot them and without having to use thier binaries. The FIRE cd's forensic shell can be started simply by inserting the CD and pressing the button off autorun. It uses its own binaries and other than the minor changes from inserting the CD doesn't make changes that I would care about. I just wished it worked. Does anyone know of a tried and tested method of taking a live image off a running windows machine without taking it offline or rebooting to linux cd or anything else that would disrupt operations. Thanks, Sakaba -------------------------------------------------------------------------------- Get your free 15 Mb POP3 email @alexandria.cc Click here -> http://www.alexandria.cc/ ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Note: The information contained in this message may be privileged and confidential and thus protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 07:06:39 PDT