Difference between pages "Zero storage carving" and "How to make a simple forensic/investigation framework"

From ForensicsWiki

Zero storage carving

Zero storage carving is the concept of using techniques that enable carving of meaningful and processable chunks or files of uncompressed, unencoded data on disks, disk images or container files without the need for additional storage to be allocated for copies of the relevant data chunks or files.

Zero storage carving is sometimes also referred to as in-line carving.

Tools with support or facilities for zero storage carving include:

  • tsk-cp
  • scalpel
  • Photorec
  • CarvFs
  • LibCarvPath
  • Ocfa Treegraph API
How to make a simple forensic/investigation framework

Revision as of 15:53, 28 August 2009

Often, forensic labs are overloaded and investigators complain about the long waiting time. The solution for both is to reduce the amount of seized material that has to go through a full examination.

But how do you know whether a computer is relevant without looking into it? And how do you look into it in a fast and forensically acceptable way?

Many procedures are emerging around the world to allow the investigator to access seized computer data remotely, in an environment configured and maintained by the forensic professional. The investigator can perform an initial analysis, quickly pointing out the most important computers among all those seized. This speeds up the subsequent forensic exam, which is far more time consuming, and reduces the number of computers on which that exam has to be performed.

Hardware

  • Storage server(s) - server(s) with large storage capacity to keep the seized disk images.
  • Samba server - to be accessed by the investigators.

Software

  • GNU/Linux
  • Samba
  • SquashFS
  • NFS(optional)

Installation

  • Storage server:
    • Install the GNU/Linux distribution of your choice.
    • Install the SquashFS kernel patch and tools (mainline kernels from 2.6.29 onward ship SquashFS, so on those only squashfs-tools is needed).
    • Install NFS or Samba to share the disk images with the 'Samba server'.
    • Install dcfldd, GNU ddrescue, or both, or use plain dd.
  • Samba server:
    • Install the GNU/Linux distribution of your choice.
    • Install Samba.

Usage

On the Storage server

  • Mirror the seized disk to a temporary folder. Connect the disk through a write blocker. Note that dcfldd, like plain dd, stops at the first unreadable sector unless given conv=noerror,sync, whereas ddrescue retries bad sectors and records them in its mapfile; ddrescue writes no hash log, so hash the finished image separately (md5sum or sha256sum) before packing it:
dcfldd if=/dev/sdXX of=/tmpstg/M090834/image.dd hash=md5 hashlog=/tmpstg/M090834/hashlog.md5 hashwindow=1G

or

ddrescue /dev/sdXX /tmpstg/M090834/image.dd /tmpstg/M090834/ddrescue.log
  • Compress the folder to a SquashFS image. SquashFS is read-only, so investigators cannot alter the image once it is packed:
mksquashfs /tmpstg/M090834 /storage/M090834.squash
  • Make sure /storage is exported read-only to the Samba server, for example with an NFS export line in /etc/exports (samba_server is the Samba server's hostname):
# cat /etc/exports
/storage samba_server(ro)

On the Samba server

  • Add a line in /etc/fstab to
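The storage-server side of the procedure above, written out as one script. This is an example added to this page, not a tool from ForensicsWiki or the page's author. It keeps the page's placeholders (/tmpstg, /storage, the samba_server hostname, the case id) as assumptions, and adds the check the page leaves implicit: after imaging, the finished image is re-hashed against the dcfldd hash log, first as a whole against the "Total (md5): HASH" line and then window by window against the "START - END: HASH" lines, so a bad copy is caught and localised to one window before it is packed and exported. The function and variable names are the example's own.

```shell
#!/bin/sh
# ingest_case.sh: the storage-server steps from this page as one script.
# Added example, not ForensicsWiki's or the page author's code. Paths and
# names (/tmpstg, /storage, samba_server, case id) are the page's own
# placeholders and are assumptions here.
#
# usage (as root, with the seized disk behind a write blocker):
#   . ./ingest_case.sh; ingest_case /dev/sdX M090834
set -u

WINDOW=1073741824   # 1G in bytes; must match hashwindow= in image_disk

# Image the disk, hashing every 1 GiB window. conv=noerror,sync carries on
# past unreadable sectors (zero-padding them) instead of aborting as plain
# dd or dcfldd would. The hashlog is what the checks below verify against.
image_disk() {        # image_disk /dev/sdX /tmpstg/CASE
    dcfldd if="$1" of="$2/image.dd" conv=noerror,sync \
        hash=md5 hashwindow=1G hashlog="$2/hashlog.md5"
}

# Compare the "Total (md5): HASH" line with a fresh md5 of the whole image.
verify_total_md5() {  # verify_total_md5 IMAGE HASHLOG
    logged=$(sed -n 's/^Total (md5): *\([0-9a-f]*\).*/\1/p' "$2" | head -n 1)
    if [ -z "$logged" ]; then
        echo "no Total (md5) line in $2" >&2
        return 1
    fi
    actual=$(md5sum "$1" | cut -d' ' -f1)
    if [ "$logged" != "$actual" ]; then
        echo "FAIL $1: logged=$logged actual=$actual" >&2
        return 1
    fi
    echo "OK   $1 md5=$actual"
}

# Re-hash the image one window at a time and match each window against the
# "START - END: HASH" lines, so a mismatch is pinned to one window rather
# than to the whole disk. WINDOW_BYTES must equal the hashwindow used at
# imaging time (a short final window is matched on its start offset only).
verify_windows_md5() { # verify_windows_md5 IMAGE HASHLOG WINDOW_BYTES
    size=$(wc -c < "$1" | tr -d ' ')
    start=0; n=0; bad=0
    while [ "$start" -lt "$size" ]; do
        actual=$(dd if="$1" bs="$3" skip="$n" count=1 2>/dev/null | md5sum | cut -d' ' -f1)
        logged=$(sed -n "s/^$start - [0-9]*: *\([0-9a-f]*\).*/\1/p" "$2" | head -n 1)
        if [ "$logged" != "$actual" ]; then
            echo "window $n (offset $start): logged=${logged:-none} actual=$actual" >&2
            bad=$((bad + 1))
        fi
        start=$((start + $3)); n=$((n + 1))
    done
    [ "$bad" -eq 0 ]
}

# Pack the verified case folder into a read-only SquashFS image and export
# /storage read-only to the Samba server (the exports line from the page).
squash_and_export() {  # squash_and_export /tmpstg/CASE /storage/CASE.squash
    mksquashfs "$1" "$2" -noappend || return 1
    grep -q '^/storage ' /etc/exports 2>/dev/null || \
        echo '/storage samba_server(ro)' >> /etc/exports
    exportfs -ra
}

# Whole workflow for one seized disk; stops at the first failed step so a
# bad image never reaches /storage.
ingest_case() {       # ingest_case /dev/sdX CASE_ID
    case_dir="/tmpstg/$2"
    mkdir -p "$case_dir" || return 1
    image_disk "$1" "$case_dir" || return 1
    verify_total_md5 "$case_dir/image.dd" "$case_dir/hashlog.md5" || return 1
    verify_windows_md5 "$case_dir/image.dd" "$case_dir/hashlog.md5" "$WINDOW" || return 1
    squash_and_export "$case_dir" "/storage/$2.squash"
}
```

The window check re-reads the whole image with a 1 GiB dd buffer, so on a large disk it costs about as long as the imaging itself and a few hundred megabytes of RAM per window; on a storage server that is normally acceptable, and it is the step that tells you which gigabyte to re-image when the total hash disagrees. Once the SquashFS file is exported, the Samba server only ever sees a read-only copy, which is the forensic point of packing it.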