How to Acquire a Drive Safely

The acquisition of a hard drive can be performed in six different ways:

Local: "DOS Drive to Drive"

The DOS Local Method means that you are booting from a DOS boot disk and either:
  • Acquiring the suspect's hard drive from within your own computer, or
  • Acquiring the suspect's hard drive in the suspect's computer with your storage hard drive also installed in that computer.
CAUTION: To perform this, you need to make certain that the computer containing the suspect hard drive will boot from floppy ONLY. This is exceptionally important because if you accidentally boot into Windows, it will write to the suspect's hard drive (Windows updates file system metadata on every volume it mounts). Be careful and double check every step.
  1. Create a Barebones Boot disk as described here

  2. With the power to the suspect machine turned off, unplug both the power and data connectors from the suspect hard drive

  3. Boot the computer that you intend to use to perform the acquisition. When it is booting, enter the BIOS using the proper key combinations (Often the Delete Key or F2 Key)

  4. Change the boot order so that the machine cannot boot from any hard drive

  5. Save the changes and reboot the machine to test this

  6. Power off the machine and insert the boot disk into the floppy drive

  7. Connect the suspect drive and the target drive (which has been formatted FAT32; note that FAT32 cannot hold a single file larger than 4 GB, so the evidence file is stored as a series of segment files)

  8. Turn on the machine and boot into DOS

  9. Type EN to launch EnCase for DOS

  10. Confirm that the suspect's hard disk is shown as locked. Do not proceed if it is not.

  11. Unlock only the target drive, then choose Acquire on the disk representing the suspect's hard drive

  12. Choose the storage path for the target drive

  13. Fill in the required remaining fields and the acquisition will begin

  14. Once the acquisition is finished, exit EnCase for DOS and turn off the computer

  15. Now remove the power and data cables from the suspect hard drive

Local: "Linux Drive to Drive"

The Linux Local Method means that you are booting into a non-auto-mount distribution of Linux and either:
  • Acquiring the suspect's hard drive from within your own computer, or
  • Acquiring the suspect's hard drive in the suspect's computer with your storage hard drive also installed in that computer.
CAUTION: To perform this, you need to make certain that the computer containing the suspect hard drive will boot from your non-auto-mount Linux system ONLY. This is exceptionally important because if you accidentally boot into the suspect's operating system, or if your distribution of Linux "auto-mounts" the suspect's hard drive, you will write to the suspect's hard drive (even a mount that is never written to can update the file system's journal or mount-time metadata). Be careful and double check every step.
  1. Prepare your Linux System by disabling the automount feature as follows:
    1. SuSE 9.1
      1. Run Yast
      2. Open the Runlevel Editor
      3. Make sure the autofs feature is disabled
    2. Red Hat
      1. Run Services
      2. Open the Runlevel Editor
      3. Make sure the autofs feature is disabled

  2. Edit your default runlevel so that the system boots into console mode
    1. Locate and edit the file /etc/inittab
    2. Find the line that reads "id:5:initdefault:" and change the '5' to a '3'

  3. Copy the LinEn program to your Linux computer

  4. Turn off the Linux computer

  5. Attach the suspect Hard drive and a FAT32 formatted target drive to the computer

  6. Turn on the Linux computer

  7. Create a Mount Point for your FAT32 storage hard drive by typing "mkdir /mnt/FAT32"

  8. Determine the device names of the attached drives by examining the output of the command "fdisk -l" (this only reads the partition tables; it writes nothing)
    1. As a general reference, Linux follows the naming conventions below:
      1. hda - Primary Master
      2. hdb - Primary Slave
      3. hdc - Secondary Master
      4. hdd - Secondary Slave
      5. SCSI, USB and FireWire devices are labeled sda, sdb, sdc, etc.

  9. Mount the storage partition to the mount point by typing "mount /dev/hdx# /mnt/FAT32", where 'hdx#' is the target drive and partition you found above in step 8 (Example: hda3). Mount only the target partition; never mount any partition on the suspect drive. LinEn reads the suspect drive as a raw block device and does not need it mounted.

  10. Navigate to the location where you copied the LinEn program and execute it by typing "./linen"

  11. Select Acquire

  12. Specify the target location, which should be "/mnt/FAT32"

  13. Fill in the remaining required fields and the acquisition will begin

  14. Once the acquisition is finished, exit LinEn (EnCase for Linux)

  15. Type "init 0" to shut down the Linux computer

  16. Now remove the power and data cables from the suspect hard drive
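The shell script below is an added example, not part of LinEn, EnCase or this article. It performs the pre-flight checks that steps 1 through 9 rely on (no partition of the suspect drive mounted, the FAT32 target mounted read-write, no automount daemon running), taking the text of /proc/mounts and a process list as arguments so the checks can be exercised against constructed input, and it computes an MD5 of a device or file so the hash EnCase records for the acquisition can be checked independently after step 14. The device name /dev/hdb, the mount point /mnt/FAT32 and the script name preflight.sh are assumptions.

```shell
#!/bin/sh
# preflight.sh: pre-flight and post-acquisition checks for the Linux
# drive-to-drive method. Illustrative shell, not LinEn or EnCase code.
# Usage: ./preflight.sh /dev/hdb /mnt/FAT32   (device and mount point assumed)

# Return 0 when no partition of SUSPECT_DEV (e.g. /dev/hdb) appears in
# MOUNTS, the text of /proc/mounts. A mounted suspect partition can be
# written to by the kernel, which is exactly what must not happen.
suspect_is_unmounted() {
    mounts="$1"; dev="$2"
    # field 1 of /proc/mounts is the device; /dev/hdb also matches /dev/hdb1
    ! printf '%s\n' "$mounts" | awk -v d="$dev" 'index($1, d) == 1 { f=1 } END { exit !f }'
}

# Return 0 when MOUNTPOINT is mounted from a vfat (FAT32) file system with
# the rw option, i.e. the target drive prepared in steps 5 and 9.
target_is_ready() {
    mounts="$1"; mp="$2"
    printf '%s\n' "$mounts" | awk -v m="$mp" \
        '$2 == m && $3 == "vfat" && ("," $4 ",") ~ /,rw,/ { ok=1 } END { exit !ok }'
}

# Return 0 when no automount daemon is running. PROCS is the text of
# "ps -eo comm"; the autofs daemon appears there as "automount".
automounter_is_stopped() {
    ! printf '%s\n' "$1" | grep -qx 'automount'
}

# Print the MD5 of a block device (or any file). Read-only; compare the
# result with the acquisition hash EnCase reports for the evidence file.
hash_device() {
    md5sum "$1" | cut -d' ' -f1
}

# Run all three checks against the live system; abort on the first failure.
preflight() {
    dev="$1"; mp="$2"
    mounts=$(cat /proc/mounts)
    procs=$(ps -eo comm)
    suspect_is_unmounted "$mounts" "$dev" || { echo "ABORT: $dev has a mounted partition" >&2; return 1; }
    target_is_ready "$mounts" "$mp"      || { echo "ABORT: $mp is not an rw vfat mount" >&2; return 1; }
    automounter_is_stopped "$procs"      || { echo "ABORT: automount daemon is running" >&2; return 1; }
    echo "OK: safe to run ./linen and acquire $dev to $mp"
}

# Only act when invoked with the two arguments; sourcing the file is harmless.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it from the console immediately before step 10, and run hash_device against the suspect device after step 14 while the drive is still connected; a mismatch with the hash EnCase reports means the acquisition must be repeated before the suspect drive is disconnected.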

Local: "FastBloc"

FastBloc is Guidance Software's hardware write blocker for IDE hard drives. It sits between the suspect drive and the examiner's computer and blocks every write command, so the drive can be acquired from Windows, which otherwise writes to every local drive it mounts.

FastBloc "Classic" connects to a desktop or laptop through a SCSI cable to a SCSI controller card in the Forensic computer.

FastBloc IDE connects to a desktop or laptop through an IDE ribbon cable, attaching to an IDE port of the Forensic computer's motherboard.

FastBloc FE connects to a desktop or laptop using a USB or FireWire connection.
  1. With the examiner computer turned off, attach one of the above FastBloc devices to the computer

  2. Next, the suspect hard drive is attached to FastBloc using the supplied IDE ribbon cable

  3. Once the jumpers are configured as "Master" on the suspect hard drive, FastBloc is turned on

  4. Now the examiner computer is turned on and allowed to boot into Windows

  5. Once the computer is fully booted, launch EnCase

  6. Create a new case in EnCase and click the Add Device button

  7. Choose Local Devices and click Next

  8. Choose the device that has been protected by FastBloc and click Next

  9. Click Finish on the Preview Devices screen

  10. From the left pane, Right-Click the hard drive icon and choose Acquire

  11. Choose your after Acquisition Options and click Next

  12. Enter the required and optional information and click Finish

NOTE: While there are a large variety of other write blockers that may be used in the place of FastBloc, EnCase will only mark FastBloc devices as "write blocked" in the report. If you are using other write blockers and are having difficulties acquiring hard drives using them, please contact the write blocker manufacturer for specific technical assistance with their product.

Remote: Network Cross-over Cable Method
Please see our detailed article on Performing the Crossover Network Cable Acquisition.

Remote: Parallel-port Method

The Parallel-port method is best suited for when the network acquisition fails, and when it is impossible or impractical to remove the suspect hard drive. The Parallel-port method is the slowest way to acquire.

CAUTION: To perform this, you need to make certain that the suspect computer will boot from floppy ONLY. This is exceptionally important because if you accidentally boot the suspect computer into their operating system, you may write to the suspect's hard drive. Be careful and double check every step.

  1. Create a Barebones Boot disk as described here

  2. With the power to the suspect machine turned off, unplug both the power and data connectors from the suspect hard drive

  3. Boot the suspect machine. When it is booting, enter the BIOS using the proper key combinations (Often the Delete Key or F2 Key)

  4. Change the Boot order such that it is impossible to boot to a hard drive

  5. Save the changes and reboot the suspect machine to test this

  6. Power off the suspect machine and insert the boot disk into the floppy drive

  7. Re-connect the suspect drive

  8. Connect both machines using the parallel port cable that was included with EnCase

  9. Turn on the suspect machine and boot into DOS

  10. Type "EN/s" to launch EnCase for DOS in server mode

  11. Now turn on your examiner machine and boot into Windows

  12. Once the computer is fully booted, launch EnCase

  13. Create a new case in EnCase and click the Add Device button

  14. Choose Parallel Port and click Next

  15. Choose the hard drive device on the suspect computer and click Next

  16. Click Finish on the Preview Devices screen

  17. From the left pane, Right-Click the hard drive icon and choose Acquire

  18. Choose your after Acquisition Options and click Next

  19. Enter the required and optional information and click Finish

Enterprise: EnCase® Enterprise Method

The EnCase Enterprise method is best suited for acquiring machines physically located a long distance from the examiner, or for instances where the suspect machine must be kept "live" and cannot be shut down. The Enterprise method requires an EnCase Enterprise or EnCase Field Intelligence Model license.

  1. Have your SAFE Administrator push a servlet to the desired machine on the network

  2. Have your Keymaster add the new machine to the network tree and assign the machine to your user ID

  3. Launch EnCase and logon to the SAFE

  4. Start a new case, choosing the proper role

  5. Click Add Device and Expand the Enterprise folder

  6. Find and select the Name or IP Address of the node you intend to acquire and click Next

  7. Choose the hard drive device on the suspect computer and click Next

  8. Click Finish on the Preview Devices screen

  9. From the left pane, Right-Click the hard drive icon and choose Acquire

  10. Choose your after Acquisition Options and click Next

  11. Enter the required and optional information and click Finish
 

© 2002-2007 Guidance Software, Inc. All Rights Reserved.