Computer Forensics World :: View topic - How to make a remote image
OneZ
Posted: Wed Jan 07, 2015 6:02 am    Post subject: How to make a remote image

Hello again,

How can I make an image for a remote computer (in general) that I have no physical access to?

Also, how can I make an image of an Amazon EC2 instance? (besides a snapshot)

Thank you.

PreferredUser
Posted: Wed Jan 07, 2015 10:45 am

What access do you have to the computer?

You could serve a warrant on Amazon, go to their data center, image the storage.

LOL. No really, what kind of "image" do you hope to make?

OneZ
Posted: Wed Jan 07, 2015 12:44 pm

Haha

Let's assume I have full access to the computer.
And let's suppose two cases: in the first the machine is running Windows, and in the second it is running Linux.

If I don't have access to the machine I can't make an image, right?

I hope to make a forensic image that can be used for forensic analysis.

Thanks.

PreferredUser
Posted: Thu Jan 08, 2015 12:52 pm

"Full access" is not a description of remote access. The OS may determine/limit the type of remote access you have but is otherwise irrelevant.

How do you propose connecting to EC2 to make an image? What are you running on EC2? Is it an OS you have enough permissions on to run NBD Server? Or some other tool on the remote OS?

You need to provide a LOT more info for your scenario.

OneZ
Posted: Fri Jan 09, 2015 6:36 am

Ok.

The EC2 instance is an Ubuntu server. I can connect via SSH. I have the private key for connecting.

I would like to simply take a forensic image of the drive with minimum interaction with the remote machine. I mean without installing much or any services on the remote machine.

Isn't it forensically better not to install anything on a machine that you would like to take an image of? Or is it considered OK to install some tools to take such an image?

Thank you.

PreferredUser
Posted: Sat Jan 10, 2015 2:45 pm

OneZ wrote:
Isn't it forensically better not to install anything on a machine that you would like to take an image of? Or is considered ok to install some tools to take such an image?
If you are asking that question you need to stop and hire a professional who can properly document and properly preserve data from a remote acquisition.

There are several tools that can do this technically, however there is more to forensics than being technically able to do something. For example, what are the legal precedents in your jurisdiction for capturing data remotely? What if the data on the Amazon server is in a different jurisdiction? Or country?

OneZ
Posted: Sun Jan 11, 2015 4:33 am

Thanks again.

I'm just doing some simple research on forensics in cloud environments.

Let's forget about jurisdiction and similar stuff and concentrate on technical stuff.

So my question is simple: once I've acquired an image of an EC2 EBS drive, doesn't the situation become the same as if I had acquired an image from a local disk? I mean, what's the difference? Isn't acquiring the image from a cloud environment the hard part? Or is there something else that I'm missing?

PreferredUser
Posted: Mon Jan 12, 2015 12:15 pm

My response was as much technical as procedural.

If you are only allowing for minimal interaction with the remote server, I am not sure how you would make an image.

How are you going to SSH into the Windows VM? Is SSH installed and running on the Linux VM?

What tool are you going to use on the Windows VM to create the forensic image?

On both VMs where are you going to send the forensic image?

And yes, a forensic image created when you have a local hard drive is effectively the same as a forensic image created from a remote computer.

OneZ
Posted: Mon Jan 12, 2015 1:33 pm

Here is how I took / am trying to take an image.

1. Using EnCase Remote Recovery (14-day trial):
1.a: on Windows, I connected via Remote Desktop, copied the servlet and started it (basically, it allows the client on the local machine to connect). Now I can use the client on my local machine to explore and acquire an image of the EC2 instance. This one worked.
1.b: on Linux, I tried the same thing. However, the servlet is not working for some reason.

2. FTK Lite (this version does not require installation):
2.a: on Windows, I connected via Remote Desktop while sharing one of my local disks where FTK Lite resides. On the remote machine I navigate to my local disk, run FTK Lite and start the acquisition. Since I'm sharing my local disk I can instruct FTK Lite to store the image on it. However, at around 10% FTK Lite stops sending any data. I don't know if it's a problem with FTK itself or with Remote Desktop.
2.b: I don't know how to do the same thing on Linux.

3. I'll try the snapshot feature of EC2.

Do you have any ideas on how to acquire a remote image using free tools?

Thank you.

PreferredUser
Posted: Tue Jan 13, 2015 11:54 am

There are a lot of open source tools, I would recommend reading Carvey's articles on the Forensic Server Project.
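For the Linux case OneZ describes (an Ubuntu EC2 instance reachable over SSH with a key, and a wish to install nothing on the target), the acquisition can be done with tools already present on any Ubuntu host: dd on the remote side, ssh as the transport, and tee plus sha256sum locally so the image is written and hashed in a single pass. The script below is an added example written for this page; it is not code from the thread, from EnCase, FTK or the Forensic Server Project. The host alias ec2-target, the root device /dev/xvda and passwordless sudo for the login user are assumptions; check the real device name with lsblk before imaging.

```shell
#!/bin/sh
# Added example (not from the thread): stream a raw disk image off a remote Linux
# host through SSH and hash it as it lands. Hypothetical assumptions: the alias
# "ec2-target" is reachable with key-based SSH, the login user can run dd and
# sha256sum via passwordless sudo, and the root disk is /dev/xvda.

# remote_read_cmd HOST DEVICE
#   Print the shell command that writes the raw bytes of DEVICE on HOST to stdout.
#   Only dd (already on the target) is used remotely; BatchMode makes ssh fail
#   rather than prompt, so the pipeline never stalls on a password question.
remote_read_cmd() {
  host=$1; dev=$2
  printf 'ssh -o BatchMode=yes %s "sudo dd if=%s bs=4M status=none"' "$host" "$dev"
}

# remote_hash HOST DEVICE
#   Print the SHA-256 of DEVICE as computed on HOST, for comparison with the copy.
#   On a live system the device keeps changing, so a mismatch here is expected
#   whenever anything wrote to the disk between the two reads.
remote_hash() {
  host=$1; dev=$2
  ssh -o BatchMode=yes "$host" "sudo sha256sum $dev" | awk '{print $1}'
}

# acquire READER_CMD OUTFILE
#   Run READER_CMD (a shell string that writes the raw image to stdout), save the
#   bytes to OUTFILE and compute the SHA-256 in the same pass. The digest is
#   written to OUTFILE.sha256 and printed; tee avoids re-reading a multi-GB image.
acquire() {
  reader=$1; out=$2
  sh -c "$reader" | tee "$out" | sha256sum | awk '{print $1}' > "$out.sha256"
  cat "$out.sha256"
}

# verify OUTFILE EXPECTED_HASH
#   Exit 0 when the saved image re-hashes to EXPECTED_HASH, non-zero otherwise.
verify() {
  out=$1; expected=$2
  actual=$(sha256sum "$out" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# selftest
#   Offline check of acquire/verify against a constructed stand-in for a disk
#   (a text header followed by 64 KiB of zeros), read with cat instead of ssh.
selftest() {
  tmp=$(mktemp -d)
  { printf 'constructed fake disk image\n'; head -c 65536 /dev/zero; } > "$tmp/disk.raw"
  digest=$(acquire "cat $tmp/disk.raw" "$tmp/disk.dd")
  if verify "$tmp/disk.dd" "$digest" && cmp -s "$tmp/disk.raw" "$tmp/disk.dd"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# Usage against a real target (not run here):
#   h=$(remote_hash ec2-target /dev/xvda)
#   acquire "$(remote_read_cmd ec2-target /dev/xvda)" evidence/xvda.dd
#   verify evidence/xvda.dd "$h" && echo "image matches remote digest"
```

Two caveats a practitioner will want alongside this. First, the image is of a mounted, running filesystem, so it is not a consistent point-in-time copy and the remote and local digests can legitimately differ; record both, with timestamps, rather than expecting equality. Second, this is the "minimal interaction" OneZ asked about, not zero interaction: the SSH login and the sudo invocation leave entries in the target's auth log and shell history, which should be noted in the acquisition record. Where the instance's storage is EBS, an EBS snapshot attached to a separate analysis instance avoids touching the live system at all, which is why PreferredUser's question about where the image is sent matters as much as how it is read.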

roshedwardd
Posted: Mon Mar 23, 2015 9:36 pm    Post subject: Hello

The image size should be a multiple of MBs. If you try to upload an image that is not an exact multiple, the upload will fail.
The image size must be 127 GB or smaller.
It must be on a VHD file (VHDX files are not currently supported).
The VHD must not be a generation 2 virtual machine.
The VHD can be either fixed-size or dynamically expanding. A dynamically expanding VHD is recommended because it takes less time to upload to Azure than a fixed-size VHD file.
The disk must be initialized using the Master Boot Record (MBR) partitioning style. The GUID partition table (GPT) partition style is not supported.
The VHD must contain a single installation of Windows Server 2012 R2. It can contain multiple volumes, but only one that contains an installation of Windows.
The Remote Desktop Session Host (RDSH) role and the Desktop Experience feature must be installed.
The Remote Desktop Connection Broker role must not be installed.
The Encrypting File System (EFS) must be disabled.
The image must be SYSPREPed using the parameters /oobe /generalize /shutdown (DO NOT use the /mode:vm parameter).
Uploading your VHD from a snapshot chain is not supported.

All times are GMT + 10 Hours