Microsoft Word EnCase Forensic Version 11 User's Guide doc
Yüklə 2,21 Mb. Pdf görüntüsü
|
- Bu səhifədəki naviqasiya:
- Viewing the License for LinEn
- Creating a LinEn Boot Disc
- Tools > Create Boot Disc
- Alter Boot Table
- Configuring Your Linux Distribution
- LinEn Set Up Under SUSE
- Main Menu > System > Configuration > YaST
- Main Menu > System Settings > Server Settings
46
EnCase Forensic Version 6.11 Userʹs Guide
The LinEn™ utility runs on the Linux operating system and facilitates the following functions:
Performing drive‐to‐drive acquisitions Performing crossover acquisitions LinEn runs independently of the Linux operating system thus improving acquisition speeds, and runs in 32‐bit mode (rather than 16‐bit mode). Because Linux provides greater device support, LinEn can acquire data from a larger set of devices. As with other operating systems, to prevent inadvertent disk writes, modifications to the operating system need to be made. Linux typically has a feature called autofs installed by default. This feature automatically mounts, and thus writes to, any medium attached to the computer. Instructions in this chapter describe how to disable this feature to protect the integrity of your evidence.
LinEn must be running, and you must be on the LinEn main screen. To view the license for LinEn: 1.
Press L. The license displays. 2.
The LinEn main screen displays.
Using LinEn 47
If you want to run LinEn on the subject machine, you need to create a LinEn boot disc. When you create a LinEn boot disc, it is important to choose a ʺLiveʺ Linux distribution, as these types of distributions are designed to run straight from the CD or DVD and do not install themselves on the subject machine. You must have an ISO image of the live Linux distribution you want to use, such as Knoppix. Knoppix is one of the popular live distributions. Note: As it is not practical to modify the settings of a live Linux distribution, ensure that the live distribution does not automatically mount detected devices. To create a LinEn Boot disc 1.
Using your EnCase application on the investigatorʹs machine, click Tools > Create Boot Disc. The Choose Destination page of the Create Boot Disk wizard displays. 2.
The Formatting Options page of the Create Boot Disk wizard displays. 3.
Provide a path and filename to the ISO image you downloaded earlier, optionally click Alter Boot Table, and click Next. The Copy Files page of the Create Book Disk wizard displays. 4.
The file browser opens. 5.
Enter or select the path to the LinEn executable, normally c:\program files\encase6\linen , click OK, then click Finish. The Creating ISO progress bar displays on the Copy Files page. Once the modified ISO file is created, the wizard closes. 6.
help with this, refer to the instructions that came with your software. You now have a boot disc to run Linux and LinEn while you acquire the subject Linux device.
48
EnCase Forensic Version 6.11 Userʹs Guide
Before LinEn can run on Linux, you must configure Linux distribution. Due to the nature of Linux and its distributions, only the following standard distributions are discussed:
SUSE 9.1 Red Hat
Knoppix
Note: Because of the dynamic nature of Linux distributions, It is recommended that you validate your Linux environment before using it in the field. The process describes an ideal setup process that effectively runs the LinEn application in a forensically sound manner. Many distributions provide autofs as the means auto‐mounting anything attached to the Linux system. It is essential that autofs is disabled to prevent auto‐mounting.
A Linux distribution can be obtained from any Linux vendor. If you intend to use a LinEn boot disc, you will need a live distribution, such as Knoppix, in order to create a boot disc. If you intend to run LinEn on a installed version of Linux on your forensic machine, we recommend using SUSE or Red Hat. For the Linux distributions discussed in relation to LinEn, obtain a distribution from one of the following:
For the latest SUSE distribution, go to the http://www.novell.com/linux/ (http://www.novell.com/linux/) website.
For the latest Red Hat distribution, go to the http://www.redhat.com/ (http://www.redhat.com/) website.
For the latest Knoppix distribution, go to the http://knoppix.com/ (http://knoppix.com/) website.
Using LinEn 49
You must already have SUSE installed on your Linux machine. 1.
Copy the LinEn executable from C:\Program Files\EnCase6 on your Windows machine to the desired directory, /usr/local/encase on your Linux machine. 2.
3.
Enter chmod 777/usr/local/encase/linen . This changes the permissions on the LinEn executable, so that it can be executed by everyone. 4.
Close the command shell. 5.
Click Main Menu > System > Configuration > YaST. Yet Another Setup Tool (YaST) is used to configure various settings for your Linux operating system. 6.
7.
Ensure that autofs is disabled LinEn Set Up Under Red Hat You must have Red Hat installed on your Linux machine. 1.
C:\Program Files\EnCase6 on your Windows machine to the desired directory, /usr/local/encase on your Linux machine. 2.
Open a command shell on your Linux machine. 3.
Enter chmod 777/usr/local/encase/linen . This changes the permissions on the LinEn executable, so that it can be executed by anyone. 4.
5.
Click Main Menu > System Settings > Server Settings. 6.
Ensure that the autofs is disabled. Yüklə 2,21 Mb. Dostları ilə paylaş:
|