EnCase Forensic Version 6.11 User's Guide
Performing Acquisitions with LinEn
The EnCase LinEn utility provides the following methods of acquiring evidence from a subject drive:
- Drive-to-drive acquisitions
- Crossover cable acquisitions
Drive-to-drive acquisitions provide the means to safely preview and acquire devices without using a hardware write blocker. Drive-to-drive acquisitions use either the subject machine or the forensic machine to perform the acquisition. Drive-to-drive acquisition speed can be significantly faster than EN.EXE under MS-DOS in previous versions, simply because Linux is a 32-bit operating system.
Crossover cable acquisitions require both a subject and a forensic machine. This type of acquisition also negates the need for a hardware write blocker, and it lends itself to situations where access to the subject machine's drive is difficult or not practical. This is the recommended method for acquiring laptops and exotic RAID arrays. This method is slower than a drive-to-drive acquisition because data is transferred over a network cable, so it is especially sensitive to the speed of the network cards in both machines.
Setup for a Drive-to-Drive Acquisition
When a subject drive from the subject machine cannot be acquired via a crossover cable acquisition, the subject drive can be acquired via a drive-to-drive acquisition. Drive-to-drive acquisitions can be done in the following ways:
- Running a LinEn boot disc on the forensic machine
- Running the LinEn utility from Linux already installed on the forensic machine
- Running a LinEn boot disc on the subject machine
Any of these cables can be used as a hard disk cable:
- IDE cable
- USB cable
- FireWire
- SATA
- SCSI
Using LinEn
Figure 3: Setups for drive-to-drive acquisitions with 1) the forensic machine, running LinEn from the LinEn Boot Disk, connected to the subject hard drive; 2) the forensic machine, booted to Linux and running LinEn, connected to the subject hard drive; 3) the subject machine, running LinEn from the LinEn Boot Disk, connected to the target hard drive.
Doing a Drive-to-Drive Acquisition Using LinEn
Once LinEn is set up, run LinEn, choose Acquire, then select the drive to be acquired and the storage path. Optionally, provide additional metadata.
Configure LinEn as described in LinEn Setup, and verify that autofs is disabled (unchecked).
The investigator has identified the subject drive to be acquired and the storage drive that will hold the acquired evidence file.
1. If the FAT32 storage partition has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type ./linen in the console to run LinEn. The LinEn Main Screen displays.
3. Select Acquire. The Acquire screen displays.
4. Choose the physical drive or logical partition you wish to acquire.
The Acquire Device dialog displays.
5. For the data elements requested by the Acquire dialog, either accept the default, enter a value, or choose one of the alternatives, as described in Specifying and Running an Acquisition.
6. Press Enter. The Acquire Device dialog requests additional data values until all data elements have been entered or selected. Then the Creating File dialog displays.
7. When the acquisition is complete, click OK. The LinEn main window displays. The subject has been acquired and is stored on the storage drive.
8. Connect the storage drive to the investigator's machine.
9. Add the EnCase evidence file using the Sessions Sources page of the Add Device Wizard, as described in Completing the Sessions Sources Page.
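The state that steps 1 through 4 rely on (the FAT32 storage partition mounted read-write, the subject drive not mounted by autofs or anything else, since a mount can alter the subject) can be checked from the Linux console before ./linen is started. The shell script below is an added example, not part of the EnCase guide or of the LinEn utility. It reads a /proc/mounts-style listing (the samples embedded here are constructed, not captured from a real system), and the device names /dev/sdb (subject) and /dev/sdc1 (storage) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not EnCase or LinEn code): pre-acquisition checks for a
# drive-to-drive LinEn acquisition on a Linux forensic machine.
# Input is text in /proc/mounts format: "device mountpoint fstype options 0 0".
# /dev/sdb (subject) and /dev/sdc1 (storage) are hypothetical device names.

# Return 0 if the subject device or any of its partitions is mounted.
# $1 = mounts text, $2 = subject device, e.g. /dev/sdb
subject_is_mounted() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        index($1, dev) == 1 { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Print the filesystem type the storage partition is mounted with (empty if not mounted).
# $1 = mounts text, $2 = storage partition, e.g. /dev/sdc1
storage_fstype() {
    printf '%s\n' "$1" | awk -v dev="$2" '$1 == dev { print $3; exit }'
}

# Print "rw" or "ro": in /proc/mounts the first option is always one of the two.
storage_mode() {
    printf '%s\n' "$1" | awk -v dev="$2" '$1 == dev { split($4, o, ","); print o[1]; exit }'
}

# Verdict: 0 = safe to start ./linen, 1 = subject has a mounted partition,
# 2 = storage partition is not mounted as vfat read-write.
# $1 = mounts text, $2 = subject device, $3 = storage partition
precheck() {
    mounts="$1"; subject="$2"; storage="$3"
    if subject_is_mounted "$mounts" "$subject"; then
        echo "subject $subject has a mounted partition; unmount it and disable autofs" >&2
        return 1
    fi
    fs=$(storage_fstype "$mounts" "$storage")
    mode=$(storage_mode "$mounts" "$storage")
    if [ "$fs" != "vfat" ] || [ "$mode" != "rw" ]; then
        echo "storage $storage is not mounted vfat,rw (got '$fs,$mode'); mount it first" >&2
        return 2
    fi
    return 0
}

# Constructed sample mount tables (not captured from a real machine).
GOOD_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdc1 /mnt/storage vfat rw,relatime,fmask=0022 0 0'
SUBJECT_MOUNTED='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/autofs/sdb1 ext3 rw,relatime 0 0
/dev/sdc1 /mnt/storage vfat rw,relatime 0 0'
STORAGE_RO='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdc1 /mnt/storage vfat ro,relatime 0 0'

# Stand-alone run: report the verdict for the good table.
if precheck "$GOOD_MOUNTS" /dev/sdb /dev/sdc1; then
    echo "checks passed; ready to run ./linen"
fi
```

On a live forensic machine the first argument would be `$(cat /proc/mounts)` rather than a constructed string; the verdict codes map to the two fixes the guide already names, unmounting the subject (and keeping autofs disabled) and mounting the FAT32 storage partition.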
Acquiring Device Configuration Overlays (DCO) and Host Protected Areas (HPA)
EnCase applications can detect and image DCO and/or HPA areas on any ATA-6 or higher-level disk drive. These areas are detected using LinEn (Linux) or the FastBloc SE module. EnCase applications running in Windows with a hardware write blocker will not detect DCOs or HPAs. The application now shows if a DCO area exists in addition to the HPA area on a target drive. FastBloc SE is a separately purchased component.
HPA is a special area located at the end of a disk. It is usually configured so the casual observer cannot see it, and can only be accessed by reconfiguring the disk. HPA and DCO are extremely similar; the difference is the SET_MAX_ADDRESS bit setting that allows recovery of a removed HPA at reboot. When supported, EnCase applications see both areas if they coexist on a hard drive. For more information, see the EnCase Modules Manual.
Acquiring a Disk Running in Direct ATA Mode
If the Linux distribution supports ATA mode, you will see a Mode option. The mode must be set before the disk is acquired. An ATA disk can be acquired via the drive-to-drive method. The ATA mode is useful for cases where the evidence drive has a host protected area (HPA) or device configuration overlay (DCO). Only Direct ATA Mode can review and acquire these areas.
LinEn is configured as described in LinEn Setup, and autofs is disabled (unchecked). Linux is running in Direct ATA Mode.
To acquire a disk running in Direct ATA Mode:
1. If the FAT32 storage partition has not been mounted, mount it.
2. Navigate to the folder where LinEn resides and type ./linen in the console. The LinEn Main Screen displays.
3. Select Mode, then select Direct ATA Mode. The disk running in ATA mode can now be acquired.
4. Continue the drive-to-drive acquisition with Step 3 of Doing a Drive-to-Drive Acquisition Using LinEn.
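Both the HPA/DCO discussion above and the Direct ATA Mode procedure turn on one fact: a tool that does not see the hidden area reports fewer sectors than the drive natively has. On Linux the two numbers can be read with hdparm -N, and parsing that output lets an examiner record whether an HPA was present and confirm an image is not short by the hidden sectors. The shell script below is an added example, not part of the EnCase guide or of LinEn. The hdparm -N lines it parses are constructed samples (format assumed to be " max sectors = VISIBLE/NATIVE, HPA is enabled|disabled"), and /dev/sdb is a hypothetical device name.

```shell
#!/bin/sh
# Added example (not EnCase or LinEn code): detect a Host Protected Area from
# `hdparm -N <device>` output and check an image's sector count against the
# drive's native maximum. Samples below are constructed, not real captures.

# Read hdparm -N text on stdin; print "VISIBLE NATIVE STATE" for the max-sectors line.
parse_hdparm_n() {
    sed -n 's/.*max sectors *= *\([0-9]*\)\/\([0-9]*\).*HPA is \([a-z]*\).*/\1 \2 \3/p'
}

# $1 = hdparm -N text; print the number of sectors hidden by an HPA (0 when none).
hpa_hidden_sectors() {
    set -- $(printf '%s\n' "$1" | parse_hdparm_n)
    [ $# -eq 3 ] || { echo "unparseable hdparm -N output" >&2; return 2; }
    echo $(( $2 - $1 ))
}

# $1 = hdparm -N text; return 0 if an HPA is enabled, 1 otherwise.
hpa_present() {
    set -- $(printf '%s\n' "$1" | parse_hdparm_n)
    [ "$3" = "enabled" ]
}

# $1 = sectors the image contains, $2 = hdparm -N text.
# Return 0 only if the image reaches the native maximum, i.e. the HPA was included
# (as it would be when acquired in Direct ATA Mode); a shortfall means an incomplete image.
image_covers_native() {
    set -- "$1" $(printf '%s\n' "$2" | parse_hdparm_n)
    [ $# -eq 4 ] || return 2
    [ "$1" -ge "$3" ]
}

# Constructed hdparm -N samples for a hypothetical /dev/sdb.
NO_HPA='/dev/sdb:
 max sectors   = 976773168/976773168, HPA is disabled'
WITH_HPA='/dev/sdb:
 max sectors   = 966773168/976773168, HPA is enabled'

# Stand-alone run: summarise the sample with an HPA.
if hpa_present "$WITH_HPA"; then
    printf 'HPA present, hiding %s sectors\n' "$(hpa_hidden_sectors "$WITH_HPA")"
fi
```

In practice the text would come from `hdparm -N /dev/sdb` run on the forensic machine with the subject attached, and the sector count of the image from the acquisition tool; a non-zero hidden count with an image that stops at the visible maximum is exactly the case the guide routes through Direct ATA Mode.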