You are currently browsing the Forensics category
Displaying 1 - 3 of 3 entries.

LISA Prerequisites

  • Posted on January 1, 2016 at 15:34

Super Quick Start Guide II: LISA

# pacman -Sy perl-dbd-pg
# cpan
cpan> install Filesys::Df
cpan> install Filesys::DiskFree
cpan> install Filesys::Path
cpan> install Config::Simple
cpan> install Email::Send::SMTP::TLS
cpan> install Email::Simple

File names:

  • Transponder: lisa-bot-1.5.pl
    Call: ./transponder/lisa-bot-1.5.pl 3
  • Heartbeat Share Checker: lh-sharechecker-1.8.pl
    Call: .heartbeat//lh-sharechecker-1.8.pl –runmode=3 –interval=60
  • Acquire Storage Device: lisa-dn-acquire-storage-device-1.3.1pl
    Call: ./bootdisk/lisa-dn-acquire-storage-device-1.3.1pl 3
  • Acquire Computer: ls-dn-acquire-computer-1.4.0.pl
    Call: ./bootdisk/lisa-dn-acquire-computer-1.4.0.pl 3

 

Deduplicating: EWF vs Raw

  • Posted on August 4, 2015 at 14:24

Is ‘good old’ Expert Witness Format still the preferred choice?

In the recent years huge centralized storage has become pretty much a standard everywhere. And pretty much everywhere EWF has become standard for forensics imaging.
I wonder if this is still the most optimal combination from the perspective of storage-efficiency.

How does deduplicating perform on ewf-images compared to raw? In fact, my assumption is: The more raw images saved to a deduplicating volume, the more efficient duplicating will do its job.

 

Let’s bring them to the test!

EnCase
After booting up with a Windows 7 machine, I imaged the boot disk using EnCase 6. (run 1)
Immediately after, I initiated a second acquisition using the same EnCase session (run 2)
All settings for acquisition are kept to default, using ‘Good compression’ and a split size of 640MB.

FTK Imager
After EnCase finished both acquisition sessions successfully, I started two acquisition sessions with FTK Imager using the same approach: Start one, When it runs, start session number two.

FTK: “Runtime error” on raw-image

  • Posted on January 11, 2011 at 23:07

Today we discovered some strange behavior of Forensic ToolKit opening a raw image.

We use different software to acquire evidence:

  1. rdd-copy (my favorite)
  2. FTK Imager
  3. Tableau IMager

Description
Fortunately we now only use uncompressed raw images*. And depending on the situation we create them with one of the above mentioned tools. For some strange reason FTK crashed immediately after adding a raw image made by rdd-copy. My colleague appeared to be so patient and eager to find the reason for this strange behavior that he acquired that same harddrive again. Even though rdd-copy didn’t report any errors on the device! And this time he used Tableau IMager….

After all that was done, he added the raw-image, made by Tableau IMager, to the case… And to our big surprise: It worked flawlessly! And it got even more strange when we checked the hashes, The MD5s were the same! Go figure…

Cause
The extension! WTF! Our default choice for an evidence-extension is .IMG. (Works pretty nice with OS X)
And this was causing that runtime error!

Remedy
We changed .IMG to .DMG. Keeping the powerful functions of OS X available.
Everybody happy.

*If you want discussions about EnCase Evidencefiles again,
If you honestly really don’t know why not,
Or if you just want to make me mad,
Send an email to ‘whatssodamnhorribleaboutencaseevidencefiles@krujs.nl