Tuesday, August 27, 2013

[Forensics] Using Microsoft Robocopy to copy loose files to a destination and preserve metadata of the files

In civil cases, one common practice is to copy loose files when forensic imaging cannot be applied, especially when you need to collect shared data from a server at a remote site. However, we still need to preserve the metadata of the files, such as the MAC times. Robocopy is a command-line utility built into Windows Vista/7 that provides the functions we need. Here is an overview of the parameters -- http://technet.microsoft.com/en-us/library/cc733145.aspx.

In the forensic field, there are many ways to achieve your objectives, using commercial products or open source tools. Whichever you choose, I prefer to find the most effective way and get the work done immediately. Not only will your clients be happy with your services, but you also balance your work and life. Right, this is how we need to work smart.

Of course, it's important to prepare well and test everything before going to the client's site. Doing so increases your confidence.

Let's go back to "Robocopy" and take Windows 7 environment as an example.

Server: \\fileserver\projects\

Source folder: \\fileserver\projects\accounting_data

Target drive (a newly wiped drive, formatted as NTFS and connected through a USB interface): N: drive

1. On your forensic workstation running Windows 7, map the path \\fileserver\projects\accounting_data to a drive letter (e.g. M:\) in Windows Explorer with domain credentials. It is best to map with administrative rights so that no permission barrier interrupts duplicating the data/files.

2. Run "Command Prompt" as an administrator.

3. Test whether robocopy is present: C:\>robocopy /? shows all parameters of robocopy. If it is not present, use IT's best friend: google it, download it, and test it.

4. Run the command C:\>robocopy M: N: /S /ZB /COPY:DAT /R:0 /W:0 /FP /NP /LOG+:"N:\accounting_data.log" (read the link above to understand why we use these parameters).

5. Press Enter a few times and wait. Once Robocopy completes, the prompt returns to the drive letter you are on. Check the log (N:\accounting_data.log) with WordPad or your favorite editor to confirm that the list of files was copied and to see whether any errors were recorded.
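Step 5 leaves the completeness check to a manual read of the log. As an added example that is not part of this post, here is a small Python parser that pulls the Options line, every ERROR entry and the Files summary row out of a Robocopy log and flags the collection as complete only if /COPY included T (timestamps) and nothing failed or mismatched; the embedded log is a constructed sample modelled on the /FP /NP log layout, and the function names are my own.

```python
import re

# Constructed sample modelled on the layout of a Robocopy /FP /NP log (not a real capture).
SAMPLE_LOG = """\
   Source : M:\\
     Dest : N:\\
    Files : *.*
  Options : *.* /FP /NP /S /COPY:DAT /ZB /R:0 /W:0
------------------------------------------------------------------------------
\t    New File  \t\t   12345\tM:\\budget.xlsx
\t    New File  \t\t    4096\tM:\\memo.docx
2013/08/27 10:00:01 ERROR 5 (0x00000005) Copying File M:\\locked.pst
Access is denied.
------------------------------------------------------------------------------
               Total    Copied   Skipped  Mismatch    FAILED    Extras
    Dirs :         1         0         1         0         0         0
   Files :         3         2         0         0         1         0
"""

# "<date> <time> ERROR <code> (0x...) <action> <path>"; Robocopy prints the reason on the next line.
ERROR_RE = re.compile(r"^\S+ \S+ ERROR (\d+) \(0x[0-9A-Fa-f]+\) (.+)$")
# Summary row columns: Total Copied Skipped Mismatch FAILED Extras
FILES_RE = re.compile(r"^\s*Files :\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_log(text):
    """Extract the options used, every ERROR entry and the Files summary row."""
    result = {"options": "", "errors": [], "files": None}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip().startswith("Options :"):
            result["options"] = line.split(":", 1)[1].strip()
        m = ERROR_RE.match(line)
        if m:
            reason = lines[i + 1].strip() if i + 1 < len(lines) else ""
            result["errors"].append((int(m.group(1)), m.group(2), reason))
        m = FILES_RE.match(line)
        if m:
            keys = ("total", "copied", "skipped", "mismatch", "failed", "extras")
            result["files"] = dict(zip(keys, map(int, m.groups())))
    return result

def collection_is_complete(parsed):
    """True only if /COPY kept timestamps (T) and no file failed or mismatched."""
    opts = parsed["options"].upper().split()
    timestamps_kept = any(o.startswith("/COPY:") and "T" in o[6:] for o in opts)
    f = parsed["files"]
    return (timestamps_kept and f is not None and not parsed["errors"]
            and f["failed"] == 0 and f["mismatch"] == 0)
```

Any ERROR entry (here the locked PST, error 5 access denied) means the copy must be rerun with adequate rights before the drive is sealed, since /R:0 makes Robocopy skip a failed file without retrying.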

Note that your target drive (N: drive) now contains all the data copied from the fileserver. DO NOT open, access, browse, or click the N: drive. Kindly disconnect the USB interface from the Windows forensic workstation.

If you do want to read the files, connect the target drive to the Windows forensic workstation through a hardware write-blocker such as WiebeTECH or Tableau. This avoids any modification to the data on the target drive.

When time is available, use forensic tools such as EnCase Imager, EnCase, or X-Ways Forensics to image the files from the target drive into E01 (expert witness format) or L01 (logical evidence format).

Hope this helps and Good Luck!
