Tuesday, July 23, 2013

Daily Blog #30: Go Bag Part 5

Hello Reader,
             Another day, another blog. I should have started this one last night, but Civilization 5's Brave New World expansion is out, and it's really good. I am going to try to finish the Go Bag series before moving on to 'web 2.0 forensics' and dealing with JSON fragments. In other news, I'm reaching out to more companies I like, whose forensic products I use, that want to provide prizes for the Sunday Funday contests. I'm happy to announce that Paraben is offering free tickets to the PFIC conference. The first of them, a $399 ticket, will be given away this Sunday to the best answer, so make sure to pencil in some time on Sunday if you are interested. I'll be speaking there, as well as some other very talented DFIR pros; the conference is a great deal of fun, and it's held in a ski resort!

The system is a NAS - You've imaged the systems the custodian used, but are then informed that his network data is on a NAS.

Note: Remember that most NASes are not Windows embedded systems and thus will likely not have the same file system internally that the custodian was using. This means the custodian's computer will treat the underlying file share as it would any Windows network file share, but what file system metadata actually gets recorded (change versus created time stamps, for instance) depends on what file system the NAS has formatted the volume to be.

There are three different types of NAS systems you'll commonly encounter:

1. The consumer grade NAS
These devices typically have a couple of drives internally and run embedded Linux. Some of these will just have one drive. You can either remove the drive and image it or, in some models, attach it to your imaging laptop via USB. The important part here is that you realize there is a difference between what the NAS exposes and what you can acquire.

Logically imaging the network drive - This will allow you to capture in a forensic container all of the data as it's currently seen within the NAS. However, what it will not allow you to do is acquire any of the deleted data or free space of the disk, as the NAS will only be providing you with a logical view of the file system. If your case does not mandate deleted data 

Physically imaging the drives - Typically consumer grade NAS systems don't have iSCSI, so I'll leave that option out of this section. You will have two options at this point: you can remove the drives from the NAS and image them (for many models this is easy as they are meant to be swapped out), or, if you are lucky and there is a USB port, you can attach the NAS to your system for imaging. Remember to use a USB write blocker (software or hardware) to prevent writing to the drives.

2. The small business NAS
Small business NASes typically have more features but lack the USB option for direct connection. What feature they will typically add, though, is iSCSI. iSCSI allows you to present the local physical disk to another system over the network; this is how f-response provides access to remote disks (but they do so in a read only fashion). If you can create an iSCSI connection then you can get the physical image you want using any tool that you have on your forensic workstation. If you're going to do this I would recommend doing it in Linux or WinFE to prevent the system from touching the disk, as I'm not aware of an iSCSI write blocking solution outside of f-response.

If iSCSI is not available then look at the other two options listed to determine what you have available to you.

3. The enterprise NAS
Enterprise NAS systems like those from NetApp may or may not have an iSCSI function, but what they typically do have is some type of maintenance connection giving you a command shell on the local system. With these systems I typically will acquire the data logically and then log into the command shell, run dd locally, and output the data to my collection system via a netcat listener. This isn't fast, but when you get to proprietary systems it may become the only way to get the data out.

If I can actually load a utility onto the box for execution, f-response is a great option here.

If you want system logs or data you can also logically take the contents of the running NAS out over a netcat listener this way as well. 
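The two pushes above (a raw dd image of the disk, or a logical copy of logs and live contents) are the same pattern from the collection side: a listener on the forensic workstation writes whatever arrives to a file, and the NAS shell streams bytes into it. The script below is an added example, not from this post or any NAS vendor, that runs both ends in one process over localhost so the handshake and the one check that matters, independent hashes on each end, can be seen offline. The "device" is a constructed temporary file standing in for /dev/sdX; on a real job the NAS side is the dd pipe into nc that the post describes, and the collector side is nc listening into a file. Block size, port selection and the sample data are assumptions of this example.

```python
"""Stand-in for "dd on the NAS | netcat listener on the collector".

Both sides compute SHA-256 over the bytes they handled, so a truncated
or corrupted transfer shows up as a mismatch rather than a silent gap.
"""
import hashlib
import socket
import tempfile
import threading

BLOCK_SIZE = 4 * 1024 * 1024  # mirrors dd bs=4M; assumed, not from the post


def receive_image(listener: socket.socket, out_path: str) -> dict:
    """Collector side: accept one connection, stream to disk, hash as it lands."""
    conn, _ = listener.accept()
    digest = hashlib.sha256()
    total = 0
    with conn, open(out_path, "wb") as out:
        while True:
            chunk = conn.recv(BLOCK_SIZE)
            if not chunk:  # peer closed its write side: the image is complete
                break
            out.write(chunk)
            digest.update(chunk)
            total += len(chunk)
    return {"bytes": total, "sha256": digest.hexdigest()}


def send_image(device_path: str, host: str, port: int) -> dict:
    """NAS side: read the raw device block by block and push it over TCP.

    The source hash comes from the same single read, so a slow proprietary
    box is not read twice and the hash reflects exactly what was sent.
    """
    digest = hashlib.sha256()
    total = 0
    with socket.create_connection((host, port)) as sock, open(device_path, "rb") as dev:
        while True:
            block = dev.read(BLOCK_SIZE)
            if not block:
                break
            sock.sendall(block)
            digest.update(block)
            total += len(block)
        sock.shutdown(socket.SHUT_WR)  # send EOF so the listener knows to stop
    return {"bytes": total, "sha256": digest.hexdigest()}


def collect_over_network(device_path: str, out_path: str) -> dict:
    """Run collector and NAS sides on localhost and compare their hashes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    received = {}
    worker = threading.Thread(
        target=lambda: received.update(receive_image(listener, out_path))
    )
    worker.start()
    sent = send_image(device_path, "127.0.0.1", port)
    worker.join()
    listener.close()
    return {"sent": sent, "received": received, "verified": sent == received}


def make_sample_device(size: int = 10 * 1024 * 1024 + 123) -> str:
    """Constructed stand-in for /dev/sdX: deterministic bytes whose length is
    deliberately not a multiple of BLOCK_SIZE, so the short tail block is
    exercised the way the last sectors of a real disk would be."""
    pattern = bytes(range(256)) * 4096  # 1 MiB repeating pattern
    tmp = tempfile.NamedTemporaryFile(suffix=".img", delete=False)
    with tmp:
        written = 0
        while written < size:
            chunk = pattern[: size - written]
            tmp.write(chunk)
            written += len(chunk)
    return tmp.name


if __name__ == "__main__":
    device = make_sample_device()
    report = collect_over_network(device, device + ".dd")
    print(report)
```

Keep the two hashes with the image: the collector's hash is what you can reproduce later from the file, and the NAS-side hash is the only evidence you have that the file matches what left the box. If they differ, the transfer is repeated rather than explained away.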

Time to put together my notes and see what's left for this series before moving on. Have questions about handling onsite imaging situations? Ask them in the comments!