
Daily Blog #30: Go Bag Part 5

Hello Reader,
Another day, another blog. I should have started this one last night, but Civilization 5's Brave New World expansion is out, and it's really good. I am going to try to finish the Go Bag series before moving on to 'web 2.0 forensics' and dealing with JSON fragments. In other news, I'm reaching out to more companies I like that provide forensic products I use and that want to provide prizes for the Sunday Funday contests. I'm happy to announce that Paraben is offering free tickets to the PFIC conference. The first of them, a $399 ticket, will be given away this Sunday to the best answer, so make sure to pencil in some time on Sunday if you are interested. I'll be speaking there as well as some other very talented DFIR pros, the conference is a great deal of fun, and it's held in a ski resort!

The system is a NAS - You've imaged the systems the custodian used but are then informed that his network data is on a NAS

Note: Remember that most NAS devices are not Windows embedded systems and thus will likely not have the same file system internally that the custodian was using. This means the custodian's computer will treat the underlying file share as it would any Windows network file share, but what file system metadata actually gets recorded (change versus recorded time stamps, for instance) depends on what file system the NAS has formatted the volume to be.

There are three different types of NAS systems you'll commonly encounter:

1. The consumer grade NAS
These devices typically have a couple of drives internally and run embedded Linux; some will have just one drive. You can either remove the drive and image it or, in some models, attach it to your imaging laptop via USB. The important part here is that you realize there is a difference between what the NAS exposes and what you can acquire.

Logically imaging the network drive - This will allow you to capture in a forensic container all of the data as it's currently seen within the NAS. However, what it will not allow you to do is acquire any of the deleted data or free space on the disk, as the NAS only provides a logical view of the file system. If your case does not mandate deleted data 

Physically imaging the drives - Typically consumer grade NAS systems don't have iSCSI, so I'll leave that option out of this section. You have two options at this point: you can remove the drives from the NAS and image them (for many models this is easy, as they are meant to be swapped out), or, if you are lucky and there is a USB port, you can attach the NAS to your system for imaging. Remember to use a USB write blocker (software or hardware) to prevent writing to the drives.

2. The small business NAS
Small business NAS devices typically have more features but lack the USB option for direct connection. What they typically add, though, is iSCSI. iSCSI lets the NAS present its local physical disk to another system over the network; this is how f-response provides access to remote disks (though it does so in a read-only fashion). If you can create an iSCSI connection, then you can get the physical image you want using any tool you have on your forensic workstation. If you're going to do this, I would recommend doing it in Linux or WinFE to prevent the system from touching the disk, as I'm not aware of an iSCSI write-blocking solution outside of f-response.

If iSCSI is not available then look at the other two options listed to determine what you have available to you.

3. The enterprise NAS
Enterprise NAS systems like those from NetApp may or may not have an iSCSI function, but what they typically do have is some type of maintenance connection giving you a command shell on the local system. With these systems I typically acquire the data logically, then log into the command shell, run dd locally and send the output to my collection system via a netcat listener. This isn't fast, but when you get to proprietary systems it may become the only way to get the data out.

If I can actually load a utility onto the box for execution, f-response is a great option here.

If you want system logs or other data, you can also take the contents of the running NAS out logically over a netcat listener in the same way.
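The enterprise NAS procedure above (dd in the maintenance shell, netcat listener on the collector) as an added example that is not from the original post, with a hash check so you can show the image received matches the source; the device path, collector address and port are placeholders, and the nc flags assume a traditional netcat build.

```shell
#!/bin/sh
# Added example, not the blog's own scripts: the "dd on the NAS, netcat listener
# on the collector" procedure with a hash check at the end. Device path, IP and
# port are placeholders. netcat flag syntax varies between builds (-l -p PORT
# for traditional/GNU, -l PORT for OpenBSD); adjust for the NAS's nc.

# Run on the COLLECTION workstation first: listen on port $1, write everything
# received to image file $2 and record a SHA-1 of the stream in $2.sha1.
collector_listen() {
    port=$1; out=$2
    nc -l -p "$port" | tee "$out" | sha1sum | awk '{print $1}' > "$out.sha1"
}

# Run from the NAS maintenance shell: read the device (dd only reads here) and
# push it to the collector. conv=noerror,sync continues past unreadable
# sectors and zero-pads them so offsets in the image stay aligned.
nas_stream() {
    dev=$1; collector=$2; port=$3
    dd if="$dev" bs=1M conv=noerror,sync | nc "$collector" "$port"
}

# Hash a file or device and print only the hex digest. On the NAS, run this
# against the source device after the transfer; if dd had to zero-pad bad
# sectors, hash the padded stream instead (dd ... | sha1sum) or the values
# will differ for a reason that is not a transfer fault.
file_sha1() {
    sha1sum "$1" | awk '{print $1}'
}

# Compare the source digest ($1, copied over from the NAS shell) with the digest
# the collector recorded for image $2. Exit status 0 = match, 1 = mismatch.
verify_image() {
    src_hash=$1; image=$2
    rcv_hash=$(awk '{print $1}' "$image.sha1")
    [ "$src_hash" = "$rcv_hash" ]
}
```

Start collector_listen before nas_stream, and keep both digests in your notes alongside the image.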

Time to put together my notes and see what's left for this series before moving on. Have questions about handling onsite imaging situations? Ask them in the comments!