Under perfect circumstances, we, as law enforcement forensic examiners, seize computers from their locations, return to our offices, remove the hard drives, image them, and perform exams using a wide range of tools. However, our world is rarely perfect, and circumstances require that we have a certain amount of flexibility. There are times when doing things this way is not possible, and you have to be prepared to change your SOP and obtain the evidence you need under less-than-optimal conditions.
In some situations, specifically when the drive is encrypted, you can’t shut down the computer without losing the evidence. Or, if the machine is a server, taking down the entire network may not be possible (or, at least, undesirable). None of us wants to be the subject of a civil case for shutting down a business.
Fortunately, there is a way to make an image of a running machine, and it requires no specialized (or expensive!) equipment. The first thing you’ll need is an external hard drive (large enough to contain the image), probably USB, that can be attached to the machine. The second item is a thumb drive. And the third is a great little utility from AccessData called FTK Imager Lite. This is a free (yay!) download, and runs right from the thumb drive. Download it, unzip it to the thumb drive, and you’re ready to go.
On-scene, attach the external drive, and insert the thumb drive. Navigate to the thumb drive, and start FTK Imager. The software is easy to use, and makes the entire process a breeze. You first direct the imager to create an image file. The software gives you the opportunity to select the source of the image, which can be a physical drive, a logical drive, an image file, contents of a folder, or a Fernico device. Primarily, you will be choosing a physical drive, but the other options may come in handy in specific circumstances. You are then given a drop-down menu which lists the drives located on the machine, including the drive number and a brief description of the manufacturer, type and size of each drive. After you select your source drive, you will be asked what type of image file you would like to create, Raw(dd), Smart, or E01. You then input specific case information, such as the case number, examiner’s name, and evidence number, and then select a destination and name for the image. Obviously, the destination should be the external drive you have already attached to the machine. Additionally, the imager will allow you to choose the level of compression you want for the image from 0 (none) to 9 (smallest, and slowest). From there, you start the imaging process, and sit back to wait.
Obviously, one of the downsides to imaging a machine this way is that you have to sit at the site and wait for the image to finish, which could end up taking several hours. But if circumstances demand that the machine not be taken out of service, this is a good way to get an image to examine. Plus, maybe you’ll earn yourself a little overtime, watching the progress bar.
Once you get back to the office, you can examine the image using your tool of choice, depending on what type of image file you created.
There is obviously no way to avoid making small changes to the system you are imaging using this method. Attaching the thumb drive that you are running the imager from, as well as the external drive you are imaging to, will make changes in the registry, and the imager will make changes to the RAM and the pagefile. But these changes can be logically explained and defended, given the circumstances that required you to make this image on-scene rather than in the lab. Just be aware that you may, at some point, be asked to articulate why it was necessary to do so.
I have used this method to make images of running machines on more than one occasion, and it made what could have been a very sticky situation easy as could be.
|
|
