I learned in forensics you can deploy an agent to a remote computer and have it retrieve an exact copy of the remote hard drive, including unallocated space and swap, even while it is being used. This copy gets sent to your pc over the internet by the agent and then you can work on it on your pc.

An example of such software is EnCase.

However, I dont understand how this is possible. If the computer is being used aren't some parts of it innacessible, such as the file with the SAM hashes in Windows? Or what if changes are made to files while the agent is copying them?

1

3 Answers

You don't.

There are actually two schools of thought in regard to forensic disk imaging.

The oldschool method was to unplug the PC immediately, and image the drive in that state, to ensure that nothing got changed. It also assured a certain degree of plausible deniability...

And that didn't really work too well the moment folks realised you could encrypt a drive with a password.

While live forensic capture doesn't ensure that nothing at all is ever altered, with proper logging, you know what the examiner has done. It's also handy since if the suspect hasn't locked his system you can probably get enough data copied out to work out what's happening.

I learned in forensics you can deploy an agent to a remote computer and have it retrieve an exact copy of the remote hard drive, including unallocated space and swap, even while it is being used. This copy gets sent to your pc over the internet by the agent and then you can work on it on your pc.

Feels like you're confusing both processes - you'd either run an agent and other tools on a livedisk, or pull the hard drive to image in the 'traditional' methods, or use live tools, or good old investigative work on a running system. You can't really get a proper forensic duplicate on a running system.

EnCase, for example, lets you work on a VHD or VMDK made with another tool - but you aren't going to run it directly on a system being investigated.

The goal isn't to create a perfect image of the drive, but a reasonable copy of the important data, that is, user data. If the drive is accessed using low-level disk commands, not file system commands it can workaround issues such as file locks and open files. But those are likely OS files not user data. The bottom line is that the data you are interested in is usually at rest on the disk even when the system is running.

1

Yes, In some cases you have to have a physical link to the device, and permission. If not you will need hash sets and a court order. Careful.. this is wiretapping

5

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy