The problem:
The security of one of our computers has been compromised by someone. I know they created themselves an account, but not much else, as I have not been snooping around because I want to protect the "evidence".
So in order for me to start doing forensics, I need to clone the drive. There are two requirements here: 1) The solution does not affect any data on the clone or the original. 2) The solution must also clone "empty" space from the original drive to the new clone (I want to be able to recover any deleted items).
I have been looking into clonezilla, but am afraid that the default settings do not meet the requirements. Can someone provide a solution with the appropriate settings to meet the requirements?
http://www.osforensics.com/tools/create-disk-images.html
OSFClone is a free, self-booting solution which enables you to create or clone exact raw disk images quickly and independent of the installed operating system. In addition to raw disk images, OSFClone also supports imaging drives to the open Advanced Forensic Format (AFF). AFF is an open and extensible format to store disk images and associated metadata. An open standard enables investigators to quickly and efficiently use their preferred tools for drive analysis. After creating or cloning a disk image, you can mount the image with PassMark OSFMount before conducting analysis with PassMark OSForensics™.
OSFClone creates a forensic image of a disk, preserving any unused sectors, slack space, file fragmentation and undeleted file records from the original hard disk. Boot into OSFClone and create disk clones of FAT, NTFS and USB-connected drives! OSFClone can be booted from CD/DVD drives, or from USB flash drives.
OSFClone can create disk images in the dc3dd format. The dc3dd format is ideal for computer forensics due to its increased level of reporting for progress and errors, and ability to hash files on-the-fly.
Verify that a disk clone is identical to the source drive, by using OSFClone to compare the MD5 or SHA1 hash between the clone and the source drive. After image creation, you can choose from a range of compression options to reduce the size of the newly created image, increasing portability and saving disk space.
Use OSFClone to save forensic meta-data (such as case number, evidence number, examiner name, description and checksum) for cloned or created images.
You cannot give the clone any network access (including access to the Internet), if it has the same IP as the original server and the original is also on the network (as read-only).
Having two servers with the same DNS or NetBIOS names on the same network should be avoided as well.
When the clone is complete, edit the settings for the VM and make sure the Connect options are disabled. Keep the machine off the network until you change at least its IP address.
You can manage/fix/correct the VM via its console. You can change its name and IP address there. Be careful, as you're likely to destroy the trust relationship between the original server and the domain while working on the clone. You may have to take steps to reestablish that (moving the server to a workgroup and then back to the domain, with reboots as required.)
I just did this with 2 systems, but on Hyper-V.
I don't know if this applies to VMware, but on Hyper-V, doing a P2V of the 2003 system brings over not only the IP, but also the MAC addresses of the NICs as well. So, even if you change name and IP, it can still bite you.
If the source server is on the domain, you can remove the clone from the domain and change its name. You can't change it when it's connected to the domain because you can't connect it without a conflict. Ensure that you have created and tested a local admin account.
In Hyper-V, you can delete the NICs and add new ones to get new MACs - or just change them directly in the settings.
After checking the MACs, changing the name, and changing the IP, you can put the server online. UNLESS the processes on the server are set up to do something. For example, our time and attendance software server was programmed to pull data from the time clocks. When the clone woke up, it grabbed the punches because no one had told it that it wasn't the real server.
If you need Internet access, your best bet is to create a separate network and go out through a different path than your internal network. If you have a public wi-fi, send it out that connection, for example.
http://www.osforensics.com/download.html
That is one.
Another is to use something that can do a RAW clone, which copies things sector by sector.
But by doing anything to the machine, you have already changed it from the state it was in after the hack attack.
@Greg
I could possibly use those, with approval from the uppers. However, I would like to lean towards a freeware/open source solution. I heard DriveImage XML 2.42 is very close to Symantec and Acronis and comes with Hiren's boot CD. Have you heard of this tool before?
I've heard that DriveImage XML is good, but I have never used it personally.
What about ReDo? Another option that I can think of is Parted Magic, which is found in both Hiren's Boot CD and Ultimate Boot CD.
Is ReDo on the Hiren's CD? I have used Parted Magic to get to Clonezilla before. I understand it has multiple utilities; to which are you referring?
Redo is its own software and not on Hiren's. I "think" you can copy the partitions with Parted Magic.
I am cloning to an external hard drive. Do you know if the defaults on Clonezilla use dd first? (I think it has a couple of different protocols it tries.) Does it provide write protection (won't change the original disk), and can it find "empty" space?

You cannot clone to a DVD and retain empty space. You need a disk of the exact size or larger.
You want a byte-by-byte clone, so Clonezilla or P.I.N.G. are good options. They use the Linux dd command, which does exactly that.
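As an added illustration of what the dd-based, byte-by-byte clone mentioned above actually does (example script, not code from any post in this thread): image every sector of a source, then prove the image matches by hash and still contains data sitting in unallocated space. It assumes POSIX sh with dd and sha1sum (or shasum); the source here is a constructed file standing in for a block device such as /dev/sdb.

```shell
#!/bin/sh
# Added example: sector-level raw image with dd, verified by hash.
# SRC is normally a block device (e.g. /dev/sdb); a regular file stands in here.
# Before imaging a real disk: never mount it, and on Linux run
#   blockdev --setro /dev/sdX
# (or use a hardware write blocker) so nothing can write to the source.

hash_file() {
    # sha1sum on GNU systems, shasum on macOS/BSD; print only the digest.
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# Copy every sector of SRC to DST, unallocated space included.
# bs=512 matches the sector size, so conv=sync (zero-fill an unreadable
# block and keep going instead of aborting) never pads past the true end
# of the device; such padding would make the image hash differ.
# Returns 0 only when source and image hash identically.
raw_image() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src"); dst_hash=$(hash_file "$dst")
    printf '%s  %s\n%s  %s\n' "$src_hash" "$src" "$dst_hash" "$dst"
    [ "$src_hash" = "$dst_hash" ]
}

# Constructed sample "disk": 64 random sectors with a marker string written
# at sector 40, standing in for a deleted file's remains in unallocated space.
make_sample_source() {
    dd if=/dev/urandom of="$1" bs=512 count=64 2>/dev/null
    printf 'DELETED-FILE-MARKER' |
        dd of="$1" bs=512 seek=40 conv=notrunc 2>/dev/null
}

# Usage: sh raw_image.sh /dev/sdb /mnt/evidence/case01.dd
if [ "$#" -eq 2 ]; then
    raw_image "$1" "$2" || { echo "hash mismatch or read error" >&2; exit 1; }
fi
```

Record the printed hashes with the case notes; re-hashing the image later shows whether it has been altered since acquisition.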
If you're worried about cloning the free space and whatnot, why not just clone to a new HDD and then swap the two drives around so that you could do a forensic examination of the original source drive while still allowing the computer to be used with the clone drive?
That's basically what I am getting at. I just need to ensure that I am cloning right before I attempt it, or I could ruin the data.
Clonezilla is a partition and disk imaging/cloning program similar to True Image® or Norton Ghost®. It helps you to do system deployment, bare metal backup and recovery. Two types of Clonezilla are available, Clonezilla live and Clonezilla SE (server edition). Clonezilla live is suitable for single machine backup and restore, while Clonezilla SE is for massive deployment; it can clone many (40 plus!) computers simultaneously. Clonezilla saves and restores only used blocks in the hard disk.
- Filesystems supported: (1) ext2, ext3, ext4, reiserfs, reiser4, xfs, jfs, btrfs of GNU/Linux, (2) FAT12, FAT16, FAT32, NTFS of MS Windows, (3) HFS+ of Mac OS, (4) UFS of FreeBSD, NetBSD, and OpenBSD, (5) minix of Minix, and (6) VMFS3 and VMFS5 of VMWare ESX. Therefore you can clone GNU/Linux, MS Windows, Intel-based Mac OS, FreeBSD, NetBSD, OpenBSD, Minix and VMWare ESX, whether it is a 32-bit (x86) or 64-bit (x86-64) OS. For these file systems, only used blocks in the partition are saved and restored. For unsupported file systems, a sector-to-sector copy is done by dd in Clonezilla.
http://hddguru.com/software/HDD-Raw-Copy-Tool/
Developer: HDDGURU.COM
License terms: Freeware
The tool creates a sector-by-sector copy of all areas of the hard drive (MBR, boot records, all partitions as well as space in between). HDD Raw Copy does not care about the operating system on the drive – it could be Windows, Linux, Mac, or any other OS with any number of partitions (including hidden ones). Bad sectors are skipped by the tool.
In addition, HDD Raw Copy can create an exact raw (dd) or compressed image of the entire media (including service data such as MBR, Boot records, etc). Again, all filesystems (even hidden) are supported.
Examples of possible uses:
- Data recovery: make a copy of the damaged drive to attempt recovery on the copy
- Data recovery: copy a damaged hard drive and skip bad sectors
- Migration: completely migrate from one hard drive to another
- Ultimate backup: Make an exact copy of the hard drive for future use
- Backup: create an image of a USB flash stick and copy/restore at any moment
- Software QA engineers: restore your OS hard drives at any moment from a compressed image
- Duplicate/Clone/Save full image of any type of media!
You're providing some great information here. Do you know if this tool has "write protection"? (i.e. does not change original at all)