by Chetan Gupta, NII Consulting
How many times in an investigation does a forensic investigator come across the problem of acquiring data from a suspect’s laptop? The answer to this question would be ‘many times’. Whenever such a situation arises, the investigator is usually in a dilemma as to whether he should open the laptop, take out the hard disk, connect it to an IDE-to-USB converter and then perform the duplication, or whether he should try to do it without opening the laptop. The preferable choice is usually the latter, in which the investigator acquires the suspect disk over the network. Choosing the first option could lead to the laptop or hard disk being damaged, or to the warranty of the laptop being rendered void.
Now, the question is how would an investigator perform the imaging through the network?
Well, let’s see what he requires:
- A bootable Linux distribution such as Helix, Knoppix-STD, PenguinSleuth, etc.
- A cross cable to connect the forensic workstation with the laptop
The beauty of this method is that the investigator can achieve fast duplication of the suspect media without spending a penny!
So, the scenario would be something like this:
The suspect laptop is booted with a live Linux distribution. The forensic workstation is running a Linux operating system. Both machines are connected with an Ethernet cross cable. For the purpose of clarity, the investigator creates a directory called ‘evidence’ under /mnt/ to store the image file. He would ensure that there is enough space on the disk to store the image file. To analyze the rate of data transfer between the suspect’s laptop and the forensic workstation, the investigator would have installed a utility called Pipebench.
Pipebench is an amazing utility that shows the current throughput and the amount of data going through a pipe. Usually, when we run a command made up of two communicating processes that exchange data and may take forever to complete, we need a mechanism to know how much data is passing from one end to the other. Pipebench measures the speed of a pipe by sitting in the middle and passing the data along to the next process. It works on most flavours of Unix.
The investigator would then create a ‘netcat’ listener on a randomly chosen port (usually above 1024) and issue the following command at his workstation:
nc -l -p #any random port#|gunzip|pipebench > /mnt/evidence/image.dd
The suspect laptop is running a Linux distribution from the live CD. The investigator would open a terminal and issue the following command.
dd if=/dev/hda|gzip --fast|nc #ip address of the forensic workstation# #port number on which netcat is listening#
And we are done! The investigator can monitor the data transfer rate on the forensic workstation. After the image transfer, the investigator can verify the image using md5sum or sha1sum in the following manner:
On the Forensic Workstation
md5sum -b /mnt/evidence/image.dd | cut -d' ' -f1 > /mnt/evidence/image.dd.md5
nc -l -p #any random port# | cut -d' ' -f1 > /mnt/evidence/suspect.hda.md5
On the Suspect Laptop
md5sum -b /dev/hda | nc #ip address of the forensic workstation# #port number on which netcat is listening#
Now, on the Forensic Workstation, the investigator would compare the two files using the standard diff utility. The cut -d' ' -f1 step keeps only the digest, because md5sum also prints the file name (/mnt/evidence/image.dd on one side, /dev/hda on the other) and the two lines would otherwise never match:
cd /mnt/evidence && diff image.dd.md5 suspect.hda.md5 && echo "No differences were found."
If diff prints nothing and exits with status 0, so that the message "No differences were found." appears, the image is a bit-by-bit replica of the suspect disk.
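The receiver, sender and verification steps of the procedure above, written up as reusable shell functions. This is an added example, not code from the original article; it assumes GNU md5sum and the traditional netcat syntax (nc -l -p PORT) used in the article, treats pipebench as optional, and the function names (receive_image, send_disk, hash_of, verify_image, acquire_local) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article). Receiver, sender and hash
# verification from the network-imaging procedure as shell functions. Assumes
# GNU md5sum and traditional netcat ("nc -l -p PORT"); pipebench is used only
# if installed. acquire_local is a test stand-in that skips the network.

# Show throughput with pipebench when available, otherwise pass data through.
throughput_meter() {
    if command -v pipebench >/dev/null 2>&1; then pipebench; else cat; fi
}

# Forensic workstation: listen on port $1, decompress, write the image to $2.
# Start this before send_disk, or the suspect side has nothing to connect to.
receive_image() {
    nc -l -p "$1" | gunzip | throughput_meter > "$2"
}

# Suspect laptop (live CD): stream device $1 to workstation $2, port $3.
send_disk() {
    dd if="$1" | gzip --fast | nc "$2" "$3"
}

# Hash a file or device and keep only the digest: md5sum also prints the file
# name, and "/dev/hda" versus "/mnt/evidence/image.dd" would never compare equal.
hash_of() {
    md5sum "$1" | cut -d' ' -f1
}

# Forensic workstation: receive the suspect disk's digest on port $1 into $2.
receive_hash() {
    nc -l -p "$1" | cut -d' ' -f1 > "$2"
}

# Return 0 when the image $1 hashes to the digest stored in file $2.
verify_image() {
    image_hash=$(hash_of "$1")
    suspect_hash=$(cat "$2")
    [ -n "$image_hash" ] && [ "$image_hash" = "$suspect_hash" ]
}

# Same dd|gzip|gunzip stages without the network, for exercising the logic
# against a constructed file standing in for /dev/hda.
acquire_local() {
    dd if="$1" 2>/dev/null | gzip --fast | gunzip | throughput_meter > "$2"
}
```

On the workstation run receive_image and later receive_hash; on the laptop run send_disk and then pipe the device's digest to the second listener, as in the article's commands.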
In our personal experience, we have seen upwards of 30Mb/s data transfer rates through a 100 Mbps LAN connection.