Forensic disk acquisition over the network
In some occasions you need to acquire an image of a computer using a boot disk and network connectivity.
Usually, this approach is made with a Linux boot disk on the machine under analysis, and another computer used as imaging collection platform, connected via a network hub or through a crossover cable.
The reasons this approach could be related to level of physical access to the hardware or interface issues to local resources: for example, you might come across a machine that has a drive interface that is incompatible with your equipment and without USB port.
Where possible, I suggest to use a crossover cable, in order to ensure security and integrity of th data.
The setup
In order to accomplish imaging across the network, we will need to setup a collection box to “listen” for data from target box. We do this using netcat.
Once you have the target computer booted with a Linux Boot CD (here my distro shortlist) you’ll need to ensure the two computers are configured on the same network, and can communicate.
So, once the two boxes are connected with a cross cable, you need to configure the network, using the ifconfig command (or the most recent ip).
On the acquisition box:
ifconfig eth0 192.168.0.1 netmask 255.255.255.0
or using ip command:
ip address add 192.168.0.1/24 dev eth0
And on the target machine:
ifconfig eth0 192.168.0.2 netmask 255.255.255.0
or using ip:
ip address add 192.168.0.2/24 dev eth0
The acquisition
Now that we have both computers talking, we can start the imaging process. First check the hash of the subject disk:
sha1sum /dev/sda
Then, the next step is to open a “listening” port on the acquisition computer.
We will do this with netcat (in this case we are using an external USB drive mounted on /mnt/evidences):
nc -l -p 8888 | dd of=/mnt/evidences/forensic_image.raw
The command opens a listening session (-l) on TCP port 8888 (-p 8888) and pipes any traffic that comes across that port to the dd command which writes the datastream on /mnt/evidences/forensic_image.dd.
Then, on the target computer we issue the dd command: instead of giving the command an output file parameter using of=, we pipe the dd command output to netcat and send it to our listening port (8888) on the acquisition computer at IP address 192.166.0.1:
dd if=/dev/sda | nc 192.168.0.1 8888
Finally, after we receive our completion messages from dd on both boxes (records in / records out), we can kill the nc listening on the acquisition box with a simple ctrl+c.
This should return to prompt on both sides of the connections.
You should check both the hash of the physical disk that was imaged on the target computer and the resulting image on the acquisition box to se if they match:
sha1sum /mnt/evidence/forensic_image.raw
If the hashes match, the acquisition was successful.