Forensic disk acquisition over the network

On some occasions you need to acquire an image of a computer using a boot disk and a network connection.

Usually, this is done with a Linux boot disk on the machine under analysis and a second computer that acts as the imaging collection platform, connected through a network hub or a crossover cable.

The reasons for this approach can be the level of physical access to the hardware or interface issues with local resources: for example, you might come across a machine whose drive interface is incompatible with your equipment and that has no USB port.

Where possible, I suggest using a crossover cable, to ensure the security and integrity of the data.

The setup

To image across the network, we need to set up a collection box to “listen” for data from the target box. We do this using netcat.

Once you have booted the target computer with a Linux boot CD (here my distro shortlist) you need to ensure the two computers are configured on the same network and can communicate.

So, once the two boxes are connected with a crossover cable, configure the network with the ifconfig command (or the more recent ip command).

On the acquisition box:

ifconfig eth0 netmask

or using ip command:

ip address add dev eth0

And on the target machine:

ifconfig eth0 netmask

or using ip:

ip address add dev eth0

The acquisition

Now that we have both computers talking, we can start the imaging process. First, compute the hash of the subject disk:

sha1sum /dev/sda

Then open a “listening” port on the acquisition computer.
We do this with netcat (in this case an external USB drive is mounted on /mnt/evidences):

nc -l -p 8888 | dd of=/mnt/evidences/forensic_image.raw

The command opens a listening session (-l) on TCP port 8888 (-p 8888) and pipes whatever arrives on that port to the dd command, which writes the data stream to /mnt/evidences/forensic_image.raw.

Then, on the target computer, we issue the dd command: instead of giving it an output file with of=, we pipe its output to netcat, which sends it to our listening port (8888) on the acquisition computer at IP address

dd if=/dev/sda | nc 8888

Finally, once we get the completion messages from dd on both boxes (records in / records out), we can stop the nc listener on the acquisition box with a simple ctrl+c.

This should return the prompt on both sides of the connection.

You should compare the hash of the physical disk that was imaged on the target computer with the hash of the resulting image on the acquisition box to see if they match:

sha1sum /mnt/evidences/forensic_image.raw

If the hashes match, the acquisition was successful.
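The procedure above reads the subject disk twice (once for sha1sum, once for dd) and only compares digests at the very end. The following script is an added example, not from the original post: it keeps the same netcat/dd pipeline but records the SHA-1 of the stream on both ends while it is in flight, then checks source digest, wire digest and the written image against each other. Port 8888 and /mnt/evidences are taken from the post; the bs=4M block size, the FIFO-based hash_tee helper and the acquisition-box IP argument are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not the original post's code): netcat/dd acquisition with
# the SHA-1 of the stream recorded on both ends while it is in flight, so
# the subject disk is read once and the wire copy can be checked against it.
set -eu

PORT=8888   # listening port used in the post

# Pass stdin through to stdout unchanged while writing its SHA-1 hex digest
# to the file named in $1. A FIFO feeds a background sha1sum so the function
# can wait for the digest before returning (no race on the hash file).
hash_tee() {
    local hashfile="$1" fifo hasher
    fifo=$(mktemp -u) && mkfifo "$fifo"
    sha1sum < "$fifo" | awk '{print $1}' > "$hashfile" &
    hasher=$!
    tee "$fifo"
    wait "$hasher"
    rm -f "$fifo"
}

# Target side: stream the device to the acquisition box, hashing as it goes.
# dd's "records in / records out" summary still appears on stderr.
# usage: send_image /dev/sda <acquisition-box-ip> /tmp/source.sha1
send_image() {
    dd if="$1" bs=4M | hash_tee "$3" | nc "$2" "$PORT"
}

# Acquisition side: land the stream on the evidence drive, hashing as it goes.
# usage: receive_image /mnt/evidences/forensic_image.raw /mnt/evidences/wire.sha1
receive_image() {
    nc -l -p "$PORT" | hash_tee "$2" | dd of="$1" bs=4M
}

# Returns success only if the source digest, the wire digest and a fresh
# digest of the written image all agree (the last catches a short or
# corrupt write to the evidence drive).
# usage: verify_image <image> <source.sha1> <wire.sha1>
verify_image() {
    local src wire disk
    src=$(cat "$2"); wire=$(cat "$3")
    disk=$(sha1sum "$1" | awk '{print $1}')
    [ "$src" = "$wire" ] && [ "$wire" = "$disk" ]
}
```

The source-side digest file stays on the target box, so copy it (or read it aloud and note it) before verify_image is run on the acquisition side.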
