Bit-level Imaging With Altiris


#1
I have a client who says he created a bit-level image of a laptop using Altiris. Apparently the laptop was booted into a WinPE environment and the bit-level replica was created over his network. I don't have much experience with Altiris or WinPE but do not like the idea that the machine was booted at all. If any of you are familiar with this acquisition method and can provide input as to what negatives might occur, I would appreciate your input.

Thank you.

John Grancarich

#2 4n6art
Taking a shot here....

Altiris is now owned by Symantec.
It seems like Altiris is an Asset Management Program which is probably used by IT to send patches and monitor user work. I presume IT can also power on the system using the Wake-On-LAN feature.

Symantec also owns Ghost. Some people use Ghost to create forensic images (yes, it can create a bit image *IF* the proper switches are used), but it is asking for trouble.

Not sure what WinPE does or whether it will write protect. Just seeing the word "WIN" on it screams - "access my drive and write a signature to it" LOL

Is it possible that they used the two pieces of Symantec software to create the image?

This was done PRIOR to your involvement. Moving fwd I would:
1. Get written documentation (report/supplement) from whomever created the image detailing what they did. You cannot testify or state anything prior to your involvement - you would be asking for problems. THEY will have to write down what they did and how they did it.

2. If the laptop is still available, YOU should reimage it. If the client refuses, tell them you will start the report by saying you got "AN" image from the client who claimed it was the image of the laptop. You cannot state the image actually belonged to the laptop if you did not do it.

3. If image is not available, start your report from receiving an image (best evidence perhaps?) and work your way in from there.

4. Smack the IT guy that did the image without your involvement - ok... just kidding about that one ;)

Not much you can do after the fact IF the laptop is not available - even if it is, you can't do much except report that you were given an image and then you re-imaged the laptop.

GOOD LUCK!

-=ART=-

#5 Complete
As far as I know, WinPE is NOT forensically sound and will make writes to the drive. WinPE is the basis for BartPE and UBCD4Win and all those other Windows based live-cds. They're recovery disks that allow you to make all sorts of changes to a Windows based file system.

#6
Thanks for the input. This is what I suspected, but there is not a significant amount of technical documentation available on WinPE and none that I could find on what specific drive modifications are created when booting to WinPE.

Regards,

John Grancarich

#7 BA2LLB
This is what I suspected, but there is not a significant amount of technical documentation available on WinPE and none that I could find on what specific drive modifications are created when booting to WinPE.
As an exercise and to learn exactly what specific drive modifications are made by WinPE, maybe you should consider running your own experiment on another disk by:

1. Image the disk before doing anything else (use Helix).
2. Boot the computer containing the disk as its first bootable device (use WinPE).
3. (a) Image the disk before shutting down the computer (use Helix).
   (b) Image the disk after shutting down the computer (use Helix).
4. Compare the SHA checksums of the three images; are the checksums created as part of 3(a) and 3(b) identical?
5. Document any differences between the images from (1) and (3a) and/or (3b).
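As an added example (not from BA2LLB's post, nor from Helix or any other tool named in the thread), this is how steps 4 and 5 of that experiment can be carried out once the images exist: hash each raw image and list the sector ranges where a post-boot image differs from the baseline. It assumes dd-style raw images of equal size and a 512-byte logical sector; the sample "disk" and the changes a boot might make to it are constructed in memory.

```python
"""Compare raw forensic images of one disk: whole-image SHA-256 plus the sectors that changed."""
import hashlib
from typing import Dict, List, Tuple

SECTOR = 512  # assumed logical sector size; set to the drive's actual value


def sha256_of(data: bytes) -> str:
    """Hash a whole image; equal hashes mean two acquisitions are byte-identical (step 4)."""
    return hashlib.sha256(data).hexdigest()


def differing_sectors(before: bytes, after: bytes, sector: int = SECTOR) -> List[Tuple[int, int]]:
    """Return inclusive sector ranges (start, end) where the two images differ (step 5).
    A size mismatch is itself a finding (e.g. a hidden area present in only one image)."""
    if len(before) != len(after):
        raise ValueError(f"image sizes differ: {len(before)} vs {len(after)} bytes")
    ranges: List[Tuple[int, int]] = []
    start = None
    for off in range(0, len(before), sector):
        same = before[off:off + sector] == after[off:off + sector]
        n = off // sector
        if not same and start is None:
            start = n                      # open a run of changed sectors
        elif same and start is not None:
            ranges.append((start, n - 1))  # close the run
            start = None
    if start is not None:                  # run extends to the last sector
        ranges.append((start, (len(before) - 1) // sector))
    return ranges


def report(before: bytes, after: bytes, sector: int = SECTOR) -> Dict[str, object]:
    """Summarise what the experiment asks to document: hashes, verdict, changed sectors."""
    h_before, h_after = sha256_of(before), sha256_of(after)
    changed = differing_sectors(before, after, sector)
    return {"sha256_before": h_before, "sha256_after": h_after,
            "identical": h_before == h_after, "changed_sectors": changed,
            "changed_bytes_upper_bound": sum(e - s + 1 for s, e in changed) * sector}


def constructed_sample() -> Tuple[bytes, bytes]:
    """Constructed 64-sector 'disk' (not real data): baseline and a copy with boot-time writes."""
    baseline = bytes(range(256)) * (64 * SECTOR // 256)
    booted = bytearray(baseline)
    booted[3 * SECTOR:4 * SECTOR] = b"\x00" * SECTOR  # whole sector 3 rewritten
    booted[10 * SECTOR + 5] ^= 0xFF                    # one byte in sector 10
    booted[11 * SECTOR + 7] ^= 0xFF                    # one byte in adjacent sector 11
    return baseline, bytes(booted)


if __name__ == "__main__":
    r = report(*constructed_sample())
    print("identical:", r["identical"], "changed sectors:", r["changed_sectors"])  # [(3, 3), (10, 11)]
```

For real images, read the two files (or mmap them) into the arguments instead of using constructed_sample(); a length mismatch is reported rather than silently truncated.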
 

#8 Sha_d0h
DO NOT USE WINPE.
Period, end of discussion. WinPE does not exist in your mind...

Helix and various other dd live CDs are built to specifically NOT write to the disk during imaging. They provide an MD5 hash of the drive at the conclusion of imaging.

Second, you can even use Ghost with the forensic switch; see my post on this topic.

You MUST also image the drive with hardware write blocking as well: Tableau, FireFly, WiebeTech, etc.

You cannot vouch for that image; it could be from any computer in the world.

If the client refuses to reimage with the proper tools, refuse the work. Your integrity is worth more than some CEO's incompetence.

#9 farmerdude
various other dd live CDs are built to specifically NOT write to the disk during imaging
Some folks may understand what you're saying here. But for clarity, and for those not familiar with Linux and bootable Linux CDs, this is technically incorrect. I mean, just by virtue of what is said ... "built to specifically not write to the disk during imaging".

First - if they were built to not write to the disk then where are they writing to?

;)

It is important to fully write what is meant, I think. Because someone new or not familiar may read this and totally not understand what is meant. I think you meant that they will not write to the target system by default, but they absolutely will if you direct them to.

You MUST also image the drive with hardware write blocking as well
I disagree. Can you explain why you stated this? Why must one use a hardware write blocker to acquire storage media?

Cheers!

farmerdude


www.forensicbootcd.com

www.onlineforensictraining.com

#10 Sha_d0h
Hardware write blocking is the ONLY way to assure your work and will hold up in court. If one does not follow forensic procedure you cannot guarantee your work. I have worked for the 3 largest forensic firms in the world and:
1. If you do not use hardware write blocking of some kind you will be torn apart in court in cross examination. Even "best practice" no longer holds. Apart from the obvious where there is a physical write block, i.e. floppies and some removable media, these items will not need it. However, even the mfg2usb writeblock and writeblock xp do not write block everything, only USB, and some write block FireWire. Spend the $100 or so and get a FireFly or Tableau and be 100% sure of your work.
2. Apart from the Helix and Slackware CDs, which have been designed specifically not to write to the physical media but to remain in RAM, these methods are tried and trusted.
3. Even the forensic manuals and Guidance Software recommend using some sort of physical write protection even though EnCase has write protection built in.
4. I have successfully used Ghost as an imaging tool when all else has failed, with a forensic switch and the fingerprint turned off, but the process would not hold up in court unless you had absolute proof that the application did not write to the disk... and I do not.

I only stated this because of the sheer lack of knowledge on WinPE as a tool. It's a great tool but NOT for forensics. I have been doing this far too long to use ANY tool that I cannot back up on the stand and testify to its ability to be a sound forensic tool. EnCase and Helix have already had precedents in supreme court and cannot be challenged unless the procedure was not done properly, i.e. WRITE BLOCKING. Why not write blocking?

#11 farmerdude
Hardware write blocking is the ONLY way to assure your work and will hold up in court
I disagree.

You're saying that putting a black box between you and your target is the only solution?

Have you completely tested the write blockers? Of course this is a trick question, because it's almost impossible.

As for creating doubt ... "So you're saying to the court that you used this hardware write blocker to make certain that you didn't change any data on the target drive, is this correct sir?"

"Yes, correct."

"Can you please tell the court how this device works?"

"It blocks writes so that nothing you do can alter the original drive."

"But how, sir. How does this device block writes?"

"Um, I don't know the full details, but there are write requests and these are blocked."

"Okay, so you're not 100% certain on how the device functions, is this correct?"

"Yes, not 100%."

"Was there anything unusual about this drive, sir?"

"What do you mean?"

"Oh, was the drive smaller than what the label read?"

"Oh yes! That was the HPA - host protected area."

"Can you tell us what the hpa - host protected area I think you said, is?"

"Sure. It's an area of the disk hidden from the operating system and user."

"You said hidden - if it's hidden how can it be seen?"

"Well, hardware tools, low level tools, can see it."

"Was there a HPA on this drive?"

"Yes"

"How did you ascertain this?"

"The tool I used to image the drive reported one."

"The tool - okay, so this tool saw a HPA, is this correct?"

"Yes, sir."

"Now, was the HPA acquired in your image?"

"Yes it was. The tool acquired everything."

"So you're telling us that the entire drive was imaged, is this correct?"

"Yes, sir."

"Now, earlier you stated that the HPA was hidden from the user."

"Yes, normal users can't see it. Forensic tools can. Some of them."

"So this tool was able to read all of the drive - how can that be - if part of it was hidden?"

"The tool resets the drive to be the full size, maximum allowed sectors."

"Maximum allowed sectors - I'll come back to that in a moment. For now, please tell the court how the drive was reset?"

"The tool passes a command to the drive to reset to maximum allowed sectors, the drive resets, and then the drive is acquired."

"Okay, you'll have to help me. I'm not a techie. Earlier you said you used a hardware write blocker that blocked all writes to the drive attached to it. But now you're saying somehow your forensic tool passed something, a command perhaps, through this write blocker, to reset the drive. Is this correct?"

"Um, yes. But it's only a reset command."

"A simple yes or no is all I've asked for, sir."

"Yes."

"Okay, so a write blocker allows at least one command to pass through it. Sir, are you aware of any other commands that are allowed to pass through the write blocker you used?"

"No. Not really. There may be more, but I don't know the specifics."

"That's good. No need to elaborate beyond yes or no. Thank you. So, would you say it is possible, given that this reset command you've referenced was allowed to pass through to the drive you acquired, that one or more other commands might also pass through?"

"It's possible."


I could go on, but I think the idea is put across.

You're putting an unknown device between you and your target. You're on a slippery slope.


To say on a forum for all to read that A) you must use a hardware write blocker and B) you'll be torn apart is a big disservice to folks who don't know better.

You don't have to use a hardware write blocker.

And, you won't be torn apart provided you have documented your steps and can articulate what you did, why, and the outcome.

There are _many_ devices and scenarios where a write blocking mechanism cannot be used. Given this, your statement would contradict each and every one of these.


THE FARMER'S BOOT CD (FBCD), Helix, PSK, etc., haven't been designed to specifically not write to physical media. I can only speak to FBCD, and say that it has been designed and configured in such a manner as to minimize any chance of auto-mounting of file systems and updating of superblocks (RAID arrays). The Linux forensic boot CDs attempt to not auto-mount recognized and supported file system types during startup and desktop initialization. But not all behave the same, and this is important.


Cheers!


farmerdude


www.forensicbootcd.com

www.onlineforensictraining.com

#12 Sha_d0h
Well, if you're using tools like Tableau you have documentation on how it blocks writes and how it functions. If you're using a generally accepted tool with court precedent you won't have to defend the tool, just the procedure, which you clearly missed before.

http://www.mykeytech.com/SoftwareWriteBlocking2-4.pdf
as posted by Complete, and it is more contradictory to your statement about software write blocking being equal. There is NO circumstance where I have not been able to use a hardware write blocker. Period. In 5 years of my experience and many others'.

Wiebetech, FireFly, and even Tableau are accepted, tested and proven tools not needing defense. And yes, I have tested EVERY PIECE OF HARDWARE WRITE BLOCKING DEVICE IN MY LAB. ALL HARDWARE IS TESTED BEFORE IT IS SHIPPED BY THE MANUFACTURER. ALL SOFTWARE NEEDS TO BE DEFENDED AND ACCEPTED BY THE COMMUNITY.

You should do some homework on the available hardware write blockers before you spout off about not trusting them... it seems you are the one who doesn't know how they work.

I would rather defend my procedure than someone else's software any day.

AND most importantly, when was the last time you were in a supreme court hearing?
Mine was in Jan this year. Using the proper tools and accepted procedure you will not have to defend the tools, just your procedure. Maybe you should buy the hardware and use it a few times before you say that there are instances where it is not possible to hardware write block... since hardware write blocking came first... remember the floppy?

#13 farmerdude
Sha_d0h,

Clearly you've missed the point of my _lengthy_ post. That's a shame, because there was value there. :)

Did _I_ say software write-blocking being equal? Where did I say that?

I think I have done my homework. But thank you for your recommendation. Much appreciated :)

When was the last time I was in a Supreme Court hearing? You mean, sitting in one? Watching one on TV? Or testifying in one? There is a difference. :)

The above said, I have never testified in a Supreme Court hearing.

Does that mean anything? Is someone's key strokes larger than another's because they've testified in a Supreme Court hearing?

Hmm ... me thinks not. Many, many talented people never testify. I wouldn't allow my chest to expand and sit upright based upon that. If that's all one has to go on.

Your excitement and recent posts are welcome - this forum comes and goes in interest. I just think you're off base in making bold statements about what is and is not required, what is and is not acceptable, without qualifying them. Remember, there are many new folks who only lurk. And many of these will believe what they read. People have a responsibility when they post. Thousands upon thousands of cases have passed where no write blocker was ever used, and this will continue today and in the future.

Cheers!

farmerdude


www.forensicbootcd.com

www.onlineforensictraining.com

#14 bshavers
There are situations where hardware write blocking devices cannot be used. Live acquisitions would be one example. You cannot hardware write block a live acquisition. You can software write block a live acquisition (with F-Response or a forensic enterprise application), but there will still be changes made to the drive.

To say that you must use a hardware write blocker will put you in a bind when you cannot. If you shut down a computer to attach a hardware write blocker for 'best evidence', and the disk is encrypted without the key being available, you more than likely will never obtain an image (or at least, an image with something on it). If the evidence resides in RAM, and you pull the plug to hardware write block the drive, you will have just eliminated the evidence you needed.

Regarding the WinPE, I agree it is not the best idea to use that tool for forensics. A better tool (similar to WinPE/BartPE) is the Windows FE.