Call for Volunteers – Forensic 4cast Awards

December 28, 2011 by  
Filed under News

Dear all,

It is quickly approaching the awards season. Yes, the Oscars, the Grammys, the Golden Globes, and others will be held in the coming months but, most importantly, we will soon be accepting nominations for the Forensic 4cast Awards.

Once again SANS has been kind enough to host the event at the Forensic Summit (held at the Omni Hotel in Austin, June 26-27, 2012) and my new employer, Digital Discovery, is going to furnish the awards themselves.

For the last two years I have pretty much handled the event myself. This has made the awards ceremony… interesting at times. For this reason I’m asking for some volunteers to assist this year. If you’re going to be attending (and you should be) and you think you could help in any way, please let me know via the “Contact Us” page.

I look forward to hearing from you.

Lee

How F-Response Saved Christmas

December 23, 2011 by  
Filed under Uncategorized

Those who know me will attest to the fact that I love F-Response but today it really came to the rescue.

I’m doing an imaging job in the Dallas area. The client wants me to image four servers, three of which are business critical and can’t be out of use between 6am and 7pm.

So, these servers are so old that they make Ken Pryor look like a teenager…

At first I tried using FTK Imager (portable version) but that ended up crashing one of the servers (yikes). Thankfully the crash was overnight and it was back up in time for the start of the working day.

Next I tried DCFLDD. This worked for two of the servers (bearing in mind that I had to do this over USB 1.1). This was painstakingly slow but it worked. However, the other two servers were simply unable to cope with being imaged. They would continually lock up or lose connectivity to the USB drives.

I tried netcat. No dice.

I exhausted all of my practical possibilities.

Finally we all decided to take the servers offline tonight and tomorrow night. We were going to image a 2TB server with SATA drives (yes, they had both IDE and SATA in their servers, as well as SCSI). If a boot disc wasn’t going to work, I was going to have to image SATA drives (simple enough) and SCSI drives (shoot me in the head) with a Tableau write-blocker. My SATA write-blocker has eSATA so that would go pretty quick, but my SCSI write-blocker is USB. So, a bunch of SCSI drives to image, one at a time, mind you. Then would come the painstaking effort of reassembling the RAID in some software tool.

I could see what was going to happen. I was going to spend every evening from now until next week sitting in a cold server room imaging SCSI drives. I was going to cry.

Thankfully the lab is armed with a copy of F-Response – Consultant Edition.

After a little tinkering I was able to plug a laptop into the network and mount the drives from the problematic servers. Within a couple of hours the worst of the two servers was completely imaged and the largest of the servers was in progress.

Tonight I am sat at home in the company of my gorgeous wife wrapping presents for the kids instead of sitting in front of a laptop watching a status bar crawl, very slowly, across the screen.

Thanks F-Response.