Using CAINE and AIR to image a suspect workstation
NOTE: These instructions cover using a CAINE Live CD to image a computer with a single SATA hard disk (the suspect workstation) over the network to a computer with CAINE installed on its hard drive (the forensic workstation). The forensic workstation needs enough free space to hold an image file the size of the suspect hard drive. I always highly recommend using a physical hard drive write blocker to image suspect computers. However, if you don't own a forensic write blocker you can use these instructions.
SECTION I
1. Boot the forensic workstation and log in.
2. Open a command prompt window
3. Type "ifconfig" and document your IP address
4. Type "sudo su" and then the password
5. Type "cd /"
6. Type "mkdir evidence"
7. Type "cd evidence"
8. Type "cryptcat -k <a password> -l -p 8888 > sda-img.dd" (this starts a listener that waits for the suspect workstation to connect; leave it running)
SECTION II
1. Boot off the CD on the suspect workstation
2. Select "Start"... Caine... Caine Interface
3. Click the "Create Report" button
4. Click the "Collection" tab
5. Click the "AIR" button
6. Click the "OK" button if prompted
7. Click the "SDA" (hard drive icon) button
8. Click the "Set as Source" button
9. Click the "Cryptcat" button
10. Type the password you typed in SECTION I Number 8
11. Click the "Net" button
12. Click the "Destination" button
13. Type the ip address found using the ifconfig command in SECTION I Number 3
14. Type the port 8888
15. Click the "OK" button
16. Click the "Start" button
17. Click the "Yes" button
18. Click the "MD5" button
19. Click the "Show Status Window" button
20. When it completes, document the MD5 hash value
SECTION III
1. Once the transfer completes, run the following command in the command prompt on the forensic workstation: "md5sum -b sda-img.dd"
2. Verify the hash matches SECTION II Number 20
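The forensic-workstation side of the procedure above (SECTION I and SECTION III) as one shell script. This is an added example, not code from the original post or from CAINE/AIR. It assumes cryptcat is in PATH, the listener port 8888 from the post, and an evidence directory of /evidence (override with EVIDENCE_DIR); the script name acquire.sh is hypothetical. SECTION II still has to be done in the AIR GUI on the suspect workstation.

```shell
#!/bin/sh
# Added example (not from the original post): forensic-workstation side of the
# CAINE/AIR + cryptcat acquisition. Assumptions: cryptcat is in PATH, the
# listener port is 8888, and the image lands in "$EVIDENCE_DIR/sda-img.dd".
EVIDENCE_DIR="${EVIDENCE_DIR:-/evidence}"   # assumed default, matching the post's "mkdir evidence"
LISTEN_PORT="${LISTEN_PORT:-8888}"

# SECTION I, steps 3-8: record the listener's address, then wait for AIR to connect.
# cryptcat runs until the sender closes the connection, so start this BEFORE
# clicking "Start" in AIR on the suspect workstation.
start_listener() {
    passphrase="$1"
    mkdir -p "$EVIDENCE_DIR"
    ifconfig > "$EVIDENCE_DIR/listener-ifconfig.txt"   # record of the IP you typed into AIR
    date -u +'%Y-%m-%dT%H:%M:%SZ start' >> "$EVIDENCE_DIR/acquisition.log"
    cryptcat -k "$passphrase" -l -p "$LISTEN_PORT" > "$EVIDENCE_DIR/sda-img.dd"
    date -u +'%Y-%m-%dT%H:%M:%SZ end' >> "$EVIDENCE_DIR/acquisition.log"
}

# MD5 of a file as a bare lowercase hex string (the digest "md5sum -b" prints).
md5_of() {
    md5sum -b "$1" | cut -d' ' -f1
}

# SECTION III: compare the received image against the hash AIR displayed.
# Returns 0 on match, 1 on mismatch. The comparison is case-insensitive because
# GUI status windows and md5sum do not always agree on hex case.
verify_image() {
    img="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$img")
    if [ "$actual" = "$expected" ]; then
        printf 'MATCH %s %s\n' "$actual" "$img"
        return 0
    fi
    printf 'MISMATCH expected=%s got=%s %s\n' "$expected" "$actual" "$img" >&2
    return 1
}

# Append MD5 and SHA-256 side by side so a later examiner does not have to rely
# on MD5 alone. Prints the two lines it appended.
record_hashes() {
    img="$1"
    log="$2"
    {
        md5sum -b "$img"
        sha256sum -b "$img"
    } | tee -a "$log"
}

case "${1:-}" in
    listen) start_listener "$2" ;;
    verify) verify_image "$EVIDENCE_DIR/sda-img.dd" "$2" \
            && record_hashes "$EVIDENCE_DIR/sda-img.dd" "$EVIDENCE_DIR/acquisition.log" ;;
esac
```

Run `sh acquire.sh listen '<a password>'` as root before clicking "Start" in AIR, and `sh acquire.sh verify <hash>` with the MD5 from AIR's status window once the transfer finishes. The SHA-256 line written to acquisition.log is a practitioner's addition rather than something the post or AIR calls for; MD5 alone is a weak basis for proving an image unchanged, and recording a second hash at acquisition time costs nothing.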