Using CAINE and AIR to image a suspect workstation


Post  joetekno on Thu Feb 26, 2009 11:36 pm

NOTE: These instructions are for using a CAINE Live CD to image a computer with a single SATA hard disk (suspect workstation) to a computer with CAINE installed to the hard drive (forensic workstation). You need to have enough free space on the computer with CAINE installed to save an image file the size of the suspect hard drive. I always highly recommend using a physical hard drive write blocker to image suspect computers. However, if you don't own a forensic write blocker you can use these instructions.

SECTION I

1. Boot the forensic workstation and log in.
2. Open a command prompt window.
3. Type "ifconfig" and document your IP address.
4. Type "sudo su" and then the password.
5. Type "cd /"
6. Type "mkdir evidence"
7. Type "cd evidence"
8. Type "cryptcat -k <a password> -l -p 8888 > sda-img.dd"

SECTION II

1. Boot off the CD on the suspect workstation
2. Select "Start"... Caine... Caine Interface
3. Click the "Create Report" button
4. Click the "Collection" tab
5. Click the "AIR" button
6. Click the "OK" button if prompted
7. Click the "SDA" (hard drive icon) button
8. Click the "Set as Source" button
9. Click the "Cryptcat" button
10. Type the password you typed in SECTION I Number 8
11. Click the "Net" button
12. Click the "Destination" button
13. Type the IP address found using the ifconfig command in SECTION I Number 3
14. Type the port 8888
15. Click the "OK" button
16. Click the "Start" button
17. Click the "Yes" button
18. Click the "MD5" button
19. Click the "Show Status Window" button
20. When it completes, document the MD5 hash value

SECTION III

1. Once completed, run the following command in the command prompt on the forensic workstation: "md5sum -b sda-img.dd"
2. Verify the hash matches SECTION II Number 20

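The final verification step in the post above, as an added shell example that is not part of the original post or of CAINE: it compares the image's MD5 with the value AIR reported and appends the result to a log. The function name `verify_image`, the log file name and the extra SHA-256 fingerprint are assumptions introduced here and go beyond what the post describes.

```shell
#!/bin/sh
# Added example: verify a received disk image against the MD5 that AIR
# reported on the suspect workstation, and keep a record of the check.
# verify_image and the log file name are hypothetical, not part of CAINE.

# Usage: verify_image <image-file> <md5-from-AIR> [log-file]
# Returns 0 on match, 1 on mismatch, 2 on usage/input error.
verify_image() {
    image=$1
    expected=$2
    log=${3:-acquisition.log}

    if [ -z "$image" ] || [ -z "$expected" ]; then
        echo "usage: verify_image <image> <md5> [log]" >&2
        return 2
    fi
    if [ ! -r "$image" ]; then
        echo "cannot read image: $image" >&2
        return 2
    fi

    # Normalise the recorded hash: strip whitespace, lower-case it.
    expected=$(printf '%s' "$expected" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) echo "not a hex MD5: $expected" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 32 ]; then
        echo "MD5 must be 32 hex characters" >&2
        return 2
    fi

    # md5sum -b prints "<hash> *<file>"; keep only the hash field.
    actual=$(md5sum -b "$image" | cut -d' ' -f1)
    # SHA-256 recorded alongside as a second, stronger fingerprint.
    sha256=$(sha256sum -b "$image" | cut -d' ' -f1)
    stamp=$(date -u '+%Y-%m-%dT%H:%M:%SZ')

    if [ "$actual" = "$expected" ]; then
        result=MATCH
    else
        result=MISMATCH
    fi
    printf '%s %s image=%s md5=%s expected=%s sha256=%s\n' \
        "$stamp" "$result" "$image" "$actual" "$expected" "$sha256" >> "$log"

    [ "$result" = MATCH ] || return 1
    chmod a-w "$image"    # guard the verified image against accidental writes
    return 0
}
```

Source the file on the forensic workstation and call `verify_image /evidence/sda-img.dd <hash from SECTION II Number 20>`; a non-zero return means the image should not be relied on until it is re-acquired.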