Raptor User Manual

Contents (continued)

Raptor Toolbox: Mounting ........................ 22
Raptor Toolbox: Find ............................ 24
Raptor Toolbox: Unallocated ..................... 25
Raptor Toolbox: Format .......................... 27
Raptor Toolbox: Wipe ............................ 28
Raptor Toolbox: Update .......................... 29
Raptor Toolbox: Tasks ........................... 33
All Done: Shutting Down Raptor .................. 34
Support ......................................... 34

Introduction

Welcome to Raptor 3.0 by Alvarez & Marsal. This manual covers all the information that is necessary to utilize the basic features programmed into this application.

Document Conventions

This manual conforms to a set of conventions that attach specific meanings to the typefaces used in explanations and procedures. The following table defines these conventions (the remaining rows, with examples, appear later in this document).

Item                        | Convention
----------------------------|----------------------------------------------------
Acronyms                    | All uppercase (may be spelled out on first use)
Book titles                 | Title caps, italic
Chapter and section titles  | Title caps, in quotation marks
Dialog box options          | Bold
Dialog box titles           | Bold
Emphasis or new words       | Italic or within quotation marks
File names                  | Title capitalization (internal capitalization can be used for readability)

The remaining items in the table are: Folder and directory names; Icon names; Key names; Menu names; Parameters (titles, stand-ins for text to be entered); Program names; URLs; Windows (named); Windows (unnamed).
Once the address information has been entered, choose Apply to save the settings.

[Screenshot: Editing Wired connection 1 dialog, IPv4 Settings tab (Connection name; Connect automatically; tabs Wired, 802.1x Security, IPv4 Settings, IPv6 Settings; Method: Automatic (DHCP); Addresses: Address, Netmask, Gateway, Add, Delete; Additional DNS servers; Additional search domains; DHCP client ID; Require IPv4 addressing for this connection to complete; Routes...; Available to all users; Cancel / Save)]

To create a wireless connection, some additional settings may be required. After selecting the Wireless tab there are two additional tabs which contain wireless-connection-specific information. The default tab is Wireless. The Wireless tab contains the SSID field, which is used to provide the SSID of the wireless network. The Wireless Security tab is used to select the type of security. Depending on the type of security chosen, some additional information may be required. Normally a network administrator will be able to advise as to the type of security and the settings required to connect to the wireless network.

[Screenshot: Editing Wireless connection 1 dialog, Wireless tab (Connection name; Connect automatically; tabs Wireless, Wireless Security, IPv4 Settings, IPv6 Settings; SSID; Mode: Infrastructure; BSSID; Device MAC address; Cloned MAC address; MTU: automatic bytes; Available to all users)]
[Screenshot: Raptor File Browser (File, Edit, View, Go, Bookmarks, Help) showing the FindResults folder on volume B830-BE5F with the files FindResults.rfr and FindResults.rfc; sidebar: Computer, Home, Desktop, File System, Trash, Network, Browse Net]

Raptor Toolbox: Unallocated

The Unallocated tab is used to collect unallocated space from a device. To collect unallocated space, Raptor requires the user to select a Source, a Destination and a Name. The source can be a logical or physical volume, while the destination must be a mounted device. The Name entered by the user is used both to create the folder name and is appended to the created file name.

[Screenshot: Raptor Toolbox, Unallocated tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks; Source: Physical device SanDisk Cruzer 100016010713114600A0 8GB (/dev/sde); Destination: Partition 1 of Physical device SanDisk Cruzer 20043515410314420D18 8GB; Name: Unallocated; Extract)]

Once the extraction process begins, the following window is displayed until it finishes.

[Screenshot: Extract Unallocated status window for media B830-BE5F; Cancel]

Once the extraction finishes, a .dat file is created for each type of unallocated space extracted. The name of each file is appended with the name provided above (the screenshot shows an "Unallocated ... unallocated.dat0" file inside the Unallocated folder on volume B830-BE5F).
When the process is completed you get a verification status message. Logs of the process are saved to the image directory.

[Screenshot: Raptor Acquisition Wizard, Imaging: "Logs of the process will be saved to the image directory"; Cancel]

Once verification is complete you are asked if you want to shut down; doing so will safely unmount all target media.

Navigating Raptor and the Raptor Toolbox

The icons located on the left side of the Raptor desktop represent the Raptor Toolbox. For those with more Linux experience this is a much more powerful interface for using Raptor. For those who are familiar with Raptor 2.x this toolbar format will look very familiar.

- Double-clicking the icon labeled RAPTOR opens the Toolbox that contains the forensic processes of Raptor. This is where Imaging, Verification, Mounting, Formatting, Find, Unallocated, Wiping, Update and Task Lists can be accessed.
- The TERMINAL icon gives you command-line access to Raptor's Linux base. Unless you are very familiar with Linux you will likely avoid this area.
- Double-clicking the VOLUME BROWSER icon opens the Volume Browser, allowing you to browse programs and files.
- Double-clicking the A&M Logo icon opens a window containing informational PDF files that detail the digital forensics and information security training offerings currently available from Alvarez & Marsal, the creator of Raptor.
- The Ubuntu STARTUP DISK CREATOR icon is used to create a USB launch device (see below).
You are writing the data to an 8GB USB flash storage device, commonly referred to as a thumb drive; start by selecting the destination. Here you select the partition of the thumb drive where you want to write your data. You will also fill out the File Name to use for the output file(s), the Examiner Name, the Case Identifier, the Evidence Number and a Description. You also select whether to verify the forensic image.

[Screenshot: Raptor Acquisition Wizard, file details step ("Enter a descriptive file name and fill out the fields as required by your case. The only required field is a file name. An image file will be created and saved to the media selected. Optionally select to verify the copy after the creation."); File Name: Suspect_Computer; Examiner or Investigator: John Doe; Case Identifier: 2013-09-30-0001; Evidence Number: 0001; Description: Suspect Disk 001; Verify; Back / Cancel]

NOTE: While it is not shown in the above screenshot, the output for the forensic image will be in the EnCase E01 format. If you need to use another format, such as a dd raw disk image, please see the following section on converting between image formats (Raptor Toolbox: Image Conversion with Verify), or skip the imaging wizard and go straight to the Raptor Toolbox, also covered later in this document.

This takes you to a Raptor Acquisition Wizard Summary page, which details everything you have entered into the previous screens as well as the commands that will be executed.

[Screenshot: Raptor Acquisition Wizard summary; Source: Suspect on Physical device JetFlash TS1GJFV20 NP...]
...start the shutdown process.

[Screenshot: Ubuntu session menu: Help, System Settings, Lock, Log Out, Suspend, Restart, Shut Down]

When Restart or Shut Down is selected, Raptor first asks you to confirm the shutdown or restart; then you go through a normal shutdown/restart process. You will also be asked to eject the DVD-ROM before the computer turns off or restarts.

[Screenshot: Shut Down dialog: "Are you sure you want to close all programs and shut down the computer?"; Cancel / Shut Down]

Support

If you have questions or need support when using Raptor, please email us at raptor@alvarezandmarsal.com.
These image formats are forensically sound and can be used by most, if not all, forensic applications.

Imaging is started by selecting your source device. This is sometimes referred to as the suspect device. In this case you are trying to capture a 1 GB USB storage device. Click the Select Source drop-down box and you will be presented with a list of devices that are present on the system. In most cases you want an image of the entire Physical device. If you only want the Logical Partition, you are presented with that option as well.

[Screenshot: Raptor Toolbox, Image tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks; Source: <Select Source>; Destination: Device / E01 / dmg / dd-Raw, <Select Destination>, Segment file size (MB), Verify after creation; Additional Destination (Optional): Device / E01 / dmg / dd-Raw, <Select Destination>, Segment file size (MB), Verify after creation; Name)]

The next step is to select the format of the image that you want to create. Several options are presented, including Device, E01, dmg and dd. Make the selection that you desire and set the segment file size. This size dictates the size of the chunks, or segments, into which Raptor will split your image. Selecting Device causes the Segment File Size option to become unavailable; all other format options allow the size to be changed. The MAXIMUM segment file size is 2000, but you can select any size smaller than 2000.
[Screenshot: Raptor File Browser showing the destination folder with a .dat file for unallocated space and a .dat file for unpartitioned space; sidebar: Computer, Home, Desktop, File System, Trash, Network, Browse Net; Search]

In this screenshot you can see that a .dat file was created for both unallocated space and unpartitioned space.

Raptor Toolbox: Format

Raptor allows you to format media in a variety of file systems. Included in these formats are HFS (Mac native), NTFS and FAT32 (Microsoft native) and EXT3 (Linux/Unix native). In order to use the Format functionality, select the Format tab. To format a physical device, the device must NOT be mounted. If you know that a device is present and Raptor sees the device, but it is not presented to you in the drop-down box, go to the Mount tab and unmount the volume. This should allow the physical device to appear and be available for formatting.

[Screenshot: Raptor Toolbox, Format tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks; Physical device VMware VMware Virtual S 1GB (/dev/sda); Volume label: ForensicTest; Filesystem: HFS / NTFS / ext3 / FAT32; Format)]

In order for Raptor to format, you must give the volume a Name. If you leave this field blank, the Format button is grayed out. Once you click Format, a status window appears. If you have selected a physical device, Raptor will partition the device before formatting.

WARNING: Raptor will do whatever you tell it to. This means that if you tell Raptor to format the suspect device, it will do so.
[Log excerpt, /media/Target/Suspects_System/Suspects_System.log.txt, as displayed on the desktop next to the Raptor Toolbox Image tab:
Source: Suspect on Physical device JetFlash TS1GJFV20 NPODPXY9 1GB (/dev/sde)
Image command: dcfldd bs=32k conv=noerror,sync sizeprobe=if if=/dev/sde of=|ewfacquirestream -c fast -d sha1 -D "Suspects System" -M physical -S 2000MiB -e "John Doe" -C 2013-09-30-0001 -l /media/Target/Suspects_System/Suspects_System.log.txt.hashes -t /media/Target/Suspects_System/Suspects_System 2>/dev/null >/dev/null errlog=|tee -a /media/Target/Suspects_System/Suspects_System.log.txt >/dev/null hashlog=|tee -a /media/Target/Suspects_System/Suspects_System.log.txt.hashes >/dev/null
Started imaging process at 20131030-12:44:40
31200+0 records in
31200+0 records out
Completed imaging process at 20131030-12:48:58
Hash values calculated during initial creation
Total (md5): f712780adfe36bc2915819eff0926735
MD5 hash calculated over data: f712780adfe36bc2915819eff0926735
SHA1 hash calculated over data: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a
Hash values for verification started at 20131030-12:48:58]

When the verification process is completed it appends to the log file and displays the status on the desktop.

[Screenshot: Ubuntu desktop at 3:50 PM showing the log file under /media/Target/Suspect]
...as well as the commands that will be executed to accomplish the imaging task. Verify that everything looks correct here; if you find any errors, click the Back button and fix any input that may need correcting. Once you are ready to image, click Start.

[Screenshot: Raptor Acquisition Wizard summary (Source: Suspect on Physical device JetFlash TS1GJFV20 NPODPXY9 1GB (/dev/sde); Destination: Target on Partition 1 of Physical device SanDisk Cruzer Fit 4C53200004112711625 8GB (/dev/sdf1); Verify: yes; Command Line: ewfacquire -C 2013-09-30-0001 -D "Suspect Disk 001" -e "John Doe" -E 0001 -M physical -c fast -d sha1 -S 2000MiB -b 32768 ... /media/Target/Suspect_Computer; Back / Start)]

You are now presented with an imaging progress screen which gives you statistics about the imaging task. The progress is displayed to the right, including percentage complete, estimated time to completion and throughput. Once the imaging process is completed, the option to shut down is displayed.

[Screenshot: Raptor Acquisition Wizard, Imaging ("The process of imaging the media has begun. Imaging: 25% completion in 1 minute(s) and 6 second(s) with 46 MiB/s. Logs of the process will be saved to the image directory."); Cancel]

Once completed, the verification process kicks off, because you selected the Verify After Creation option. The progress is displayed to the right.

[Screenshot: Raptor Acquisition Wizard, Verifying: SUCCESS]
RAPTOR 3.0 RELEASE DOCUMENTATION

Alvarez & Marsal, Latin America

Contents

Introduction ....................................................... 3
Document Conventions ............................................... 3
What is Raptor? .................................................... 3
Why Use Raptor? .................................................... 4
WARNING ............................................................ 4
Imaging Macintosh Computers in Target Disk Mode .................... 5
The Raptor Acquisition Wizard ...................................... 7
Navigating Raptor and the Raptor Toolbox ........................... 10
Creating a Raptor USB Boot Device .................................. 11
Raptor Toolbox ..................................................... 13
Raptor Image Logs .................................................. 17
Raptor Toolbox: Image to Two Separate Destinations in Two Different Formats ... 18
Raptor Toolbox: Image Conversion with Verify ....................... 19
Raptor Toolbox: Verify ............................................. 21
Raptor Toolbox: Mounting ........................................... 22
Document conventions, complete table (item, convention, example):

Item | Convention | Example
---- | ---------- | -------
Acronyms | All uppercase (may be spelled out on first use) | Target Disk Mode (TDM); Multipurpose Internet Mail Extensions (MIME)
Book titles | Title caps, italic | Raptor 3.0 Release Documentation
Chapter and section titles | Title caps, in quotation marks | See the section "Raptor Toolbox: Image Conversion with Verify"
Dialog box options | Bold | Click Continue
Dialog box titles | Bold | the Find dialog box
Emphasis or new words | Italic or within quotation marks | This cannot be said enough; the suspect device
File names | Title capitalization (internal capitalization can be used for readability) | Filename.doc; FileName.doc
Folder and directory names | Bold in procedures, regular font elsewhere | the TMP folder; Destination Drive (E:)
Icon names | Bold, title capitalization | Right-click on the Networking icon
Key names | All uppercase | Hold down the T key; Press ENTER to boot
Menu names | Bold, title capitalization | the Select Source dropdown menu
Parameters (titles, stand-ins for text to be entered) | Italic | enter a Name (Filename)
Program names | Title capitalization | Raptor; Microsoft Word
URLs | Lowercase | http://www.alvarezandmarsal.com
Windows (named) | Title caps | the Tasks window
Windows (unnamed) | Lowercase | a status window

What is Raptor?

Raptor is an Ubuntu Linux based Live DVD, developed by Dave Loveall for Alvarez & Marsal, used for performing various forensic processes on computers. The function of this live DVD is to perform various forensic processes on Intel 32- and 64-bit processor based computers, including Windows, Macintosh and Linux systems. The processes that Raptor performs include forensic imaging and verification, forensic image conversion, forensic sterilization of media (wiping) and additional features. Raptor can be used on any Intel based computer, including computers from Dell, HP and Sony, and Intel processor based Macintosh computers.

Why Use Raptor?
Creating a Raptor USB Boot Device

New to Raptor 3.0 is a menu-driven way to create a Raptor boot device using removable USB media such as a thumb drive. In Raptor 2.x this was an extensive process that involved accessing the command line and internals of Raptor; now it is a simple point-and-click process.

First, inside a booted Raptor 3.0 system, click the Startup Disk Creator icon in the toolbar; this launches the Make Startup Disk wizard. On a booted Raptor system the ISO image used to create the startup disk defaults to the booted Raptor ISO, so you won't have to do anything there.

Now simply insert a USB device into the booted Raptor system and it will be displayed in the Disk to Use section at the bottom of the menu. Select the device and click the Erase Disk button to prepare the disk for use.

[Screenshot: Make Startup Disk wizard ("To try or install Ubuntu from a removable disk, it needs to be set up as a startup disk"); Source disc image (.iso) or CD: CD Drive / Image /dev/sr0, OS Version: Raptor 20130908, Size: 799.8 MB; Other...; Disk to use: JetFlash TS1GJFV20, Label: RAPTOR, Capacity: 972.1 MB, Free Space: 972.1 MB; Erase Disk; Close; Make Startup Disk]

Caution: This action will erase all data on the disk, so make sure you are using the correct media. Until you erase the media, the Make Startup Disk button is inactive. Once the media is erased, the button
...disclaimer in the documentation and/or other materials provided with the distribution.

[Screenshot: license notice on the Raptor desktop]

Above are the specifics and copyright statements that you must agree to prior to using Raptor. Once this notice screen appears on the Raptor desktop, the entire operating system is available and ready for use.

The Raptor Acquisition Wizard

After clicking OK on the license agreement, you are presented with the Raptor Acquisition Wizard, a new feature for Raptor 3.0. This wizard walks you through performing a forensic collection; its use is recommended for those with less Linux experience.

Click the Select Source dropdown to select the media you wish to acquire. In the example here you will be collecting a 4GB sample disk listed under device /dev/sdc. You will want to collect the entire physical disk and not just a volume or partition on the disk.

[Screenshot: Raptor Acquisition Wizard, Step 1 ("Select the source you would like to acquire. The source is the piece of media which you would like to image. Imaging is the process of making a bit-for-bit copy of the media."); Source: Suspect on Physical device JetFlash TS1GJFV20 NPODP...; Back / Next / Cancel]

Next, insert your USB target disk for storing the forensic image into the system and click Next.

[Screenshot: Raptor Acquisition Wizard, Destination: Target on Partition 1 of Physical device SanDisk Cruzer Fit 4C53...]
[Screenshot: Wipe confirmation dialog: "You are about to overwrite all information on Physical device VMware VMware Virtual S 1GB (/dev/sda). Are you sure you want to destroy this data?"]

During the wiping process the standard status window appears, giving you an approximate time remaining for the wiping process.

[Screenshot: Wiping status window: 73% of 2048Mb (48384 blocks) 1512Mb written, 00:00:01 remaining]

Raptor Toolbox: Update

The Update tab, new to Raptor 3, is used to download Raptor updates from the Alvarez & Marsal website.

[Screenshot: Raptor Toolbox, Update tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks; Select Source; Cache Updates (Optional))]

In order to use the Update functionality, a network connection is needed and has to be created first. Network connections can be created by right-clicking the Network icon in the upper left-hand corner and choosing Edit Connections.

[Screenshot: Network Connections dialog (tabs Wired, Wireless, Mobile Broadband, VPN, DSL; columns Name, Last Used; Add, Edit, Delete, Close)]

The first tab, Wired, is used to create a connection when a network cable is attached to the computer. Normally the only tab required for a wired connection is IPv4 Settings. By default DHCP is selected; if a static IP is required, select Manual from the Method drop-down menu. Selecting the Add button allows the IP Address, Netmask and Default Gateway to be entered.
[Screenshot: Raptor Toolbox, Find tab, device list: Linux Loop filesystem squashfs 805MB (/dev/loop0); Partition 1 of Physical device SanDisk Cruzer 100016010713114600A0 8GB (/dev/sde1); Partition 1 of Physical device SanDisk Cruzer 20043515410314420D18 8GB (/dev/sdf1)]

Once devices have been selected, Raptor allows you to input search criteria. The options are Name, Content and MIME, and each field allows multiple entries. Criteria match ANY: in the example to the right, Find will return any results where the file name is name.txt, OR the content contains the word Content, OR the MIME type is image/jpeg or text/plain.

[Screenshot: Find criteria (Criteria: Matches ANY; Name: name.txt; Content: Content; MIME: image/jpeg, text/plain; <New Criteria>)]

Finally, the Destination drop-down shows all mounted devices where the data can be written to, and the name of the folder where the results will be created.

[Screenshot: Destination: Partition 1 of Physical device SanDisk Cruzer 20043515410314420D18 8GB; Find]

The Find status window appears while the search is ongoing.

[Screenshot: Find status window for Partition 1 of Physical device SanDisk Cruzer 100016010713114600A0 8GB (/dev/sde1); Cancel]

Once the search finishes, two files are created in the user-specified folder. The first file is an .rfc file, which is an XML file containing the search query. The second file is an .rfr file, which is a SQLite3 database file containing the search results.

[Screenshot: FindResults folder in the Raptor File Browser (File, Edit, ...)]
...a second destination must be selected, and a second file format and a file Name must be entered. Enter the imaging specifics as before, select the destinations carefully, and activate the Verify After Creation checkbox. In this case you are imaging the same 1GB drive to two different destinations in two different file formats.

[Screenshot: Raptor Toolbox, Image tab; Destination: Device E01 (Segment file size (MB) 2000, Target on Partition 1 of Physical device SanDisk Cruzer Fit 4C53200004112711625, Name: Suspect Computer E01, Verify after creation checked); Additional Destination (Optional): Device DMG (Segment file size (MB) 2000, Partition 1 of Physical device SanDisk Cruzer 20053550130314420D1C 8GB, Name: Suspect Computer DMG, Verify after creation checked); Start]

When Start is selected, the following screen is visible. The "Imaging and Imaging" title on the window indicates that two different images are being created at the same time.

[Screenshot: "Imaging and Imaging" status window: 14% of 1024Mb (4608 blocks) 144Mb written, 00:02:51 remaining]

NOTE: You can also send two images to the same destination if you prefer. Should you decide to do this, you will need to select different file types; otherwise only one image file set will be created. Additionally, creating two image file sets on one device will not give you any disaster recovery security.

Raptor Toolbox: Image Conversion with Verify

Raptor has an added capability that can be very helpful in many situations.
[Log excerpt, continued: Digest hash information: MD5: cd573cfaace07e7949bc0c46028904ff; SHA1: 2a492f15396a6768bcbca016993f4b4c8b0b5307]

Raptor Toolbox: Verify

The Verify tab in the Raptor Toolbox is useful for a variety of tasks. For instance, despite all our warnings, sometimes it is possible to forget to select Verify After Creation. In this situation, rather than cancelling the imaging process, you can wait until the process is completed and perform verification on the image file. The default window for the Verify tab is shown.

[Screenshot: Raptor Toolbox, Verify tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks; <Select>; Verify)]

Should the need arise to verify a forensic image, select the Verify tab, click on the drop-down and select the forensic image (an E01 image is shown here). Then click Verify.

[Screenshot: Raptor Toolbox, Verify tab with the E01 forensic image selected; Verify]

Once the process begins, a status window appears. At the conclusion of the process, a new text file overwrites the original imaging log file that was placed in the destination folder.

[Screenshot: Verify status window: "Status at 40%: verified 417 MiB (437452800 bytes) of total 1.0 GiB (1073741824 bytes), completion in 13 second(s) with 46 MiB/s (48806446 bytes/second)"]

The Verify tab can also be used to hash a device or logical partition. For example, if one wants to hash a device before creating an image, or for whatever reason the only thing that is needed is a hash
Raptor will allow you to convert a forensic image from one format to another. Raptor will also allow you to change the file segmentation settings within a particular forensic image type. In order to perform this function, the selected Source must be the forensic image that you want to convert. In this case the forensic image that was just created is in the E01 (EnCase) file format with 2000MB file segments.

After selecting the forensic image you wish to convert, you must select the new file format, the new file Segment Size, the new Destination and the new file Name. Verify After Creation should ALWAYS be selected.

[Screenshot: Raptor Toolbox, Image tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks; Source: /media/5255-B26B/Suspect_Drive_E01/Suspect_Drive_E01.E01; Destination: Device / E01 / dmg / dd-Raw, Segment file size (MB) 2000, Partition 1 of Physical device SanDisk Cruzer 100016010713114600A0 8GB, Name: Suspect Drive E01 DMG, Verify after creation checked; Additional Destination (Optional): Device / E01 / dmg / dd-Raw, Segment file size (MB), <Select Destination>, Name, Verify after creation; Start)]

You have the option of merely changing the file segment size. Accomplish this by keeping the file type the same as the original; however, either the destination or the filename would have to be changed to avoid overwriting the original.
You are not given any warning prior to the formatting process.

Raptor Toolbox: Wipe

Forensic best practice dictates that the device that receives a forensic image should be forensically sterile. This means that the device should have a known value written to every byte in every sector of the hard drive. Raptor does this using the hex value 0x00.

The Wipe tab is similar in appearance to the Format tab. Select the physical device you want to wipe and click Wipe.

[Screenshot: Raptor Toolbox, Wipe tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks; <Select>; Verify after wipe; Wipe)]

As with the Format function, the Wipe function cannot be completed on a device that is mounted. If the device you want to wipe does not appear in the Wipe drop-down box, go to the Mount tab, select the volume and unmount it. The device should then be visible in the Wipe tab.

NOTE: This cannot be said enough: Raptor will do whatever you tell it to. This means that if you tell Raptor to wipe the suspect device, it will wipe the device. However, unlike the Format command, in the Wipe function you get a message confirming that you want to overwrite the disk before proceeding. Please note that once a device is wiped there is no getting the data back. It is highly recommended that you VERIFY which device you are wiping. Your own personal best practice may be to never use the Wipe or Format menus when a suspect device is attached.
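The "wipe, then verify after wipe" step above, as an added example (not Raptor's own code and not from the manual): the target is overwritten with 0x00 and then read back in full to confirm that every byte is zero, which is what "forensically sterile" means in this section. It runs on a constructed sample file in a temporary directory rather than a real device, and assumes a POSIX shell with dd, head, cmp, wc and mktemp; the names WORK, TARGET, wipe_media and is_sterile are the example's own.

```shell
#!/bin/sh
# Added example, not Raptor's own code: the "wipe, then verify" procedure the
# manual describes (write 0x00 to every byte, then confirm it), run against a
# constructed sample file in a temp directory instead of a real device.
# Assumptions: POSIX sh with dd, head, cmp, wc and mktemp.

WORK=$(mktemp -d)
TARGET="$WORK/target.bin"     # stands in for the device selected in the Wipe tab

# Constructed sample "target media": 64 KiB of random data, i.e. not sterile yet.
make_dirty_media() {
    head -c 65536 /dev/urandom > "$TARGET"
}

# Size of the media in bytes, so the wipe covers every sector and nothing more.
media_size() { wc -c < "$1"; }

# Wipe: overwrite the whole target with zeros. conv=notrunc keeps the file at
# its original size (a block device has a fixed size anyway); count is derived
# from the media size so the final sector is not skipped.
wipe_media() {   # $1 target
    size=$(media_size "$1")
    dd if=/dev/zero of="$1" bs=512 count=$((size / 512)) conv=notrunc 2>/dev/null
}

# Verify after wipe: every byte must equal 0x00. Compare the target with the
# same number of bytes from /dev/zero; cmp exits non-zero at the first mismatch.
# Returns 0 if the media is sterile, 1 otherwise.
is_sterile() {   # $1 target
    size=$(media_size "$1")
    head -c "$size" /dev/zero | cmp -s - "$1"
}

make_dirty_media
is_sterile "$TARGET" && echo "unexpected: media was already sterile"
wipe_media "$TARGET"
is_sterile "$TARGET" && echo "wipe verified: all $(media_size "$TARGET") bytes are 0x00"
```

The read-back is the part that matters: a wipe that reports success without re-reading the device proves nothing about what is actually on it, and a single non-zero byte anywhere makes `is_sterile` fail.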
This setting will cause Raptor to create MD5 and SHA1 hashes of the original as well as of the image file and store them in a log file that Raptor creates during imaging. When the creation and verification hash values match, the image and the original are identical.

[Screenshot: Raptor Toolbox, Image tab (Source: Suspect on Physical device JetFlash TS1GJFV20 NPODPXY9 1GB (/dev/sde); Destination: Device E01, Segment file size (MB) 2000, Target on Partition 1 of Physical device SanDisk Cruzer Fit 4C53200004112711625, Verify after creation checked; Additional Destination (Optional): Device / E01 / dmg / dd-Raw, <Select Destination>, Segment file size (MB), Name, Verify after creation)]

You are now ready to image, so click Start and the desktop will appear as below. At the top of the desktop you will see a status window that shows the current status of the imaging process.

[Screenshot: Imaging status window: 9% of 975Mb (2816 blocks) 88Mb written, 00:02:51 remaining]

Once imaging is completed, the log file of the collection is displayed. If Verify After Creation was checked, the top-right window then shows the status of the verification process.

[Screenshot: Desktop at 12:49 PM showing /media/Target/Suspects_System/Suspects_System.log.txt and the verification status: "Status at 2%: verified 20 MiB (21266432 bytes) of total 975 MiB (1022361600 bytes) in 2 minute(s) and 27 second(s) with 6.5 MiB/s (6815744 bytes/second)"; Source information: Source: Suspect on Physical device ...]
[Log excerpt, continued: SHA1 hash calculated over data: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a; Completed verification process at 20131030-12:52:40]

Raptor Image Logs

Examination of the destination that was selected for the forensic image shows at least two items. One is the image file segment and the other is an imaging log file. In this case the image file was large enough that an additional image file segment was created. Had the image been smaller, there would have been only one image file segment.

The image log file, which is created automatically, contains very important information. It includes:

- Source information (the device that was imaged)
- The command used to create the image
- The date and time of the imaging process and the number of records (blocks) read and written

[Log excerpt, /media/Target/Suspects_System/Suspects_System.log.txt:
Source information
Source: Suspect on Physical device JetFlash TS1GJFV20 NPODPXY9 1GB (/dev/sde)
Image command: dcfldd bs=32k conv=noerror,sync sizeprobe=if if=/dev/sde of=|ewfacquirestream -c fast -d sha1 -D "Suspects System" -M physical -S 2000MiB -e "John Doe" -C 2013-09-30-0001 -l /media/Target/Suspects_System/Suspects_System.log.txt.hashes -t /media/Target/Suspects_System/Suspects_System 2>/dev/null >/dev/null errlog=|tee -a /media/Target/Suspects_System/Suspects_System.log.txt >/dev/null hashlog=|tee -a /media/Target/Suspects_System/Suspects_System.log.txt.hashes >/dev/null
Started imaging process at 20131030-12:44:40]
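The Verify After Creation logic described above (hashes recorded in the log during imaging, recomputed over the image file afterwards, and compared) together with the log layout shown in the Raptor Image Logs section, as an added example that is not Raptor's own code and is not from the manual. It uses plain dd, md5sum and sha1sum on constructed sample data in a temporary directory in place of dcfldd/ewfacquirestream and /dev/sde, and it also exercises the case the comparison exists for: a single changed byte in the image makes verification report a mismatch. The names WORK, SOURCE, IMAGE, LOG, acquire_image, verify_image and corrupt_image are the example's own.

```shell
#!/bin/sh
# Added example, not Raptor's own code: the "image, then verify" procedure the
# manual describes, reproduced with dd/md5sum/sha1sum on constructed sample
# data in a temp directory instead of a real suspect device.
# Assumptions: POSIX sh with dd, md5sum, sha1sum, cut, sed, head and mktemp.

WORK=$(mktemp -d)
SOURCE="$WORK/suspect.bin"                 # stands in for /dev/sde
IMAGE="$WORK/Suspect_Computer.dd"
LOG="$WORK/Suspect_Computer.log.txt"

# Constructed sample media: exactly 4 x 32 KiB, so no block padding occurs.
# dd's conv=sync pads a short read with NULs up to the block size, which is why
# creation and verification hashes must be taken over the same byte stream.
make_sample_media() {
    head -c 131072 /dev/urandom > "$SOURCE"
}

# Hash helpers: print the hex digest only.
md5_of()  { md5sum  < "$1" | cut -d' ' -f1; }
sha1_of() { sha1sum < "$1" | cut -d' ' -f1; }

# Step 1: acquire. Raptor's dcfldd hashes the stream while it writes; here the
# source is simply read a second time for the creation hashes.
acquire_image() {   # $1 source, $2 image, $3 log
    {
        echo "Started imaging process at $(date +%Y%m%d-%H:%M:%S)"
        dd if="$1" of="$2" bs=32k conv=noerror,sync 2>&1
        echo "Hash values calculated during initial creation"
        echo "MD5 hash calculated over data: $(md5_of "$1")"
        echo "SHA1 hash calculated over data: $(sha1_of "$1")"
        echo "Completed imaging process at $(date +%Y%m%d-%H:%M:%S)"
    } >> "$3"
}

# Step 2: verify. Recompute both digests over the image file and compare them
# with the creation hashes recorded first in the log. Returns 0 on match, 1 otherwise.
verify_image() {    # $1 image, $2 log
    created_md5=$(sed -n 's/^MD5 hash calculated over data: //p' "$2" | head -n 1)
    created_sha1=$(sed -n 's/^SHA1 hash calculated over data: //p' "$2" | head -n 1)
    image_md5=$(md5_of "$1")
    image_sha1=$(sha1_of "$1")
    {
        echo "Hash values for verification started at $(date +%Y%m%d-%H:%M:%S)"
        echo "MD5 hash calculated over data: $image_md5"
        echo "SHA1 hash calculated over data: $image_sha1"
    } >> "$2"
    if [ "$created_md5" = "$image_md5" ] && [ "$created_sha1" = "$image_sha1" ]; then
        echo "Verifying: SUCCESS" >> "$2"
        return 0
    fi
    echo "Verifying: FAILED (hash mismatch)" >> "$2"
    return 1
}

# Simulated failure mode: one altered byte in the image, as a damaged or
# tampered copy would produce. The verify step must then report a mismatch.
corrupt_image() {   # $1 image
    printf 'X' | dd of="$1" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# A full run of the procedure on the constructed media:
make_sample_media
acquire_image "$SOURCE" "$IMAGE" "$LOG"
verify_image "$IMAGE" "$LOG" && echo "image verified; log in $LOG"
```

Both digests are compared rather than one, as in the Raptor log: agreement of MD5 and SHA1 over the same stream is what the manual's "the image and original are identical" rests on, and the log keeps the creation values first so a later re-verification (the Verify tab case) still compares against the values recorded at acquisition time.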
...will boot with Raptor; follow the imaging instructions provided below.

NOTE: Target Disk Mode only applies to Macintosh computers that have a FireWire or Thunderbolt port; older non-Pro MacBooks have neither. Also note that TDM only sees the first physical disk in a Mac computer, and any additional disks will not be accessible in TDM. Since modern MacBook Pros can now have multiple hard drives installed, TDM will miss any additional disks installed.

In order to make Raptor work its magic, you need to make certain that the computer boots to Raptor instead of the native operating system. As noted above, you can ensure that this happens by verifying the boot order in the BIOS of Windows based machines, or by holding down the OPTION key on a Mac. Once the boot process starts you will see several options, as shown below. If this is the first time that you've attempted to boot the system with Raptor, select the first option, Boot Raptor. Depending on the hardware that you are trying to boot, sometimes it is necessary to start Raptor in a graphics mode that is a little less graphics intensive. Thus, if you notice problems with the graphics under the standard boot process, you can select Boot Raptor (Video Compatible). One of these two menu items will boot almost every computer. Under most circumstances these are the only two menu items you will ever use.

[Screenshot: Alvarez & Marsal installer boot menu: Boot Raptor; Boot Raptor (Video Compatible); Check disc for...]
For example, if you envision exporting these image chunks to DVD-ROM, you may consider selecting a size of 640MB or 700MB.

Once you have selected your file format and appropriate size, select the location where your image files will be stored. Clicking on the Select Destination drop-down box presents you with your storage options. Please select carefully, as the Source option is also presented. In this case you are going to store the information on a USB drive.

[Screenshot: Raptor Toolbox, Image tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks; Source: Suspect on Physical device JetFlash TS1GJFV20 NPODPXY9 1GB (/dev/sde); Destination: Device E01, Segment file size (MB) 2000, Target on Partition 1 of Physical device SanDisk Cruzer Fit 4C53200004112711625, Verify after creation; Additional Destination (Optional): Device / E01 / dmg / dd-Raw, Segment file size (MB), <Select Destination>, Name, Verify after creation)]

NOTE: In order for a destination to be shown in this list, the device must be formatted with a file system that is recognized by Raptor. This includes EXT3, HFS, NTFS and FAT32.

Once your selections have been made, select Verify After Creation.
...mounting locally mounted devices. Suspect devices should NEVER be mounted using the Allow Changes checkbox.

Select the device and partition that you wish to mount.

[Screenshot: Raptor Toolbox, Mount tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks; Partition 1 of Physical device SanDisk Cruzer 100016010713114600A0 8GB; Network Volume: Computer, User Name, Password, Domain, Share; Allow changes; Mount)]

For a network volume, provide the Network Volume information (Computer, User Name, Password, Domain, Share). If you wish to allow changes, select the Allow Changes checkbox, then click Mount.

When the partition is mounted you should see a hard drive icon appear on the desktop, and the Raptor File Browser should appear.

[Screenshot: Raptor Toolbox, Mount tab with Partition 1 of Physical device SanDisk Cruzer 100016010713114600A0 8GB (/dev/sd...) mounted; Unmount]

In order to unmount a volume, select the appropriate volume and click Unmount. The hard drive icon should disappear from the desktop.

Raptor Toolbox: Find

The Find tab can be used to search for file names, file content or Multipurpose Internet Mail Extensions (MIME) types. Devices available to be searched appear in the top window. Multiple devices can be selected at once.

[Screenshot: Raptor Toolbox, Find tab (tabs Image, Verify, Mount, Find, Unallocated, Format, Wipe, Update, Tasks); device list begins with a Physical device entry]
…old down the OPTION key at the same time that you press the Power Button, and subsequently you are given an option to select the boot device. If you select the appropriate device, then Raptor will boot, leaving the suspect hard drive alone. To ensure that Raptor doesn't make changes to any attached hard drive or media, the entire Linux operating system contained on the Raptor disk is loaded into RAM. Once the operating system is loaded, a desktop will appear which displays the Raptor Toolbox. It is from this menu that all the features of Raptor are accessed.

Imaging Macintosh Computers in Target Disk Mode

Target Disk Mode (TDM) is a feature of Macintosh computers that allows a Macintosh computer to behave like an external hard drive. A Macintosh in TDM can be connected to another computer through the Firewire or Thunderbolt port. While this is a useful feature in the digital forensics environment, Macs can have a number of different partitions that are formatted with various file systems, which can create a problem. For instance, on a Mac running Bootcamp there will be at least two OS partitions: HFS for OS X and NTFS for the Windows installation. Depending on the combination of file systems and the operating system on the forensic computer, the partitions may auto-mount, which would change data on the suspect hard drive. As another example, if you have a Windows-based forensic computer and you put a Mac in TDM and connect it to the forensic com…
…on. As with the original creation of the forensic image, a status window is shown during the process. In this case the title Converting is used to indicate the process that is taking place.

[Status window: Converting. 42% of 1024Mb (1536 blocks), 48Mb written, 00:02:22 remaining.]

A log file of the process is generated and saved in the destination directory. This log file will contain information about the original acquisition, including the date and time of the acquisition, the format type, the original size of the media, compression (if any), and then the normal information stored in the acquisition log file. If Verify After Creation was selected, the acquisition and verification hashes will be stored in the log file.

Sample log file (/media/5255-B26B/Suspect Drive E01 DMG/Suspect Drive E01_DMG.log.txt):

    Source information
    ewfinfo 20130105

    Acquiry information
        Case number:            case number
        Description:            Suspect Drive E01
        Examiner name:          examiner name
        Evidence number:        evidence number
        Notes:                  notes
        Acquisition date:       2013-10-16T19:16:45
        System date:            2013-10-16T19:16:45
        Operating system used:  Linux
        Software version used:  20130105
        Password:               N/A

    EWF information
        File format:            EnCase 6
        Sectors per chunk:      64
        Error granularity:      64
        Compression level:      good (fast) compression
        GUID:                   F68ea1b6-F212-F843-bc6d-83773a3707ae

    Media information
        Media type:             Fixed disk
        Is physical:            yes
        Bytes per sector:       512
        Number of sectors:      2097152
        Media size:             1.0 GiB (1073741824 byt…
…or Raptor is incredibly easy to use and works on nearly every computer. It allows imaging to be performed without the need to disassemble the computer to access internal hard drives. This is an especially important feature when attempting to access a Macintosh, since they are known to be especially difficult to take apart. Additionally, since Raptor is based on Ubuntu Linux, it is a perfect platform to acquire forensically sound images of computer hard drives, and it maintains all the built-in write protection that is a hallmark of the Linux operating system. When this version of the Linux operating system boots, any media device that is found on the system is automatically locked. This means that it is impossible to make writes to the media without the user explicitly allowing it. Linux also allows media to be mounted in a read-only fashion, eliminating the need for write-blocking hardware.

Raptor is a free program that is easily downloadable from the following page: https://www.forensicsandediscovery.com/Training/InformationProtection/Raptor.aspx

WARNING: Raptor is a very powerful forensic tool that will do exactly what you tell it to do. It is therefore important to understand the implication of each of its functions. You should understand what this tool does and how it works so that you can testify to it should the need arise. As with all tools, it is also important to test and validate this software. By doing so you can see the functions for…
…puter, and there is a FAT or NTFS partition on the Mac, it would be auto-mounted by the host Windows machine in Read/Write mode and would be modified. Conversely, auto-mounting is the default behavior for known file systems on a Mac, and connecting a Mac in TDM mode to another Mac would cause the suspect HFS hard drive to be mounted, resulting in changes to the source data. Both of these situations are undesirable, because one of the key principles of computer forensics is, if at all possible, Make No Changes. Using Raptor to make your forensic image solves these problems. Since Raptor does not mount drives in Read/Write mode, changes will not be made to any attached devices. For example, if your forensic computer is a Windows-based computer which is connected to a TDM-enabled Mac, and you boot it with Raptor, Raptor would see the device as an external hard drive, enabling imaging of the device in Read-Only mode. Similarly, if your forensic computer is a Mac which is attached to a TDM-enabled Mac, and you boot it with Raptor, the same Read-Only status would be enabled.

To place a Mac into Target Disk Mode, boot the computer while holding down the T key. Continue holding the T key until the screen displays a Firewire or Thunderbolt symbol (shown at right). The computer is now in TDM and can be written to if you connect it to a computer that is not booted with Raptor. Connect this device to the Firewire or Thunderbolt port of a computer that wi…
[Boot menu entries: …r defects; Test memory; Boot from first hard disk; Advanced options; Help. Press ENTER to boot or TAB to edit a menu entry.]

Once your choice has been made, Raptor will go through the process of detecting the hardware inside the computer. Sometimes this can take some time, especially on slow computers. Be patient. When Raptor has loaded you will see the Raptor desktop. While it is possible to start using Raptor at this point, it is not fully loaded until you see the Alvarez & Marsal Copyright screen. This normally appears within a minute or so following the launch of the Raptor desktop.

NOTE: Some laptop LCD screens do not display properly with certain programs, including Raptor. In these situations Raptor's desktop image is skewed or otherwise unreadable. If you find that you have this problem, connecting an external monitor will often result in Raptor being fully visible. You may also reboot and try Boot Raptor (Video Compatible mode).

Copyright (c) 2008-2013 Alvarez & Marsal Global Forensic and Dispute Services, LLC. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following dis…
…s System/Suspects System.log.txt

    Source information
        Source: Suspect on Physical device JetFlash TS1GJFV20 NPODPKY9 1GB (/dev/sde)
        Image command: dcfldd bs=32k conv=noerror,sync sizeprobe=if if=/dev/sde
            of=>(ewfacquirestream -c fast -d sha1 -D "Suspects System" -M physical
                 -S 2000MiB -e "John Doe" -C 2013-09-30-0001
                 "/media/Target/Suspects System/Suspects System.log.txt.hashes"
                 -t "/media/Target/Suspects System/Suspects System" 2>/dev/null >/dev/null)
            errlog=>(tee -a "/media/Target/Suspects System/Suspects System.log.txt" >/dev/null)
            hashlog=>(tee -a "/media/Target/Suspects System/Suspects System.log.txt.hashes" >/dev/null)

    Started imaging process at 20131030 12:44:40
    31200+0 records in
    31200+0 records out
    Completed imaging process at 20131030 12:48:58

    Hash values calculated during initial creation
    Total (md5): f712780adfe36bc2915819eff0926735
    MD5 hash calculated over data: f712780adfe36bc2915819eff0926735
    SHA1 hash calculated over data: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a

    Hash values for verification started at 20131030 12:48:58
    MD5 hash stored in file: f712780adfe36bc2915819eff0926735
    MD5 hash calculated over data: f712780adfe36bc2915819eff0926735
    SHA1 hash stored in file: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a
    SHA1 hash ca…
…sh value of the device. This can be done by selecting a physical or logical device in the drop-down box. When the verification is complete, a new text file is created. The location where this text file is stored is within the File System under the TMP folder. It is suggested that this file be re-saved to an external piece of media, such as a thumb drive.

Raptor Toolbox: Mounting Devices

In order to interact with a physical device or its logical contents, the device must be mounted. Raptor accommodates this process under the appropriately named Mount tab. The Mount tab allows one to select any of the physical devices that Raptor detects and offers the option of mounting Read-Only or Read/Write. By selecting the Allow Changes checkbox, Raptor will mount the device as Read/Write. Since you never want to make changes to a suspect device, such devices should NEVER be mounted using the Allow Changes checkbox.

[Screenshot: Raptor Toolbox, Mount tab. Network Volume fields: Computer, Password, Share; Allow Changes checkbox.]

Raptor has the ability to mount a Network Volume. To mount a Network Volume, Raptor requires the Computer name, a username and password (if the Network Volume is not shared to Everyone), and the Share name. You may also be required to provide a Domain name, depending on where the Network Volume resides. The same rules apply for mounting a Network Volume that applied to…
…to all users; Cancel; Save.]

[Screenshot: Editing Wireless connection 1. Connection name: Wireless connection 1; Connect automatically; tabs: Wireless, Wireless Security, IPv4 Settings, IPv6 Settings. Security options: None; WEP 40/128-bit Key (Hex or ASCII); WEP 128-bit Passphrase; LEAP; Dynamic WEP (802.1x); WPA & WPA2 Personal; WPA & WPA2 Enterprise. Available to all users; Cancel; Save.]

Once the wired or wireless settings have been entered, right-click on the Networking icon in the upper right-hand corner and choose Enable Networking. If all of the settings are correctly set, the icon in the upper right-hand corner will change and the desktop will display a "connection established" message.

[Screenshot: Networking menu (panel clock 6:50 AM): Wired connection 1; Disconnect; VPN Connections; Enable Networking; Connection Information; Edit Connections.]

After the connection is created, changing the source to Network and choosing Update will allow Raptor to install updates from the Alvarez & Marsal website, if updates are available.

[Screenshot: Raptor Toolbox, Update tab. Source: <Network>; Cache Updates (Optional): <Select Destination>; Update button.]

Raptor Toolbox: Task Log

The last and final tab on the Raptor Toolbox is the Tasks tab. This tab contains a listing of all the functions performed via the Raptor Toolbox. Included in the task list is the Action, the current State (either R…
…ton will become active and you can create the Startup Disk.

[Progress window: Copying files. 10% complete, 0m36s remaining. Cancel.]

As the boot disk is created, you'll get a status update window as shown above.

[Dialog: Installation Complete. Installation is complete. You may now run Ubuntu on other computers by booting them with this drive inserted. Quit.]

When the process is completed, you'll get the above completion message and your USB device will be ready to boot Raptor.

Raptor Toolbox: Imaging

The Imaging tab of the Raptor Toolbox is where the Forensic Image is created. To perform this function, several drop-down boxes must be selected and other items must be entered. The Raptor Toolbox allows imaging to two different destinations in a multitude of different forensic formats. Included in these formats is Device, which is a drive-to-drive clone; E01, which is a compressed Encase format; dmg, which is a forensic version of the Apple Inc. disk image; and dd Raw, which is a raw encapsulated image often seen in a Linux/Unix environment.

[Screenshot: Raptor Toolbox, Image tab. <Select Source>; Destination: Device / E01 / dmg / dd Raw, <Select Destination>, Name, Segment file size (MB), Verify after creation; Additional Destination (Optional): Device / E01 / dmg / dd Raw, <Select Destination>, Name, Segment file size (MB), Verify after creation.]

All of…
…tten
    31200+0 records out
    Completed imaging process at 20131030 12:48:58

    Hash values calculated during initial creation
    Total (md5): f712780adfe36bc2915819eff0926735
    MD5 hash calculated over data: f712780adfe36bc2915819eff0926735
    SHA1 hash calculated over data: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a

    Hash values for verification started at 20131030 12:48:58
    MD5 hash stored in file: f712780adfe36bc2915819eff0926735
    MD5 hash calculated over data: f712780adfe36bc2915819eff0926735
    SHA1 hash stored in file: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a
    SHA1 hash calculated over data: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a
    Completed verification process at 20131030 12:52:40

[Figure callouts: "The hash value of the original media" points at the hashes calculated during initial creation; "The verification hash values (if selected)" points at the verification section.]

Raptor Toolbox: Image to Two Separate Destinations in Two Different Formats

It is often good forensic practice to make multiple copies of a forensic image for the purposes of disaster recovery. With Raptor, two copies can be sent to two different locations at the same time. Additionally, Raptor gives you the option to image in two different formats at the same time. In order to perform this function, only one change is needed from the process listed above. First, a second destination must b…

[Screenshot: Raptor Toolbox, Image tab. Suspect on Physical device JetFlash TS1GJFV20 NPODPXY9 1GB (/dev/sde) …]
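The verification log above pairs each "hash stored in file" line with a "hash calculated over data" line, and a verification only means something if both agree with each other and with the hash recorded at creation. The following is an added example, not Raptor's own code: it parses a log laid out like the one shown (the header wording is taken from the manual, the exact separators are an assumption, and the sample text is constructed with the manual's hash values), applies that three-way check, and also recomputes MD5 and SHA1 over image bytes with hashlib so an examiner can cross-check the tool's creation hashes independently.

```python
import hashlib
import re

# Constructed sample log, laid out after the manual's verification log (section
# headers plus "stored in file" / "calculated over data" pairs). Separators are
# an assumption; the hash values are the ones the manual's sample shows.
SAMPLE_LOG = """\
Hash values calculated during initial creation
Total (md5): f712780adfe36bc2915819eff0926735
MD5 hash calculated over data: f712780adfe36bc2915819eff0926735
SHA1 hash calculated over data: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a
Hash values for verification started at 20131030 12:48:58
MD5 hash stored in file: f712780adfe36bc2915819eff0926735
MD5 hash calculated over data: f712780adfe36bc2915819eff0926735
SHA1 hash stored in file: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a
SHA1 hash calculated over data: 7afcf9661da65d09f9bfdeab4361c506a36b0c6a
"""

HASH_LINE = re.compile(r"^(MD5|SHA1) hash (stored in file|calculated over data)"
                       r"\s*:?\s*([0-9a-fA-F]{32,40})$")


def parse_log(text):
    """Return {"creation": [...], "verification": [...]} of (alg, kind, hex)."""
    sections = {"creation": [], "verification": []}
    current = None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Hash values calculated during initial creation"):
            current = "creation"
        elif line.startswith("Hash values for verification"):
            current = "verification"
        elif current and (m := HASH_LINE.match(line)):
            sections[current].append((m[1], m[2], m[3].lower()))
    return sections


def creation_hashes(text):
    """Hashes computed over the data at acquisition, keyed by algorithm."""
    return {a: h for a, k, h in parse_log(text)["creation"]
            if k == "calculated over data"}


def verification_passed(text):
    """True only if, for each algorithm hashed at creation, the stored and the
    recomputed hash both appear in the verification section and all three agree."""
    created = creation_hashes(text)
    verified = parse_log(text)["verification"]
    for alg, expected in created.items():
        stored = [h for a, k, h in verified if a == alg and k == "stored in file"]
        redone = [h for a, k, h in verified if a == alg and k == "calculated over data"]
        if not stored or not redone or not (stored[0] == redone[0] == expected):
            return False
    return bool(created)


def hash_data(data):
    """MD5 and SHA1 over raw image bytes, the same pair Raptor records."""
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest()}


def independent_check(data, text):
    """Examiner's cross-check: rehash the image bytes with a second tool (here
    hashlib) and compare against the log's creation hashes."""
    return creation_hashes(text) == hash_data(data)
```

A log that stops after the creation section, or one where any stored hash differs from the recomputed one, fails `verification_passed`; `independent_check` fails as soon as a single byte of the image differs from what was hashed.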
…unning, Pending or Finished), and the Command used to perform that function. This tab can be useful if you need to verify whether a given function has been performed. For example, if you need to image several hard drives in one computer, you could use the Tasks tab to verify which hard drives had already been imaged. A sample of the Tasks window is shown below, and it includes both wipe and format functions in addition to an image creation to two destinations and the associated image verifications.

[Screenshot: Raptor Toolbox, Tasks tab]

    Action           State      Command
    Unallocated      Finished   Physical device SanDisk Cruzer 100016010713114600A0 8GB (de…
    Unallocated      Canceled   blkls on Physical device SanDisk Cruzer 100016010713114600A0
    Format           Finished   Physical device VMware VMware Virtual S 4GB (/dev/sdd) as hfs
    Wipe             Finished   dcfldd pattern=00 bs=32k of=/dev/sda sizeprobe=1073741824
    Wipe             Finished   dcfldd pattern=00 bs=32k of=/dev/sda sizeprobe=1073741824
    Wipe             Finished   dcfldd pattern=00 bs=32k of=/dev/sdb sizeprobe=2147483648
    Network Update   Finished   update-manager
    Network Update   Finished   update-manager

All Done: Shutting Down Raptor

As most will agree, shutting down a Linux/Unix system properly is important. In order to do that in Raptor, click the Power Button icon in the upper right-hand corner of the desktop.

[Screenshot: top panel (6:53 AM) with the Power Button menu open: About This Computer, …]

Selecting Shut Down from the Menu will…
…yourself, and become comfortable in the knowledge that Raptor does what it was designed to do.

How does Raptor Work?

Raptor is used as a replacement for the operating system that is installed on a computer's hard drive. In order to be forensically sound, you want to ensure that you do not change the data on the source system hard drive. The operating system of the host is not always trustworthy, whether it is Mac OS X, Windows, another version of Linux, or any other PC-based operating system. Using Raptor's version of Linux to boot the hardware will give you access to the hard drive(s) within the computer. Since Raptor cannot write to the suspect hard drives as configured, you can perform your actions with confidence.

In order to use Raptor, you need to ensure that Raptor is the media that is booted during the initial start-up of the computer, by making sure that either the DVD-ROM drive or USB device (depending on which medium your copy of Raptor is stored on) is selected as the first bootable device. Ensure this in PC-based computers by accessing and changing the boot priority in the BIOS. With non-Apple PCs this is accomplished by pushing a button on boot-up, though the specific button varies by PC manufacturer, make and model. In order to determine the correct button to push to enter the system's BIOS, use a search engine, or test on a machine identical to the one you will be using Raptor to image, if one is available. When using a Mac, h…