XP to Linux Networking

DRobertson

New Linux guy here....

I am taking a computer forensics class and one of my assignments is to network a XP pro box to a Linux (Ubuntu) box and image the entire Linux hard drive.

Using a ethernet crossover cable, I was able to get the 2 machines to ping back and forth (after some trial and error). I also got the Linux box to see the XP C:\ drive and to access files on the XP box. But…I am still fighting to get the XP box to see anything on the Linux box. Because I’m doing a data forensics exercise, I do not want to download any kind of file sharing software on the Linux box. I know I should be able to do this, but I’ve been fighting with this piece of it for the better part of the evening and I’m to the point of asking for advise.

Thanks!

Goineasy9

I've never had the pleasure of having to access XP files from Linux, but, I do believe explore2fs might help. There might be some newer apps that might be useful, but I haven't used XP in a very long time, and, haven't kept up with the newest techniques.

Link:
http://www.chrysocome.net/explore2fs

mfillpot

Getting Linux to speak with and see the files on the windows box was easy because linux system can read windows based filesystems and window XP has a default file share to show the entire system. The issues will will run into when trying to read the Linux system's data are reading the filesystem and being able to actually access the files.

The simplest answer would be to setup an ssh server on the Linux system and use putty from windows to navigate within the filesystem and copy the files to a writable ftp server.

But since the level of difficulty in your forensics projects will vary I would like for you to share how you accomplished communication from Linux to windows and we can recommend a comparative method.

woboyle

Generally, imaging a hard drive means to create a faithful bit-copy of the device, including the boot sector (boot loader and partition table). This requires physical access to the device - you CANNOT do this over a network! If you are considering two systems connected via a network interface, then both systems have to be running, and there has to be some software on the target end (the system you want to image) that will present the device to another on the network. Typically this is via a file system manager, such as Samba, NFS, Andrew, etc.

So, if I were grading your teacher of this class, I would fail them if you have presented your assignment correctly. What I would do is to get an external drive enclosure, remove the Linux drive, install it in the enclosure, connect to Windows, and then use available software to copy the entire physical disc to a compressed file on the Windows hard drive. However, this is usually reverse of what one needs to do in the real world - generally we use Linux systems for forensic analysis of both Windows and Linux systems since the tools are much more powerful, less prone to compromise, and robust for this sort of work. I speak as a professional systems software engineer with 30 years experience in the field.

BTW, mfillpot's suggestion is a good one, with one caveat - this will result in a view of a running system. This can be good, but in any case you want to get the following:

1. A raw disc image dump of the system drive. This will get all files, boot loader, partition table, swap space if on same disc (usually is).
2. A complete memory (RAM) dump.
3. A raw disc image dump of any other drives attached to the system.

As I said, you will have to run software on the target system, which will skew the results since the software required to capture the images will affect those images, especially the memory and swap space dump. The disc image dumps are best captured from a shut-down system. The memory dump requires that the system be running. However, to be complete, you should get disc image dumps from both the running system, as well as when it is shut down. Some system compromises can mask themselves when the system is shut down, and if installed into the kernel can also mask themselves when the system is running as in "oh, someone has mapped RAM and is copying it - I'll remove myself to elsewhere until they are done...". Anyway, good luck with your endeavors in the realm of computer forensic analysis.

mfillpot

Rubberman,
Thank you for the reply it reinforces what I was assuming is the goal. Because the poster stated that they accomplished their goal via a network in getting their windows image I am assuming that he confused terms, but we will see after the next response.