Netware Advanced Investigation Challenges

Introduction

This paper introduces the challenges and problems associated with advanced forensic investigations of Novell NetWare servers, and makes the case for a greater understanding of the Novell NetWare platform in the industry. During the research for this article, several tactics and forensic programs were tested in an attempt to provide some kind of advanced investigation catalyst for Novell NetWare.

EnCase 5

All of EnCase's features and advertisements indicated that support for Novell might be possible, and during acquisition of the image from the DOS bootable version of EnCase the program did indeed show the format of the NetWare partition as NETWARE31, indicating some native support for the NetWare file system. However, once the image was imported into EnCase 5 there was no way of browsing the files located on the server, so the investigation could not be completed.

Figure 1: EnCase acquiring the NetWare image from the DOS bootable disk

Figure 2: Drives imported into EnCase

Figure 3: Search box is grayed out, no file listing

Upon further investigation it was discovered that Novell file systems are not supported by EnCase.

Figure 4: NetWare not supported

FTK: Forensic Toolkit

FTK (the latest version at the time of this publication was 1.70.1) fared slightly better than EnCase when presented with the same image: the FTK program recognized both partitions, the first being the DOS bootable partition and the second the NetWare file system.

Figure 5: Evidence partition summary in FTK

The FTK program then scanned the image for questionable files.

Figure 6

However, it quickly became apparent that FTK would not be scanning the Novell partition and was only scanning the bootable C drive of the system.

Figure 7: FTK Explore dialog, indicating the "unknown" NetWare file system

Both of the main forensic suites (EnCase and FTK) were unable to properly investigate a NetWare image, so it is necessary to use certified Novell programs such as Filer and Ontrack to properly investigate the server. Although FTK did properly identify and catalog the operating system partition of the server, this is of little use, as that partition is not directly accessible to NetWare users.
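
As an added check (not part of the original paper), the following Python script reads the MBR partition table at the start of a raw image and flags entries whose type ID is the conventional Novell NetWare value, so an investigator can confirm that a partition a suite labels "unknown" is in fact NetWare before choosing tools. The MBR used here is constructed for the example, and the type IDs (0x64 NetWare 286, 0x65 NetWare 386, 0x06 FAT16) are standard MBR assignments assumed for the illustration, not values taken from the paper.

```python
import struct

SECTOR = 512
# Conventional MBR partition type IDs (assumed standard values, not from the paper).
NETWARE_TYPES = {0x64: "Novell NetWare 286", 0x65: "Novell NetWare 386"}
KNOWN_TYPES = {0x06: "FAT16", 0x07: "NTFS/HPFS", 0x0B: "FAT32", **NETWARE_TYPES}
# One 16-byte entry: status, CHS start, type, CHS end, LBA start, sector count.
ENTRY_FMT = "<B3sB3sII"


def build_mbr(entries):
    """Construct a 512-byte MBR from (type_id, first_lba, sector_count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries[:4]):
        status = 0x80 if i == 0 else 0x00  # mark the first entry bootable
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_mbr(data):
    """Return the non-empty partition entries found in the first sector of an image."""
    if len(data) < SECTOR or data[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature at offset 510")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(ENTRY_FMT, data, 446 + 16 * i)
        if ptype == 0:
            continue  # unused slot
        parts.append({"index": i, "bootable": status == 0x80, "type_id": ptype,
                      "name": KNOWN_TYPES.get(ptype, "unknown"),
                      "start_lba": start, "sectors": count,
                      "netware": ptype in NETWARE_TYPES})
    return parts


def netware_partitions(data):
    """Entries that carry a NetWare type ID, whatever a forensic suite calls them."""
    return [p for p in parse_mbr(data) if p["netware"]]


# Constructed sample: a DOS boot partition followed by a NetWare 386 partition.
SAMPLE_MBR = build_mbr([(0x06, 63, 1024000), (0x65, 1024063, 8000000)])

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        flag = "  <- NetWare partition, check tool support" if p["netware"] else ""
        print(f"#{p['index']} type 0x{p['type_id']:02X} {p['name']} "
              f"start={p['start_lba']} sectors={p['sectors']}{flag}")
```

On a real acquisition, pass the first 512 bytes of the raw (dd-style) image to `parse_mbr`; a NetWare hit tells you up front that the suite's "unknown" partition needs Novell-native tools.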
