PPT - theforcenet.ca


Novell Netware
File Recovery and Forensics
What is Netware?
• Novell Netware is a network operating system that works on LDAP principles to offer users a robust platform for hosting files, printers and other network-related services.
History of Netware
• Early design in 1983
• Designed to host files to DOS workstations
• First OS to use network drive mapping to local workstations
• Proprietary designer of the IPX network interface
• Originally manufactured by the SuperSet Corporation, bought by Novell in 1983 to support a network OS for the hardware Novell was making at the time.
Netware Facts
Website: www.novell.com
Company/developer: Novell, Inc.
Source model: Closed source
Latest stable release: 6.5 SP6 / November 6, 2006
Kernel type: Hybrid kernel
Default user interface: CLI
License: Proprietary
Working state: Current
Client / Server Interface
• With the introduction of Netware 5, Novell offers its users and administrators a never-before-seen level of off-server management, meaning that the majority of work can be done without directly accessing the server, through Console1 or Novell’s imanager software.
Who uses Netware?
Who Likes Netware?
Tony Does
Packet Encryption – How off Server
administration works for Forensics
• With Netware’s heavy inclusion of RSA-standard encryption, all transmission from the server to the client (including web clients) is encrypted, ensuring secure communication and data continuity.
File Recovery
Programs to Use:
- NWFiler (Novell File Utility)
- Kroll Ontrack for Netware
Why not Disk Editor
• Norton Disk Editor was designed for FAT partitions; without further testing there is no evidence to support what Disk Editor will do to an NFS.
Filer
• On Console or via Network
Salvaging Files
To recover files, use the Salvage Deleted Files option:
- To recover files from directories that exist in the file system
- To recover deleted directories
Enter an extension or leave as wildcard.
Navigate to the folder; only deleted files and directories will appear in the file browser.
MAC Information
Confirmation
The recovered file is shown in the original directory.
Filer Methodology
• Filer was originally intended to be a file browser for Netware administrators.
• Filer can be used to recover files that have not been purged from the system (files are only purged when an administrator purges them using the “purge” option from the Filer menu).
When Files have been Purged
• Kroll Ontrack File Recovery for Netware
• Must be installed on the server
– NLM (Netware Loadable Module)
• Only accessed via the server console or RConsoleJ (Netware remote console with imanager)
• Use the NetFile option
Selecting a Volume
File Tree
Supported Recovery Destinations
First Response
Tools to use:
• Novell Console 1
• Novell Netware Client
• Novell NWADMIN
• Novell Imanager
Items to Record
• Time
• IP / IPX configuration
• Users connected to the server
• Server running processes
• MAC times
• Console commands
• Log files
Time – Console
• To record the time from the system console, simply execute the command “time”.
Internet Protocol and IPX Configuration – Console
• From the server console, execute the command “ipconfig”.
Internet Protocol and IPX Configuration – Remote
• Open Console 1
• Right-click on the Server object
• Under the General – Identification tab, the IP and IPX addresses are listed
Users Connected to the Server – Client variant
• Novell Send Message dialog
To access the Send Message dialog, left-click on the N icon in the Windows taskbar, expand the NetWare Utilities menu and click the “Send Message to Users” menu option.
Users Connected to the Server – imanager variant
• Launch imanager
• Click the Connections menu item
Server Running Processes Console
To establish which processes or programs are running on the Netware server, the user should first log in to the GUI environment on the server, then open the “remote console program”, which simply provides a GUI version of the console and additionally provides a more organized view of the various console functions.
To cycle through the running processes, click the Screens menu option; this will list the running programs. If the examiner wishes to view the parameters with which the programs are running, simply click on the option under the Screens command.
Server Running Processes imanager
• Launch imanager
• Choose the “screens” command from the menu
• This will display all applications running on the server
MAC Times
• Map volumes to local drives
• Use a DOS command to view MAC times
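The “Items to Record” and “MAC Times” slides describe the first-response step of mapping the volume to a local drive and listing modified/accessed/created times. The script below is an added example, not part of the original slides or of any Novell tool: it walks a mapped volume read-only from the investigative workstation, records the M/A/C times, size and SHA-256 of every entry in a deterministic order, and writes them to a CSV together with the examiner's collection time, so the listing can later be diffed or verified. The drive letter, report file name and the small sample tree it builds when run without arguments are hypothetical, constructed for the example.

```python
"""MAC-time collection from a mapped volume (added example).

Not part of the original slides. Assumes the examiner has already mapped the
Netware volume to a local drive letter or mount point and runs this from the
investigative workstation; the drive letter, output file name and the sample
tree below are hypothetical.
"""
import csv
import hashlib
import os
import sys
import tempfile
from datetime import datetime, timezone

FIELDS = ["path", "type", "size", "mtime", "atime", "ctime", "sha256"]


def iso_utc(ts: float) -> str:
    """Render a POSIX timestamp as ISO-8601 UTC so server and workstation clocks compare."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def sha256_file(path: str) -> str:
    """Hash a file in chunks. Reading content can bump atime, so stat is taken first."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_mac_times(root: str, hash_files: bool = True) -> list:
    """Walk `root` and record M/A/C times for every file and directory.

    Entries are sorted per directory so two collections of the same tree can be
    diffed. os.lstat is used so links are recorded as themselves, not their targets.
    Paths use '/' regardless of platform so reports from different workstations match.
    """
    records = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                st = os.lstat(full)  # metadata first, before any content read
            except OSError as exc:
                records.append({"path": rel, "type": "error", "size": 0,
                                "mtime": "", "atime": "", "ctime": "", "sha256": str(exc)})
                continue
            is_dir = name in dirnames
            rec = {
                "path": rel,
                "type": "dir" if is_dir else "file",
                "size": st.st_size,
                "mtime": iso_utc(st.st_mtime),  # M: last content modification
                "atime": iso_utc(st.st_atime),  # A: last access
                "ctime": iso_utc(st.st_ctime),  # C: creation on Windows, metadata change on POSIX
                "sha256": "",
            }
            if hash_files and not is_dir:
                rec["sha256"] = sha256_file(full)
            records.append(rec)
    return records


def write_report(records: list, out_path: str) -> int:
    """Write the records as CSV, prefixed with the examiner's collection time (UTC).

    Returns the number of entry rows written; the two header lines are not counted.
    """
    with open(out_path, "w", newline="") as f:
        f.write("# collected_utc,%s\n" % datetime.now(timezone.utc).isoformat())
        w = csv.DictWriter(f, fieldnames=FIELDS)
        w.writeheader()
        for rec in records:
            w.writerow(rec)
    return len(records)


def build_constructed_sample() -> str:
    """Create a small constructed tree that stands in for a mapped volume."""
    base = tempfile.mkdtemp(prefix="netware_vol_")
    os.mkdir(os.path.join(base, "sub"))
    with open(os.path.join(base, "a.txt"), "wb") as f:
        f.write(b"hello")
    with open(os.path.join(base, "sub", "b.bin"), "wb") as f:
        f.write(b"\x00\x01")
    return base


if __name__ == "__main__":
    # Usage: python mac_times.py M:\ mac_report.csv   (drive letter is hypothetical)
    root = sys.argv[1] if len(sys.argv) > 1 else build_constructed_sample()
    out = sys.argv[2] if len(sys.argv) > 2 else "mac_report.csv"
    n = write_report(collect_mac_times(root), out)
    print("%d entries written to %s" % (n, out))
```

Write the report to the workstation, never onto the mapped evidence volume, and take the timestamps before hashing: hashing reads file content, which on volumes that track access time would alter the very A-time being recorded. Pass `hash_files=False` when only the times are wanted.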
Console Commands
To view recent commands that have been executed on the server, the GUI console LOG file is used. To access the file, click on Utilities and then the “console log” item from the main menu.
The accompanying window will show all commands executed on the server.
Log Files
• Logs are stored in the system volume under the following path:
• SYS: JAVA/NWGFX
• Must be logged in as admin to access this directory
The Lab: Setup
• Groups of 2 or 3
• Two computers connected to a switch
• One server, one investigative workstation
• Statically assigned IP addresses
• Server: 172.16.0.6, Workstation: 172.16.0.7 (255.255.0.0)
Computer 1 : Server
• Open the VMware image of the server
• Run the VMware image of the server
Computer 2: Investigative Machine
Option A: Install the following:
• Netware Client
• Console 1
Option B: Use the VMware image
Accounts
Tree CSI1
Context: Admin
Server: Theserver
Username: admin
Password: tcpip