NAS Forensics Explained

Oleg Afonin, Danil Nikolaev, Yuri Gubanov © Belkasoft Research

Network Attached Storage (NAS) have a long track history of corporate deployments. Their scaled-down versions (ranging from single-bay to four-drive enclosures) are frequently used at homes and in the offices. These smaller-size appliances are often called “personal clouds” for providing some parts of functionality of online cloud services.

More and more people prefer using their laptop computers at home instead of a full-size desktop. As many laptops are equipped with relatively small, non-expandable storage, NAS becomes an obvious and convenient way to increase available storage. In home environments, NAS storage are often used for keeping backups and/or storing large amounts of multimedia data such as videos, music and pictures, often including illicit materials. Due to the sheer size of these storage devices and their rapidly increasing popularity with home users, NAS forensics becomes increasingly important.

When acquiring information from the suspect’s computer, investigators often face a challenge of extracting information also from all external storage devices. Why is NAS acquisition a challenge, and what can be done to overcome it?

Read other Belkasoft articles

NAS and External Enclosures

First and foremost, let us rule out one question: what is the difference between a single-bay NAS and a hard drive enclosure? Hard drive enclosures such as WD Passport, Seagate Expansion or Toshiba STOR and Canvio series are just that: 2.5” hard drives enclosed into a slim shell with one or more outputs allowing users to hot-plug these devices to their computers. USB is the most common connection used in these devices, but eSATA, FireWire and even wireless connectivity options are not uncommon. However, as these drives are connected directly to the computer, and that computer is most probably going to be a Windows PC, external hard drives are commonly formatted with either NTFS (mostly) or FAT32 (in rare cases, as FAT32 imposes a 4GB limitation on the maximum file size).

As a result, acquiring external hard drives is relatively easy and not different at all from acquiring a built-in hard drive.

NAS storage systems, on the other hand, are computer devices running an operating system of their own. There is no option for outside low-level access to the hard drive(s) used inside a NAS unit. Instead, the internal operating system manages all reads and writes, only allowing users to access information stored on its hard drives via a network share (SMB and DLNA are the most common communication protocols supported by NAS drives).

Please register to access full versions of Belkasoft articles

Oleg Afonin, Danil Nikolaev, Yuri Gubanov © Belkasoft Research