Live Acquisition

Report
Live Acquisition
CSC 486/586
Objectives
Understand what “Live Acquisition” is and when it is
appropriate
Understand the concept of “Order of Volatility”
Understand live acquisition issues and limitations
Be able to perform live acquisition using various tools and
techniques




2
What is “Live Acquisition?”
Previously, our focus has been on “dead” or “cold” forensics


Capture and analysis of “static state” data stored on digital storage
media, where all captured data is a “snapshot” of the entire media at
a single point in time where the data is write protected and/or not
changing during acquisition.
Live Acquisition involves the capture of data from a system
that is running when you encounter it.



Capture before you shut it down, or in lieu of shutting it down.
Capture of ever-changing data stored on media or memory, including:


Data stored on internal or external disks
Data active in memory (RAM)


3
Running processes, open network connections/ports, remote and local logged
on users, ARP cache, and many other items.
Write protection of “running” disks not possible with current tools
or technology
When do we consider doing it?
Loss of data during shutdown




Pagefile set in registry to wipe at shutdown
“Evidence eliminator” apps that remove data at shutdown
Data not stored on disk (RAM contents, open ports, running
processes, logged on users, etc.)
Encryption



Full Disk Encryption or open encrypted volumes
Cached passwords/passphrases in RAM???
Volume of Data



4
Too much to image everything?
If you don’t need it all…
When do we consider doing it?
Incident Response



Volatile data, lost if you turn off the computer
Suspect processes running only in RAM, not on disk.
Court or client imposed business interruption
restrictions
Kiosk/Internet Café



Maybe no hard drive, booted by CD and everything is in RAM
Data in the “Cloud”


5
Discuss with your attorney if not a consent or
client/consultant situation!
The Order of Volatility
The Order of Volatility is a concept, not a formal list or
specific order you must follow.
All data is volatile.
Certain types of data are more persistent (longer-lasting)
than others.









Registers, caches, etc.: nanoseconds
RAM contents: nanoseconds
Network state (active/listening connections): miliseconds
Running processes: seconds
Disk contents: minutes
Backup disks/storage: years
Every process you do to capture or view a piece of data,
modifies other pieces of system data in the process.

6
Order of Volatility
Capturing RAM will take time to complete, and during that
time, other useful information such as running processes, open
files, network connections, will likely have changed or
disappeared.
While overall memory is continuously changing, on a new
system with a large amount of RAM, many memory pages may
linger for considerable time without being overwritten.
There is no absolute step-by-step order in which you should
capture volatile data…every case is different!
The examiner must be aware of the overall context of the
investigation in order to make informed decisions on the
order of evidence acquisition, based on what information is
most important to them in this case.




7
Issues and Limitations
8
Issues and Limitations
The computer is running, everything you do modifies the
system in some way.


The more you do, the more you modify. Only do what is necessary.
Your process should be reproducible, but the results of your
capture will likely not be reproducible. The state of the system
and live data will never again be exactly the same as it was
when you captured it.
Pre-acquisition hash values of disks or partitions that are
changing during acquisition will not verify against a hash of the
captured data and are therefore not appropriate.




9
Pre-acquisition hashes of individual files or any other data that is not
changing during the live acquisition process will verify against hashes
of the acquired data, and are therefore appropriate to utilize.
Post-acquisition hashes are still appropriate to later authenticate that
copies of your “original” captured data is identical.
Issues and Limitations

Not all tools are created equal! Many tools were not
designed for “live response” but are often used as such
and have a much larger system footprint than you might
like.


Typically, the smaller the memory footprint, the better.
Can you really testify about what your live processes
touched?



10
Do all tools/methods touch the same memory addresses?
What do they overwrite when you run them?
How do you know? Did you perform comparison test of your
tools using memory reading/debugging tools?
Issues and Limitations

Imaging a running hard disk?


11
You will get a “smear” image!
If you need to “boot” a restored version of an image, a “smear”
may not boot!
Issues and Limitations

Be aware of your capture tool’s shortcomings.




12
Does it capture NTFS or other file system unique attributes?
What happens if the image/archive get’s corrupted (bad
sector), is it recoverable?
Does it preserve all file system dates/times? Or modify them in
the acquisition process?
How is the compression/speed when acquiring? How long will
this take?
Issues and Limitations

What tool(s) will you use to analyze the data you
capture?



RAM analysis tools are new and developing, but far from
refined.
Much data is not in plain ASCII text format. Will you be able to
search or decipher the captured live data?
Most everything (process list, open ports, etc.) will be
included in a RAM image, but parsing out this info in a
usable format may be difficult or impossible with current
tools.

13
Capture of items like process lists, open ports, etc. using
Sysinternals tools (or other) may be a better option.
Tools & Techniques

Local Data Collection


Physical access to subject computer
Portable tools run locally





Forensic disk imaging
Archiving, backup, logical copying
Volatile data capturing
Data captured onto locally attached disk (USB, IEEE1394, etc.)
Network Data Collection




14
Pre-installed on network computers
On-the-fly options (push remote agent)
Run tool locally & push result to other machine on the network via
netcat or similar
External network scan of subject computer
Physical Access


Many tools require “Administrative” or elevated
permissions to run and access various “protected” system
information.
Console may be locked.


Remote network collection of data may be possible.
Limited options in an adversarial situation without
Administrator cooperation.
15
Portable Tools


Run from a disk you introduce to the running system (i.e.
CD/DVD/USB/IEEE1394/SATA/etc.)
When possible, always use your own trusted tools and/or
binaries. Do not rely on the soundness of built-in OS
tools or those pre-installed on a subject computer,
especially in potentially compromised systems (i.e.
incident response).
16
Trusted Binaries
17
Trusted Binaries

Example: command.com edited with a HEX editor to
“swap” DIR and DEL commands.
18
Trusted Binaries

Some of your standard tools will run on a variety of OSs


For example, FTK Imager Lite runs on most “live” Windows
versions.
Many OS component tools (i.e. netstat, nbtstat, ipconfig,
etc.) are OS version dependant and you must have
trusted versions of any such tools for all the OS versions
you will encounter.
19
Trusted Binaries
20
Disk Imaging
21
Archiving, Backup, Logical Copying
22
Volatile Data Collection
 RAM, Process
23
and system info collection
RAM, Process & system info

Automated tool kits





Sysinternals Suite





Windows Forensics Toolchest (WFT)
Incident Response Collection Report (IRCR)
First Responders Evidence Disk (FRED)
Computer Online Forensic Evidence Extractor (COFEE)
http://technet.microsoft.com/en-us/sysinternals/default.aspx
Many Sysinternals tools are used in the above “automated” tool kits.
Standard OS commands (your own binaries)
X-Ways Capture
RAM capture:WinEn, dd, Nigilant32, FTK Imager,
WinHex/XWF, and many more…
24
Network Data Collection
25
Network Data Collection



Pre-installed or ability to “push” remote agent to subject
machine with Admin permissions.
Most remote agents can be installed/pushed in normal or
stealth modes to avoid detection.
Tools:






26
OnlineDFS
EnCase Enterprise (or FIM)
AccessData Enterprise
ProDiscover-IR
F-Response
Several others…
NetCat
27
Network Scans
Results without Admin credentials
28
Results with Admin credentials
Network Scans



Results affected by Firewall or other IDS/IPS protection.
Results affected by user credentials utilized to perform
scan.
Only scans and reports on the items you specify in your
scanning tool’s profile.

29
Exhaustive scanning profiles can take significant time.
For those really adventurous and not afraid
of electricity…
Wiebetech Hot Plug






Physical seizure without
shutdown???
Take it back to your office to
work on it.
http://www.wiebetech.com/prod
ucts/HotPlug.php
Keep system console from
locking or hibernating with
“Mouse Jiggler”
http://www.youtube.com/watch?v=erq
4TO_a3z8
http://www.youtube.com/watch?v=G8sEYCOv-o&feature=related
31
Questions???

Use the discussion board, as usual…

similar documents