10/13/11

1

Live Acquisition

CSC 486/586

Objectives   Understand what “Live Acquisition” is and when it is

appropriate   Understand the concept of “Order of Volatility”   Understand live acquisition issues and limitations   Be able to perform live acquisition using various tools and

techniques

2

What is “Live Acquisition?”

  Previously, our focus has been on “dead” or “cold” forensics   Capture and analysis of “static state” data stored on digital storage

media, where all captured data is a “snapshot” of the entire media at a single point in time where the data is write protected and/or not changing during acquisition.

  Live Acquisition involves the capture of data from a system that is running when you encounter it.   Capture before you shut it down, or in lieu of shutting it down.   Capture of ever-changing data stored on media or memory, including:

  Data stored on internal or external disks   Data active in memory (RAM)

  Running processes, open network connections/ports, remote and local logged on users, ARP cache, and many other items.

  Write protection of “running” disks not possible with current tools or technology

3

When do we consider doing it?

  Loss of data during shutdown   Pagefile set in registry to wipe at shutdown   “Evidence eliminator” apps that remove data at shutdown   Data not stored on disk (RAM contents, open ports, running

processes, logged on users, etc.)

  Encryption   Full Disk Encryption or open encrypted volumes   Cached passwords/passphrases in RAM???

  Volume of Data   Too much to image everything?   If you don’t need it all…

4

When do we consider doing it?

  Incident Response   Volatile data, lost if you turn off the computer   Suspect processes running only in RAM, not on disk.

  Court or client imposed business interruption restrictions

  Kiosk/Internet Café   Maybe no hard drive, booted by CD and everything is in RAM

  Data in the “Cloud”   Discuss with your attorney if not a consent or client/

consultant situation!

5

The Order of Volatility   The Order of Volatility is a concept, not a formal list or

specific order you must follow.   All data is volatile.   Certain types of data are more persistent (longer-lasting)

than others.   Registers, caches, etc.: nanoseconds   RAM contents: nanoseconds   Network state (active/listening connections): miliseconds   Running processes: seconds   Disk contents: minutes   Backup disks/storage: years

  Every process you do to capture or view a piece of data, modifies other pieces of system data in the process.

6

10/13/11

2

Order of Volatility   Capturing RAM will take time to complete, and during that

time, other useful information such as running processes, open files, network connections, will likely have changed or disappeared.

  While overall memory is continuously changing, on a new system with a large amount of RAM, many memory pages may linger for considerable time without being overwritten.

  There is no absolute step-by-step order in which you should capture volatile data…every case is different!

  The examiner must be aware of the overall context of the investigation in order to make informed decisions on the order of evidence acquisition, based on what information is most important to them in this case.

7

Issues and Limitations

8

Issues and Limitations   The computer is running, everything you do modifies the

system in some way.   The more you do, the more you modify. Only do what is necessary.

  Your process should be reproducible, but the results of your capture will likely not be reproducible. The state of the system and live data will never again be exactly the same as it was when you captured it.

  Pre-acquisition hash values of disks or partitions that are changing during acquisition will not verify against a hash of the captured data and are therefore not appropriate.   Pre-acquisition hashes of individual files or any other data that is not

changing during the live acquisition process will verify against hashes of the acquired data, and are therefore appropriate to utilize.

  Post-acquisition hashes are still appropriate to later authenticate that copies of your “original” captured data is identical.

9

Issues and Limitations   Not all tools are created equal! Many tools were not

designed for “live response” but are often used as such and have a much larger system footprint than you might like.   Typically, the smaller the memory footprint, the better.

  Can you really testify about what your live processes touched?   Do all tools/methods touch the same memory addresses?   What do they overwrite when you run them?   How do you know? Did you perform comparison test of your

tools using memory reading/debugging tools?

10

Issues and Limitations   Imaging a running hard disk?

  You will get a “smear” image!   If you need to “boot” a restored version of an image, a “smear”

may not boot!

11

Issues and Limitations   Be aware of your capture tool’s shortcomings.

  Does it capture NTFS or other file system unique attributes?   What happens if the image/archive get’s corrupted (bad

sector), is it recoverable?   Does it preserve all file system dates/times? Or modify them in

the acquisition process?   How is the compression/speed when acquiring? How long will

this take?

12

10/13/11

3

Issues and Limitations   What tool(s) will you use to analyze the data you

capture?   RAM analysis tools are new and developing, but far from

refined.   Much data is not in plain ASCII text format. Will you be able to

search or decipher the captured live data?

  Most everything (process list, open ports, etc.) will be included in a RAM image, but parsing out this info in a usable format may be difficult or impossible with current tools.   Capture of items like process lists, open ports, etc. using

Sysinternals tools (or other) may be a better option.

13

Tools & Techniques   Local Data Collection

  Physical access to subject computer   Portable tools run locally

  Forensic disk imaging   Archiving, backup, logical copying   Volatile data capturing

  Data captured onto locally attached disk (USB, IEEE1394, etc.)

  Network Data Collection   Pre-installed on network computers   On-the-fly options (push remote agent)   Run tool locally & push result to other machine on the network via

netcat or similar   External network scan of subject computer

14

  Many tools require “Administrative” or elevated permissions to run and access various “protected” system information.

  Console may be locked.   Remote network collection of data may be possible.

  Limited options in an adversarial situation without Administrator cooperation.

Physical Access

15

  Run from a disk you introduce to the running system (i.e. CD/DVD/USB/IEEE1394/SATA/etc.)

  When possible, always use your own trusted tools and/or binaries. Do not rely on the soundness of built-in OS tools or those pre-installed on a subject computer, especially in potentially compromised systems (i.e. incident response).

Portable Tools

16

Trusted Binaries

17

Trusted Binaries   Example: command.com edited with a HEX editor to

“swap” DIR and DEL commands.

18

10/13/11

4

Trusted Binaries   Some of your standard tools will run on a variety of OSs

  For example, FTK Imager Lite runs on most “live” Windows versions.

  Many OS component tools (i.e. netstat, nbtstat, ipconfig, etc.) are OS version dependant and you must have trusted versions of any such tools for all the OS versions you will encounter.

19

Trusted Binaries

20

Disk Imaging

21

Archiving, Backup, Logical Copying

22

 RAM, Process and system info collection

23

Volatile Data Collection RAM, Process & system info   Automated tool kits

  Windows Forensics Toolchest (WFT)   Incident Response Collection Report (IRCR)   First Responders Evidence Disk (FRED)   Computer Online Forensic Evidence Extractor (COFEE)

  Sysinternals Suite   http://technet.microsoft.com/en-us/sysinternals/default.aspx   Many Sysinternals tools are used in the above “automated” tool kits.

  Standard OS commands (your own binaries)   X-Ways Capture   RAM capture: WinEn, dd, Nigilant32, FTK Imager, WinHex/

XWF, and many more…

24

10/13/11

5

Network Data Collection

25

Network Data Collection   Pre-installed or ability to “push” remote agent to subject

machine with Admin permissions.   Most remote agents can be installed/pushed in normal or

stealth modes to avoid detection.   Tools:

  OnlineDFS   EnCase Enterprise (or FIM)   AccessData Enterprise   ProDiscover-IR   F-Response   Several others…

26

NetCat

27

Network Scans

28

Results without Admin credentials Results with Admin credentials

Network Scans   Results affected by Firewall or other IDS/IPS protection.   Results affected by user credentials utilized to perform

scan.   Only scans and reports on the items you specify in your

scanning tool’s profile.   Exhaustive scanning profiles can take significant time.

29

For those really adventurous and not afraid of electricity…

10/13/11

6

Wiebetech Hot Plug   Physical seizure without

shutdown???   Take it back to your office to

work on it.   http://www.wiebetech.com/

products/HotPlug.php   Keep system console from

locking or hibernating with “Mouse Jiggler”

  http://www.youtube.com/watch?v=erq4TO_a3z8

  http://www.youtube.com/watch?v=-G8sEYCOv-o&feature=related

31

Questions???   Use the discussion board, as usual…