Introduction to Microsoft Windows Live Forensics Flashcards
There are a number of reasons why the current contents of a live system and its volatile information are of great interest:
- Assistance with static analysis
- Obtain passwords, key material, unencrypted data
- Reconstruct session and application information
- Identify network traffic and applications
In other cases taking down a system is undesirable:
- Forensic investigation may need to be conducted clandestinely
- Mission-critical systems may not be shut down, or downtime must be kept to a minimum
Most applications are not designed to minimise exposure of sensitive data in volatile memory:
- Passwords, cryptographic material but also application data is typically retained
- Even when memory is released, it is typically not overwritten for performance reasons
- Particularly on relatively quiescent systems with large amounts of RAM, this can result in retention of data long after a process has finished
- If such memory is re-used without being zeroed out, other processes may also leak this information
Most straightforward mechanisms for obtaining live memory require some level of operating system support:
- Physical memory access, dumping of memory content
* This typically implies synchronisation or locking, but may not always be feasible or desirable
Live Imaging Techniques - Two key problems are unavoidable in this context:
Volatility: Even if the target system is frozen during a snapshot, some background volatility inevitably remains
Artefacts: The very fact that observations are conducted will result in artefacts
Live Imaging Tool - Networking:
Various network interface activity monitors
Live Imaging Tool - Security:
Access rights checks, local and remote shares and access to these
Live Imaging Tool - Processes:
Real-time DLL, thread and process activity monitoring and dependencies among components
Live Imaging Tool - System Information:
Review Active Directory structures, memory mapping, file handles, live kernel debugging
Live Imaging Tool - File and Disk:
File system activity
Live Imaging Tool - Disk2VHD:
Capture an image and convert it to a virtual drive
Live Imaging Tool - Sysmon:
Allows logging and tracking of process activity
Live Imaging Tool - ProDiscover IR:
An agent running on the target system performs low-level capture of RAM and disk content. It accesses the low-level interfaces directly and does not make use of interpretation layers such as device drivers, but may still be susceptible to subversion
Live Imaging Tool - EnCase:
OpenText EnCase is part of the OpenText offerings. Law enforcement modules also capture memory and kernel structures whilst running an agent on local systems
Live Imaging Tool - FTK:
AccessData's Forensic Toolkit also performs memory capture using an agent-based architecture
Most tools on Windows systems will go through the regular APIs:
1) ReadFile
2) Transition to kernel mode, call via KiSystemService
3) Call to NtReadFile, call to I/O subsystem and generation of IRP in the I/O Manager
4) Calls to file system drivers, volume managers
5) Calls to disk drivers, port drivers, miniport drivers
Blue Screen of Death crash dumps provide valuable information, as do application crash dumps:
- These also suffer from similar problems as tools for live forensics
- One key issue is that of consistent kernel virtual memory dumps - this is possible only when the system is halted and even then is incomplete
- Tools such as WinDD and Fast Dump Pro can also help, but are rather more crude than the commercial offerings