Introduction to Microsoft Windows Live Forensics

Question 1

There are a number of reasons why the current contents of a live system and its volatile information are of great interest:

Answer 1

• Assistance with static analysis
• Obtain passwords, key material, unencrypted data
• Reconstruct session and application information
• Identify network traffic and applications

Question 2

In other cases taking down a system is undesirable:

Answer 2

• Forensic investigation may need to be conducted clandestinely
• Mission-critical systems may not be shut down, or downtime must be kept to a minimum

Question 3

Most applications are not designed to minimise exposure of sensitive data in volatile memory:

Answer 3

• Passwords, cryptographic material but also application data is typically retained
• Even when memory is released, it is typically not overwritten for performance reasons
• Particularly on relatively quiescent systems with large amounts of RAM, this can result in retention of data long after a process has finished
• If such memory is re-used without being zeroed out, other processes may also leak this information

Question 4

Most straightforward mechanisms for obtaining live memory require some level of operating system support:

Answer 4

• Physical memory access, dumping of memory content

* This typically implies synchronisation or locking, but may not always be feasible or desirable

Question 5

Live Imaging Techniques - Two key problems are unavoidable in this context:

Answer 5

Volatility: Even if the target system is frozen during a snapshot, some background volatility inevitably remains
Artefacts: The very fact that observations are conducted will result in artefacts

Question 6

Live Imaging Tool - Networking:

Answer 6

Various network interface activity monitors

Question 7

Live Imaging Tool - Security:

Answer 7

Access rights checks, local and remote shares and access to these

Question 8

Live Imaging Tool - Processes:

Answer 8

Real-time DLL, thread and process activity monitoring and dependencies among components

Question 9

Live Imaging Tool - System Information:

Answer 9

Review Active Directory structures, memory mapping, file handles, live kernel debugging

Question 10

Live Imaging Tool - File and Disk:

Answer 10

File system activity

Question 11

Live Imaging Tool - Disk2VHD:

Answer 11

Capture an image and convert it to a virtual drive

Question 12

Live Imaging Tool - Sysmon:

Answer 12

Allows logging and tracking of process activity

Question 13

Live Imaging Tool - ProDiscover IR:

Answer 13

Agent running on target system performs low-level capture of RAM and disk content. This accesses the low-level interfaces and does not make use of interpretation layers such as device driver but may still be susceptible to subversion

Question 14

Live Imaging Tool - EnCase:

Answer 14

OpenTex EnCase are parts of Open Text offerings. Law enforcement modules also capture memory and kernel structures whilst running an agent on local systems

Question 15

Live Imaging Tool - FTK:

Answer 15

Access Data’ Forensic Toolkit also memory capture using an agent-based architecture

Question 16

More tools on Windows systems will go through regular APIs:

Answer 16

1) ReadFile
2) Transition to kernel mode, call via KiSystemService
3) Call to NtReadFile, call to I/O subsystem and generation of IRP in the I/O Manager
4) Calls to file system drivers, volume managers
5) Calls to disk drivers, port drivers, miniport drivers

Question 17

The Blue Screen of Death crash dumps provide valuable information as do applications:

Answer 17

• These also suffer from similar problems as tools for live forensics
• One key issue is that of consistent kernel virtual memory dumps - this is possible only when the system is halted and even then is incomplete
• Tools such as WinDD and Fast Dump Pro can also help, but are rather more crude than the commercial offerings