Week 4 - Live Data Acquisition - Windows Flashcards
Non Volatile Data Collection from a Live System - Live Disk Imaging
Live Disk Imaging (forensic copy of the suspect’s disk while it is running) - no write blocker:
- Almost always need admin rights (always from Vista upwards)
- Can image the full disk or certain partitions
- Possible to crash the system
- Verification via hash functions is not usually possible, because the disk is in use and therefore constantly changing
- In Windows the physical disks can be accessed through the device path \\.\PhysicalDrive followed by the drive number (e.g. \\.\PhysicalDrive0)
List Some Tools for Live Disk Imaging (Windows)
- dd (chrysocome)
- FTK Imager (GUI)
- EnCase
- ProDiscover IR
- SMART
Tools for Live Disk Imaging (Windows) - dd
- dd (Chrysocome)
dd - command line
The command is dd.exe
if = the input file
of = the output file
So an example of a full physical disk image (first physical drive on the machine) would be:
dd.exe if=\\.\PhysicalDrive0 of=image.img
Make sure you always write to external media, not the suspect device, and make sure it is large enough.
Imaging will take a long time. There is no progress indicator.
Tools for Live Disk Imaging (Windows) - FTK Imager
- FTK Imager
- GUI. Easy to use / device selection
- Can write output to several formats incl. Raw (dd), SMART, E01, AFF (always write to an external drive)
- More reporting and verification options
- Uses \\.\PhysicalDrive# to access the physical disk (like dd)
- Has a progress bar
- Lacks the flexibility that dd has
- Cannot be scripted like command line tools can
Live Disk Imaging - Summary
- It is possible but not always practical. Terabytes of storage changing as you image.
- Not always reliable. Rootkits can detect disk imaging programs and filter out certain / malicious files.
- Only sees the disk! Will not image pseudo files or virtual file systems that only exist in memory.
A different solution might be forensic file copying.
Non Volatile Data Collection from a Live System - Forensic File Copying
Can forensically copy selected data
- Requires less time / storage
- Copies pseudo files
- likely to change timestamps - particularly on the original
- Must know what you want to copy and where it is.
Rootkits still exist that can alter what is copied, but it is harder for a rootkit to distinguish between a legitimate copy and a forensic copy.
Some malware restricts access to files even from admin. Whether this is a problem depends on the tool.
Summary of Tools for Forensic File Copying in Windows
- FTK Imager
- Linux utilities ported to Windows also work well, like The Sleuth Kit (TSK) and tar / cp (standard Linux utilities). They can be scripted because they are command line utilities.
- Worst case scenario: could use Windows Explorer to copy / paste files. Justify why. Justify all decisions / actions.
Key to choosing a tool is to use one that:
- preserves timestamps and contents of the copied file.
- preserves timestamps and contents of the source (original) file.
- Has minimal impact on the suspect system (small footprint). Command line tools are small and use little memory.
Tools for Forensic File Copying in Windows - TSK
The Sleuth Kit
- Open source set of tools for disk analysis
- Supports many common file systems
- Has its own file system parser - does not need to make calls to the suspect machine’s OS, therefore less vulnerable to malware
- File timestamps are NOT preserved on the new file, but they are on the original.
- Some example tools are:
mmls: get info about partitioning / file systems / unallocated space
fsstat: shows file system info
fls: lists allocated and deleted files and inodes
icat: streams file content data (outputs the file contents based on inode number).
Tools for Forensic File Copying in Windows - tar / cp
These are Linux utilities that have been ported to Windows.
tar - an archiving program
cp - the Unix copy program
Must make calls to the suspect’s OS, so more vulnerable to malware.
File timestamps can be preserved on the COPY but NOT on the original.
A lot of functions. They can be used to send data over a network to another location.
Tools for Forensic File Copying in Windows - FTK Imager
FTK Imager for forensic file copying
- Has its own file system parser. Mostly doesn’t need to make OS calls on the suspect machine - less vulnerable to malware
- Can browse the directory structure. Nice, easy to use GUI.
- Preserves timestamps on BOTH copied and original file
- Simple hashing functionality
List some potential non volatile data of interest
Will be case dependent but some are:
- user data
- registry hives. These are a fundamental part of the Windows registry. Contain configuration info for the OS and installed apps, such as system settings, user preferences and app configuration
- restore points. These are snapshots of your system’s state at a specific point in time.
- prefetch. Performance optimization feature. When you launch a program, Windows creates a prefetch file that stores info about the files and resources required. This means necessary data is preloaded into memory to make starting the application quicker.
- logs. These are records of events created by the OS and various apps. Help track system activities, diagnose issues and monitor security. Log files can be viewed in Event Viewer
- trusted hosts. These are a list of computers that are allowed to connect to your machine using Windows Remote Management (WinRM)
Summary of Non Volatile Live Data Acquisition
Will have a big impact on suspect’s system - know tools and their footprint. Will impact the memory and the disk.
2 options for non volatile LDF:
- Live disk imaging. Whole disk or partition
- Forensic file copying