Professional Documents
Culture Documents
• Host systems are far too often the target of malicious actions. Commonly
available systems are routinely manufactured with extensive memory and
storage terabytes; there is a great deal of data that could assist incident
responders with determining a root cause analysis.
• As a result, incident response analyst should be prepared to investigate
these systems for further analysis.
• Preparation: In terms of preparation, incident response analysts should
have the necessary tools at their disposal for acquiring host-based
evidence.
• The techniques discussed within this chapter do not rely on any highly-
specialized technology, but rather on tools that can be acquired for
little or no cost.
• When supporting an enterprise environment, it is a good idea that incident
response personnel have a solid understanding of the types of systems
commonly deployed. For example, in an enterprise that utilizes strictly
Microsoft operating systems, the tools available should have the ability to
support the wide range of versions of the Microsoft OS.
e) Unplug the power from the back of the system. In the event that the system is a
laptop, remove the battery as well. This preserves the state of the system.
f) Photograph the back or bottom of the system to capture the model
and serial number. This procedure allows the incident response analyst
to capture information necessary for the chain of custody.
G) Remove the cover to the system and photograph the hard drive to
capture the model and serial number. Again, this aids in the
reconstruction of the chain of custody.
h) Remove the hard drive from the system and package it in an anti-
static bag. Secure the drive in a sealable envelope or box. Anti-static
bags will protect the hard drive and the packaging should be such that
any attempt to open it will be evident.
Memory acquisition
• Traditional digital forensics or what is often referred to now as dead box
forensics has focused on the hard disk drive taken from a shut down system as
the primary source of evidence. This approach works well when addressing
criminal activity such as fraud or child exploitation where image files, word
processing documents, and spreadsheets can be discovered in a forensically
sound manner.
• As opposed to traditional criminal activity, incident responders will find that a
great deal of evidence of a security incident is contained within the memory of a
potentially compromised system. This is especially true when examining systems
that have been infected with malware or exploited utilizing a common platform
such as metasploit.
• Trace evidence is often found within the memory of the compromised system. As
a result, it is critical before powering down the system and removing the hard
drive that the running memory is acquired for processing.
• Two popular frameworks for analysis of memory images are Rekall and Volatility.
Both of these frameworks allow for detailed analysis of memory images.
Local acquisition
• If an incident response analyst has physical access to a potentially
compromised system, they have the option of acquiring the memory
and other evidence locally. This involves the use of tools run from a
USB device or other similar removable medium that is connected to
the potentially compromised system.
• From there, the tools are run and the evidence is collected. Local
acquisition is often conducted in conjunction with seizing the hard
drive and other evidence from the system.
• There are several tools that are available for local acquisition. For the
purposes of this book, two such tools, Access Data's FTK Imager and
WinPmem will be discussed.
FTK Imager
• Access Data's FTK Imager is a Windows software platform that
performs a variety of imaging tasks including acquiring the running
memory of a system. The software can be downloaded at
http://accessdata.com/product-download/digital-forensics/ftk-im
ager-version-3.4.3.
• Once downloaded, install the executable in the Tools partition of the
USB drive. Open the FTK Imager folder and run the executable as
administrator. The following window will appear:
• Browse to the Evidence partition of the USB drive attached to the system
and provide a name for the capture file. This name should be a unique
identifier such as Laptop1 or Evidence Item 1. Also check Include pagefile
checkbox. There may not be information of evidentiary value within the
pagefile, but it may become important later on (the pagefile will be
discussed later on in the analysis chapter).
• Finally, there is the option to create an AD1 file that is Access Data's
proprietary file format. This file is for the analysis of this image using the
FTK analysis program. For the purposes of this book, the standard output is
sufficient for the analysis that will be performed. Once the configurations
are set, click on
Capture Memory:
winpmem
• To acquire the physical memory of the target system, open up a
Windows Command Prompt as an administrator. Typing D:\
winpmem-2.1.exe -h will produce the following
winpmem
• Next, configure Winpmem to acquire the memory of the system by typing
the following:
• D:\winpmem-2.1.exe --format raw -o e:\Laptop1
• This command tells WinPmem to acquire the raw memory and output it to a
folder created on the evidence partition of the USB drive in use. The
command will produce the following:
winpmem
• At the conclusion, a review of the output file reveals that the entire
physical memory is contained within a single file along with others as
part of the AFF4 file container:
Remote acquisition
• The preferred method for the acquisition of memory is through direct
contact with the suspect system. This allows for adaptability by incident
response analysts in the event that a tool or technique does not work.
• This method is also faster at obtaining the necessary files,
as it does not depend on a stable network connection. Although this is
the preferred method, there may be geographical constraints, especially
with larger organizations where the incident response analysts are a
plane ride away from the location containing the evidence.
• The preceding command directs the system to perform the capture and
send the output via Netcat to the incident response analyst workstation
over port 4455. The drawback to this technique is that it requires access to
the Command Prompt as well as the installation of both NetCat and
WinPmem.
Virtual machines
• Other systems that incident response analysts should prepare to
acquire are virtual machines. The one distinct advantage that virtual
systems have over physical systems is their ability to maintain the
current state through either performing a snapshot of the system or
through simply pausing.
• This allows incident response analysts to simply copy the entire file
over to an evidence drive for later analysis. It is recommended that
analysts ensure that they conduct a hash of the virtual machine pre
and post copy to ensure the integrity of the evidence.
•
• In certain circumstances, incident responders may want to acquire two key
pieces of data from suspected compromised systems before shutting down
a running system. While not volatile in nature, the registry keys and log
files can aid analysts during their investigation.
• In the event that analysts have access to the system, they can utilize the
command line to access the log files by running the following command:
C:\wevtutil epl<Log Type> E:\<FileName>.evtx
This command can be repeated for security, application, and system logs.