Live Acquisition CSC 486/586.

Objectives
- Understand what "live acquisition" is and when it is appropriate
- Understand the concept of "order of volatility"
- Understand live acquisition issues and limitations
- Be able to perform live acquisition using various tools and techniques

What is "Live Acquisition?"
Previously, our focus has been on "dead" or "cold" forensics: capture and analysis of static data stored on digital storage media, where everything captured is a snapshot of the entire media at a single point in time, and the media is write protected and/or not changing during acquisition.
Live acquisition is the capture of data from a system that is running when you encounter it: capture before you shut it down, or in lieu of shutting it down. It captures ever-changing data stored on media or in memory, including:
- Data stored on internal or external disks
- Data active in memory (RAM)
- Running processes, open network connections/ports, remote and local logged-on users, the ARP cache, and many other items
Write protection of a "running" disk is not possible with current tools or technology.

When do we consider doing it?
- Loss of data during shutdown
  - Pagefile set in the registry to be wiped at shutdown (the ClearPageFileAtShutdown value under Session Manager\Memory Management)
  - "Evidence eliminator" apps that remove data at shutdown
- Data not stored on disk (RAM contents, open ports, running processes, logged-on users, etc.)
- Encryption
  - Full disk encryption or open (mounted) encrypted volumes
  - Cached passwords/passphrases in RAM?
- Volume of data
  - Too much to image everything? If you don't need it all...

When do we consider doing it?
- Incident response
  - Volatile data, lost if you turn off the computer
  - Suspect processes running only in RAM, not on disk
- Court- or client-imposed business interruption restrictions
- Kiosk/Internet cafe: maybe no hard drive, booted from CD, and everything is in RAM
- Data in the "cloud"
Discuss with your attorney if it is not a consent or client/consultant situation!

The Order of Volatility
The order of volatility is a concept, not a formal list or a specific order you must follow. All data is volatile; certain types of data are simply more persistent (longer-lasting) than others. Typical lifetimes:
- Registers, caches, etc.: nanoseconds
- RAM contents: nanoseconds
- Network state (active/listening connections): milliseconds
- Running processes: seconds
- Disk contents: minutes
- Backup disks/storage: years
Every process you run to capture or view a piece of data modifies other pieces of system data in the process.

Order of Volatility
Capturing RAM takes time to complete, and during that time other useful information (running processes, open files, network connections) will likely have changed or disappeared. On the other hand, while memory as a whole is continuously changing, on a new system with a large amount of RAM many memory pages may linger for a considerable time without being overwritten.
There is no absolute step-by-step order in which you should capture volatile data: every case is different! The examiner must be aware of the overall context of the investigation in order to make informed decisions on the order of evidence acquisition, based on what information is most important in this case.

Issues and Limitations

Issues and Limitations
- The computer is running; everything you do modifies the system in some way. The more you do, the more you modify. Only do what is necessary.
- Your process should be reproducible, but the results of your capture will likely not be reproducible. The state of the system and of the live data will never again be exactly what it was when you captured it.
- Pre-acquisition hash values of disks or partitions that are changing during acquisition will not verify against a hash of the captured data and are therefore not appropriate.
- Pre-acquisition hashes of individual files, or of any other data that is not changing during the live acquisition, will verify against hashes of the acquired data and are therefore appropriate to use.
- Post-acquisition hashes are still appropriate for later authenticating that copies of your "original" captured data are identical to it.
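The hashing rules above, as an added example that is not part of the slides: an imager-style chunked copy that records a pre-acquisition hash of the source, a hash of the bytes actually read, and a post-acquisition hash of the written image. The on_chunk hook and the file paths are assumptions of this example; real imaging tools have no such hook, it exists only so a caller can simulate a source that changes underneath the imager, which is what a running disk does.

```python
"""Hashing during a live acquisition (added example, not the course's tooling)."""
import hashlib
import json
import time


def sha256_file(path, chunk_size=65536):
    """Hash a file from disk in chunks (used for pre- and post-acquisition hashes)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_file(src, dst, chunk_size=4096, on_chunk=None):
    """Copy src to dst the way an imager reads a disk, hashing the stream as read.

    Returns a record with three hashes:
      pre      - hash of the source taken before acquisition
      acquired - hash of the bytes actually read during the copy
      post     - hash of the written image, taken afterwards
    on_chunk(index) is a hook (assumed here for demonstration) called after each
    chunk is read, so a caller can change the source mid-acquisition.
    """
    record = {"source": src, "image": dst, "chunk_size": chunk_size}
    record["pre"] = sha256_file(src)
    record["start"] = time.time()
    h = hashlib.sha256()
    # buffering=0: every read() goes to the OS, so a change to the source beyond
    # the current offset is seen by later reads, as it would be on a live disk.
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        index = 0
        while True:
            chunk = fin.read(chunk_size)
            if not chunk:
                break
            h.update(chunk)
            fout.write(chunk)
            if on_chunk is not None:
                on_chunk(index)
            index += 1
    record["end"] = time.time()
    record["acquired"] = h.hexdigest()
    record["post"] = sha256_file(dst)
    # pre != acquired means the source changed during acquisition, so the
    # pre-acquisition hash cannot verify the image. acquired == post is the
    # check that matters; the post hash authenticates later copies of the image.
    record["source_changed_during_acquisition"] = record["pre"] != record["acquired"]
    record["image_verified"] = record["acquired"] == record["post"]
    return record


def verify_copy(image, copy):
    """Later authentication: is this working copy identical to the original image?"""
    return sha256_file(image) == sha256_file(copy)


def write_manifest(record, path):
    """Persist the hashes and timestamps alongside the image for chain of custody."""
    with open(path, "w") as f:
        json.dump(record, f, indent=2, sort_keys=True)
    return path
```

For a static file (a document on a mounted volume that nothing is writing to) all three hashes agree and the pre-acquisition hash is usable. For a source that changes while being read, only acquired == post holds, which is exactly why the slide says to rely on post-acquisition hashes for anything that was changing during a live capture.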

Issues and Limitations
Not all tools are created equal! Many tools were not designed for "live response" but are often used as such, and have a much larger system footprint than you might like. Typically, the smaller the memory footprint, the better.
Can you really testify about what your live processes touched? Do all tools/methods touch the same memory addresses? What do they overwrite when you run them? How do you know? Did you perform comparison tests of your tools using memory reading/debugging tools?

Issues and Limitations
Imaging a running hard disk? You will get a "smear" image: sectors are captured at different moments, so the image is not consistent with the disk at any single point in time. If you need to boot a restored version of the image, a smeared image may not boot!

Issues and Limitations
Be aware of your capture tool's shortcomings:
- Does it capture NTFS or other file-system-specific attributes?
- What happens if the image/archive gets corrupted (bad sector)? Is it recoverable?
- Does it preserve all file system dates/times, or modify them in the acquisition process?
- How is the compression/speed when acquiring? How long will this take?

Issues and Limitations
What tool(s) will you use to analyze the data you capture? RAM analysis tools are new and developing, but far from refined. Much of the data is not in plain ASCII text format; will you be able to search or decipher the captured live data? Nearly everything (process list, open ports, etc.) will be present in a RAM image, but parsing that information out in a usable format may be difficult or impossible with current tools. Capturing items like process lists and open ports directly, using Sysinternals tools (or others), may be a better option.

Tools & Techniques
Local data collection:
- Physical access to the subject computer
- Portable tools run locally
- Forensic disk imaging
- Archiving, backup, logical copying
- Volatile data capture
- Data captured onto a locally attached disk (USB, IEEE 1394, etc.)
Network data collection:
- Agent pre-installed on network computers
- On-the-fly options (push a remote agent)
- Run the tool locally and push the result to another machine on the network via netcat or similar
- External network scan of the subject computer

Physical Access
Many tools require "Administrator" or otherwise elevated permissions to run and to access various "protected" system information. The console may be locked, in which case remote network collection of data may be possible. Options are limited in an adversarial situation without the cooperation of an administrator.

Portable Tools
Run from a disk you introduce to the running system (e.g. CD/DVD/USB/IEEE 1394/SATA). When possible, always use your own trusted tools and/or binaries. Do not rely on the soundness of built-in OS tools or those pre-installed on a subject computer, especially on potentially compromised systems (e.g. incident response).

Trusted Binaries

Trusted Binaries
Example: a subject's command.com edited with a hex editor to "swap" the DIR and DEL commands, so that an examiner typing DIR at the subject's own shell deletes files instead of listing them.

Trusted Binaries
Some of your standard tools will run on a variety of OS versions; for example, FTK Imager Lite runs on most "live" Windows versions. Many OS component tools (e.g. netstat, nbtstat, ipconfig) are OS-version dependent, and you must have trusted versions of any such tools for every OS version you will encounter.


Disk Imaging

Archiving, Backup, Logical Copying

Volatile Data Collection: RAM, process and system info collection

RAM, Process & System Info
Automated tool kits:
- Windows Forensic Toolchest (WFT)
- Incident Response Collection Report (IRCR)
- First Responder's Evidence Disk (FRED)
- Computer Online Forensic Evidence Extractor (COFEE)
Sysinternals Suite: http://technet.microsoft.com/en-us/sysinternals/default.aspx (many Sysinternals tools are used inside the "automated" tool kits above)
Standard OS commands (your own binaries)
X-Ways Capture
RAM capture: WinEn, dd, Nigilant32, FTK Imager, WinHex/XWF, and many more...
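Putting the trusted-binaries rule and the volatile collection step list together, as an added example that is not part of the slides or of any of the kits named above: a small collector that runs each step in the order you give it (most volatile first), resolves every tool inside the responder's own tool directory only (never via PATH, so the subject's netstat.exe or a hex-edited command.com is never picked up), refuses to run a tool whose SHA-256 does not match the value recorded when the kit was built, and writes each tool's output plus a manifest with timestamps and post-acquisition hashes to the collection drive. The WINDOWS_STEPS list, the E:\ drive letters and known_good.json are assumptions about a responder's kit, not something the course prescribes.

```python
"""Volatility-ordered live collection with trusted binaries (added example)."""
import hashlib
import json
import os
import subprocess
import time

# Assumed kit layout (not from the slides): trusted copies of OS and Sysinternals
# tools on the responder's own USB drive, listed from most to least volatile output.
WINDOWS_STEPS = [
    ("network_state", ["netstat.exe", "-ano"]),
    ("arp_cache", ["arp.exe", "-a"]),
    ("logged_on_users", ["psloggedon.exe", "-accepteula"]),
    ("processes", ["pslist.exe", "-accepteula", "-t"]),
    ("open_handles", ["handle.exe", "-accepteula", "-a"]),
    ("ip_config", ["ipconfig.exe", "/all"]),
]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def trusted_tool(tool_dir, name, known_good):
    """Resolve a tool inside tool_dir only (never via PATH) and check its hash.

    known_good maps tool file name -> SHA-256 recorded when the kit was built.
    """
    path = os.path.join(tool_dir, name)
    if not os.path.isfile(path):
        raise FileNotFoundError(f"{name} is not in the trusted tool directory {tool_dir}")
    digest = sha256_file(path)
    if known_good.get(name) != digest:
        raise ValueError(f"{name} hash {digest} does not match known-good value")
    return path


def run_step(label, argv, tool_dir, known_good, out_dir, timeout=120):
    """Run one collection step and return its manifest entry."""
    exe = trusted_tool(tool_dir, argv[0], known_good)
    cmd = [exe] + argv[1:]
    entry = {"label": label, "argv": cmd, "start": time.time()}
    try:
        proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
        data = proc.stdout
        entry["returncode"] = proc.returncode
        entry["stderr"] = proc.stderr.decode(errors="replace")[:1000]
    except subprocess.TimeoutExpired as exc:
        # a hung tool must not stall the rest of the (more volatile) collection
        data = exc.stdout or b""
        entry["returncode"] = None
        entry["stderr"] = f"timed out after {timeout}s; partial output kept"
    entry["end"] = time.time()
    out_path = os.path.join(out_dir, f"{label}.txt")
    with open(out_path, "wb") as f:
        f.write(data)
    entry["output"] = out_path
    entry["bytes"] = len(data)
    entry["sha256"] = hashlib.sha256(data).hexdigest()  # post-acquisition hash
    return entry


def collect(steps, tool_dir, known_good, out_dir):
    """Run steps in the given (volatility) order; one failure never stops the rest."""
    os.makedirs(out_dir, exist_ok=True)
    manifest = {"tool_dir": tool_dir, "collected_at": time.time(), "steps": []}
    for label, argv in steps:
        try:
            manifest["steps"].append(run_step(label, argv, tool_dir, known_good, out_dir))
        except (ValueError, OSError) as exc:  # FileNotFoundError is an OSError
            manifest["steps"].append({"label": label, "argv": argv, "error": str(exc)})
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


if __name__ == "__main__":
    # Assumed paths: E:\tools holds the kit and its hash list, E:\collect is the output drive.
    with open(r"E:\tools\known_good.json") as f:
        known = json.load(f)
    collect(WINDOWS_STEPS, r"E:\tools", known, r"E:\collect")
```

The output directory should be on the media you brought (the collection drive), never on the subject's disk; the manifest's per-step start/end times are what let you later explain which items were captured when, which matters because each step changes the system state the next step sees.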

Network Data Collection

Network Data Collection
Requires an agent pre-installed on the subject machine, or the ability to "push" a remote agent to it with Admin permissions. Most remote agents can be installed/pushed in normal or stealth mode to avoid detection. Tools:
- OnlineDFS
- EnCase Enterprise (or FIM)
- AccessData Enterprise
- ProDiscover-IR
- F-Response
- Several others...

NetCat
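The "run the tool locally and push the result over the network via netcat or similar" option, as an added example that is not part of the slides: a sender that streams a tool's stdout to the responder's workstation without writing anything to the subject's disk, and a receiver that plays the role of `nc -l -p PORT > file`. Unlike plain netcat, the stream is length-framed and ends with a SHA-256 trailer, so the receiver can tell a complete transfer from one cut short by a firewall or a dropped connection. The LRP1 marker, host names and ports are assumptions of this example, not a standard.

```python
"""Push live-response output off the subject machine over TCP (added example)."""
import hashlib
import socket
import struct
import subprocess

MAGIC = b"LRP1"  # stream marker; an assumption of this example, not a standard


def push_stream(sock, chunks):
    """Sender: length-frame each chunk, then send a zero length followed by the
    SHA-256 of everything sent. Returns (byte_count, hexdigest)."""
    h = hashlib.sha256()
    total = 0
    sock.sendall(MAGIC)
    for chunk in chunks:
        if not chunk:
            continue
        h.update(chunk)
        total += len(chunk)
        sock.sendall(struct.pack("!I", len(chunk)) + chunk)
    sock.sendall(struct.pack("!I", 0) + h.digest())
    return total, h.hexdigest()


def push_command(argv, host, port):
    """Run a tool on the subject and stream its stdout to the listener.
    argv[0] should be the absolute path of a trusted binary on your own media."""
    proc = subprocess.Popen(argv, stdout=subprocess.PIPE)
    try:
        with socket.create_connection((host, port)) as sock:
            return push_stream(sock, iter(lambda: proc.stdout.read(65536), b""))
    finally:
        proc.wait()


def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("stream ended before %d bytes arrived" % n)
        buf += part
    return bytes(buf)


def receive_stream(sock, out):
    """Receiver: write the payload to `out` and report whether the sender's
    trailer hash matches what actually arrived."""
    if _recv_exact(sock, len(MAGIC)) != MAGIC:
        raise ValueError("not a live-response push stream")
    h = hashlib.sha256()
    total = 0
    while True:
        (n,) = struct.unpack("!I", _recv_exact(sock, 4))
        if n == 0:
            break
        chunk = _recv_exact(sock, n)
        h.update(chunk)
        total += n
        out.write(chunk)
    claimed = _recv_exact(sock, hashlib.sha256().digest_size)
    return {"bytes": total, "sha256": h.hexdigest(), "verified": claimed == h.digest()}


def receive_once(bind_host, port, out_path):
    """Listener on the responder's workstation (what `nc -l -p PORT > file` does)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_host, port))
        srv.listen(1)
        conn, peer = srv.accept()
        with conn, open(out_path, "wb") as f:
            result = receive_stream(conn, f)
    result["peer"] = peer[0]
    return result
```

Usage on the workstation would be receive_once("0.0.0.0", 4444, "netstat.txt"), and on the subject push_command([r"E:\tools\netstat.exe", "-ano"], "10.0.0.5", 4444) (assumed addresses). Record the returned byte count and hash on both ends; a receiver result with verified False is an incomplete capture, not evidence.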

Network Scans: results without Admin credentials vs. results with Admin credentials.

Network Scans
- Results are affected by firewall or other IDS/IPS protection.
- Results are affected by the user credentials used to perform the scan.
- A scan only checks and reports on the items you specify in your scanning tool's profile.
- Exhaustive scanning profiles can take significant time.

For those really adventurous and not afraid of electricity…

Wiebetech HotPlug: physical seizure without shutdown? Take it back to your office to work on it. http://www.wiebetech.com/products/HotPlug.php
Keep the system console from locking or hibernating with a "Mouse Jiggler": http://www.youtube.com/watch?v=erq4TO_a3z8 and http://www.youtube.com/watch?v=-G8sEYCOv-o&feature=related

Questions? Use the discussion board, as usual.