Chapter 8: Live System Analysis

Overview

For several reasons, computer investigators analyze live Windows systems before powering them down. There are two mechanisms for performing live systems analysis: covert monitoring and overt acquisition.

Covert analysis examines or monitors the activities of users or programs without their knowledge. Analysis reviews information that already exists; monitoring can take place at the computer or network level and can cover both current and future actions. The major covert analysis activities are:

  • Performing remote acquisition. Remote acquisition or drive previewing using EnCase Enterprise enables an investigator to sneak a peek into a computer's file system or perform a full, remote drive image.

  • Determining system information using Windows Administrative tools. Using common Administration tools such as the Computer Management console enables an examiner on a corporate network to review systems to which she has administrative rights.

  • Monitoring current keyboard/mouse activity. Performing keystroke monitoring and other live system monitoring can provide a play-by-play view of user actions as they take place.

  • Monitoring current network activity. Network-based monitoring provides a safe way to collect evidence of network-based activity prior to acquiring equipment. Either user or program activity can be monitored.

Warning 

Although remote analysis can be performed in a covert fashion, unless a product like EnCase Enterprise is used there is a reasonable risk of detection.

Overt live system analysis is performed on the system itself through either a local or a remote connection. The analysis is done after the system has been secured and can be performed through the Windows GUI, the command line, or a remote command line. Overt analysis tasks include:

  • Proving system state at time of acquisition. It may be necessary to show multiple pieces of information on the system state at the time of acquisition, including currently logged-on users (network and local), clipboard information (stored in memory), or current network connections (file share, FTP, HTTP, and others).

  • Obtaining information on currently running programs. When the computer is powered down, the list of programs that were running at the time, and their in-memory contents, will be lost.

  • Finding information resident in main memory. If information is expected to be present in RAM, that information needs to be collected before powering down the system and losing its contents.

  • Acquiring data from a production system. Not every system can be shut down for off-site acquisition, and not every case requires a full local disk image. If only simple tasks need to be performed on a live system (for example, copying log files and reviewing event information), these can be done in real time.

When a live system analysis is performed, there is almost always some system alteration; network monitoring is the one exception. Running any process will at a minimum alter the CPU registers, in addition to some memory and possibly disk space as well. The key to a successful live analysis from an investigative perspective is fourfold:

  1. Understand and document why a live analysis is being performed. When you are making the decision to perform a live system analysis, one of the scenarios noted above should be relevant. Ideally, standard operating procedures are developed by your organization beforehand. These procedures detail when a live system analysis is warranted, who approves the analysis, and how it occurs. Any deviation from these procedures must be documented as part of the case file.

  2. Minimize the amount of alteration. Some alteration is unavoidable in a live system analysis. When deciding on an approach to analyzing a live system, consideration must be given to the least disruptive way of accomplishing it. If the investigator wants to know what ports are accessible from a given IP address, an external port scan may be the least intrusive option. If there is a further question about which applications those ports are associated with, a small-footprint program such as Foundstone FPort may be the most appropriate.

  3. Understand the alteration. Understanding the impact caused by the programs you will be running is essential to a court presentation of actions. It is understood that all programs run on a given machine will alter memory in some fashion, but specific to the analyst's forensic suite, he will want to know, at a minimum, answers to the following: Does it write to the disk? Does it start any services? Will it alter file timestamps? Does it open network connections?

  4. Do not trust tools on the system. Where possible, use tools that you provide to perform a live system analysis. If a system compromise is suspected, built-in tools may be altered to provide false data or hide specific system activities. Although this is more common on compromised Unix systems, the best practice is relevant for Windows as well.

A live system analysis is one of the most powerful tools in the forensic arsenal of a computer investigator. Using it appropriately can yield results unattainable through other means.

ORDER OF VOLATILITY

All data on a computer system is volatile to some degree. At the high end of volatility, network transmissions and information moving across the system bus can be considered extremely volatile. The information may exist and be able to be captured for a matter of milliseconds or even nanoseconds. At the lower end of volatility are permanent files stored to magnetic or optical media. This information may be present in an unaltered form for anywhere from several seconds to several decades (and potentially longer for archival quality optical media).

The difficulty in capturing data increases as the volatility of the data increases. CPU registers are difficult to read without altering their data: what instructions can one run from within the operating system that will not replace the registers by running them? Bus lines and custom chips may require specialized equipment (for example, an oscilloscope and logic probe), and internal chip caches may be internally managed and inaccessible externally. The greater difficulty comes from the very short duration of this information. Because of the timeframes, a priori knowledge of an incident is required. Specifically, monitoring has to be actively set up and running before an incident happens, making the most volatile contents of a system unavailable in response situations.

As anyone who has ever managed a large tape backup library can attest, even permanent storage is volatile in nature. Both magnetic media and optical media have life spans due to wear, environmental factors, and material limitations. Prior to the physical media wearing out, the logical contents can be erased as well. Files can be deleted and wiped, unused sectors overwritten, and temporary files cleaned by the operating system. Because of this, a rapid response capability is essential to any incident response program. Likewise, examiners should acquire the most volatile information they believe will be useful first, before moving to the next most volatile piece of information. The following table lists the volatility of various computer components useful in a forensic analysis.

LOCATION                     PRIMARY ANALYSIS METHOD   LIFE OF DATA
-------------------------------------------------------------------
CPU registers                Live                      Milliseconds
  Usefulness: Registers generally contain very small amounts of information, much of which is not broadly useful to investigations (for example, array offsets and intermediate calculation values).

CPU cache (on and off-chip)  Live                      Seconds
  Usefulness: The CPU cache(s) contain instructions and data, and as they become larger they contain more information. Because much of the cache information will also be stored in less-transient RAM, the effort to read the cache usually outweighs any benefits.

RAM                          Live                      Minutes
  Usefulness: The computer's main memory stores information from current and previously running programs, including pieces of data that may be unavailable elsewhere. The data is not well structured for analysis, but can be searched for key words and phrases effectively. Investigations where a machine is still running after a user has purportedly performed recent actions of interest may yield information not stored in a more permanent fashion.

Disk cache                   Live/offline              Hours
  Usefulness: With larger amounts of RAM present in computers, the disk cache changes less rapidly but is still used. Even after a system is turned off, the cache file can be searched for strings of data to prove or disprove an allegation. The disk cache is one of the most common locations to find information that a user thinks she never saved to disk.

Temporary files              Live/offline              Hours
  Usefulness: Many applications, in addition to Windows itself, create temporary files without the user's knowledge. Because these files frequently contain structured data in a complete fashion, they are of great value in an investigation. Temporary files can be cleaned by individual applications when a document is closed, or may reside in a temporary directory until system reboot or beyond.

Unallocated space            Offline                   Days
  Usefulness: Unallocated disk space is any location that does not currently have an addressable file. Fragments and even full files that were deleted can be present for years, depending on disk usage. Searching unallocated disk space (both file slack and RAM slack) is done on almost all disk-based forensic analyses.

Permanent files              Offline                   Years
  Usefulness: Permanent files exist until they are deleted or the media is no longer viable. The best form of evidence when available, permanent files are data that has been saved to media that retains information even after losing power. Permanent files are generally stable enough for offline analysis.
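The four principles above and the order of volatility in the table can be combined into a small collection planner. The following is an added example, not code from the book: it ranks collection tasks by the table's volatility order, refuses to run any tool whose hash is not in an investigator-supplied known-good manifest (principle 4), and writes an audit log recording the reason for the live analysis, the tool hash, timing and the documented footprint of each step (principles 1 and 3). The tool names, task list, manifest and the injected runner are all hypothetical and constructed for the demo.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone
# Rank from the chapter's volatility table: lower = more volatile = collect first.
VOLATILITY = {"cpu_registers": 0, "cpu_cache": 1, "ram": 2, "disk_cache": 3,
              "temp_files": 4, "unallocated": 5, "permanent_files": 6}

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def order_tasks(tasks):
    """Order of volatility: most volatile location first (sort is stable for ties)."""
    return sorted(tasks, key=lambda t: VOLATILITY[t["location"]])

def tool_is_trusted(path, manifest):
    """Principle 4: run only investigator-supplied tools whose hash matches the known-good manifest."""
    return os.path.isfile(path) and manifest.get(os.path.basename(path)) == sha256_file(path)

def run_collection(tasks, manifest, runner, reason):
    """Principles 1 and 3: log why the analysis ran, each tool's hash, its timing and documented footprint."""
    now = lambda: datetime.now(timezone.utc).isoformat()
    log = [{"event": "start", "reason": reason, "time": now()}]
    for task in order_tasks(tasks):
        entry = dict(task, started=now())
        if tool_is_trusted(task["tool"], manifest):
            entry["tool_sha256"] = manifest[os.path.basename(task["tool"])]
            entry["output"] = runner(task["tool"], task["args"])  # injected so the demo launches nothing
            entry["status"] = "collected"
        else:
            entry["status"] = "skipped: tool not in known-good manifest"
        entry["finished"] = now()
        log.append(entry)
    return log

def demo():
    """Constructed sample: two placeholder 'tool' files; only memdump.exe is in the manifest."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "memdump.exe"), os.path.join(d, "fport.exe")
    for path, data in ((good, b"constructed trusted tool"), (bad, b"constructed unverified tool")):
        with open(path, "wb") as f:
            f.write(data)
    manifest = {"memdump.exe": sha256_file(good)}  # fport.exe deliberately absent
    tasks = [  # deliberately listed out of order; run_collection reorders them
        {"name": "copy temp directory", "location": "temp_files", "tool": good, "args": ["--temp"], "footprint": "reads disk only"},
        {"name": "list listening ports", "location": "ram", "tool": bad, "args": [], "footprint": "memory only"},
        {"name": "image physical memory", "location": "ram", "tool": good, "args": ["--ram"], "footprint": "memory; writes to investigator drive"},
    ]
    runner = lambda tool, args: "would run %s %s" % (os.path.basename(tool), " ".join(args))
    return run_collection(tasks, manifest, runner, reason="user still logged on; RAM evidence expected")
```

In practice the runner would invoke the tool from the investigator's own media and the log would be hashed and stored off the target system alongside the collected data.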

Windows Forensics. The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel
