Log File Duplication

Log file duplication is difficult for several reasons. First, the log files are frequently on a machine not directly involved in the investigation (for example, the DHCP server from which the suspect obtained an IP address). Second, the log files may reside on a business-critical, shared platform that cannot be taken down (for example, a domain controller). Finally, log files are open and active while in use; simple copying can produce errors or corrupt the file contents.

Because duplicating the entire drive is often neither feasible nor warranted, individual log files may be copied instead. The same applies to duplication from other shared storage. A 2MB home directory belonging to the suspect on a 100TB NetApp device does not justify imaging the entire drive array, nor does retrieving a single suspect's mailbox file justify copying every drive on an Exchange server.

Note 

If a suspect had no direct access to the server the logs were stored on, there is little reason to suspect tampering or deletion.

To duplicate a single log file or other active file, the following steps should occur:

  1. Shut down any services or applications using the active file. This can include disconnecting sessions, temporarily disabling mailboxes, and changing share (but not file) permissions.

  2. Connect a forensically wiped, portable DVD-R or hard disk to the server containing the log files.

    Warning 

    For hard disks, always format the disk as NTFS after wiping to enable the preservation of file attributes.

    1. If the server is in a remote location, connect the media that will contain the duplicated image to an analysis machine and allow it to be mapped with a drive letter.

    2. Establish a secure session to the server (Remote Desktop Connection provides this capability on Windows).

    Note 

    Ensure that Disk Drives is checked under the Local Resources tab within the Remote Desktop Connection options to map the drive.

  3. Use xcopy to duplicate the file or files to the destination media. For example, to fully duplicate the directory c:\userdata\asmith to g:\evidence, use the following command line:

     xcopy /E /H /C /K /X c:\userdata\asmith g:\evidence 

    The command line options provide the following:

    • /E Copy all directories and subdirectories including empty ones.

    • /H Include hidden and system files when copying.

    • /C Copy even after errors occur (frequent when open files are present).

    • /K Copy file attributes.

    • /X Copy all file audit settings (and ACL/ownership information).

  4. Run an md5sum on each of the files copied and record the results.

  5. Restart any services and applications turned off in Step 1.
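As an added example (not code from the book), the five steps above scripted in PowerShell: stop the named services, run the xcopy command with the switches listed in Step 3, hash every copied file against its source, record an MD5 manifest, and restart only the services the script stopped. The paths and service names are assumed placeholders; /I is one extra xcopy switch, added so a missing destination is created as a directory instead of xcopy prompting for one.

```powershell
# Added example, not the book's code. $Source, $Destination, $ManifestPath and
# $Services are assumed placeholders; adjust them for the case at hand.
$Source       = 'C:\userdata\asmith'        # directory named in the text
$Destination  = 'G:\evidence'               # wiped, NTFS-formatted portable media
$ManifestPath = 'G:\evidence_md5.txt'       # keep the manifest outside the copied tree
$Services     = @('SomeService')            # services holding the files open (Step 1)

# Step 1: stop only services that are actually running, and remember them for Step 5.
$stopped = @()
foreach ($svc in $Services) {
    if ((Get-Service -Name $svc).Status -eq 'Running') {
        Stop-Service -Name $svc -Force
        $stopped += $svc
    }
}

try {
    # Step 3: the book's xcopy switches (/E /H /C /K /X). /I is added so a
    # missing destination is created as a directory rather than prompting.
    & xcopy.exe $Source $Destination /E /H /C /K /X /I | Out-Null
    # xcopy exit codes: 0 ok, 1 no files found, 2 aborted, 4 init error, 5 disk write error.
    if ($LASTEXITCODE -ne 0) { throw "xcopy failed with exit code $LASTEXITCODE" }

    # Step 4: MD5 of every file, source compared with copy, before anything restarts.
    $lines = @(); $problems = 0
    foreach ($f in Get-ChildItem -Path $Source -Recurse -Force -File) {
        $rel  = $f.FullName.Substring($Source.Length).TrimStart('\')
        $copy = Join-Path $Destination $rel
        if (-not (Test-Path -LiteralPath $copy)) {
            # /C lets xcopy continue past open-file errors, so a skipped file is only
            # visible here; note it so the gap is documented rather than unnoticed.
            Write-Warning "not copied: $rel"; $problems++; continue
        }
        $srcHash = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash
        $dstHash = (Get-FileHash -LiteralPath $copy -Algorithm MD5).Hash
        if ($srcHash -ne $dstHash) { Write-Warning "MD5 mismatch: $rel"; $problems++ }
        $lines += '{0}  {1,12}  {2}' -f $dstHash, $f.Length, $copy
    }
    # Record the manifest with the time and account that produced it.
    $header = "# MD5 manifest of $Destination taken $(Get-Date -Format o) by $env:USERNAME"
    @($header) + $lines | Set-Content -LiteralPath $ManifestPath -Encoding ASCII
    if ($problems -gt 0) { Write-Warning "$problems file(s) missing or mismatched" }
}
finally {
    # Step 5: restart exactly the services this script stopped in Step 1.
    foreach ($svc in $stopped) { Start-Service -Name $svc }
}
```

Any file reported as "not copied" should be acquired again after confirming what still holds it open, and the manifest file itself should be hashed and noted in the case record.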

Tip 

Xcopy offers several options, not available with the standard Windows copy command, that support forensically sound acquisition. The ability to copy all files recursively saves time, and the restart ability is useful over poor connections.

When the log files are duplicated, working copies can be made for detailed analysis in the forensic lab.



Windows Forensics: The Field Guide for Corporate Computer Investigations
ISBN: 0470038624
Year: 2006
Pages: 71
Authors: Chad Steel
