Week 5

This document discusses tools for acquiring volatile data from live Windows systems for forensic investigations. It introduces Helix3, a forensic toolkit that contains many tools for collecting both volatile and non-volatile evidence from Windows machines running in live mode or from a bootable CD. It demonstrates using Helix3 on a Windows 7 virtual machine to preview system information, view running processes, and explore options for acquiring memory dumps and disk images.

>> We have covered the general forensic process and the technologies used in Linux/UNIX forensics in previous units. Now we will focus on the forensic technologies used in investigating Windows systems.

Recall that the first step of the general forensic procedure is acquiring evidence. Before 2008, law enforcement officers and incident responders typically followed the process of yanking the plug to preserve nonvolatile digital evidence on a suspect computer, and mainly focused on acquiring a disk image. With advanced encryption and malware, volatile data present only in physical memory becomes crucial for recovering encryption keys and detecting malware for investigation. So, since 2008, there has been a shift from dead forensics to live forensic investigations.

Now let's move on to first study technologies for Windows volatile data acquisition. If a suspect machine is up and connected at a crime scene, volatile evidence such as running processes, physical memory, network connections, logged-on users, et cetera is available to be collected from the suspect machine. Since we're collecting volatile evidence directly from a suspect machine, we should use small-footprint tools to ensure minimal disturbance to the state of the live system.

Earlier, we learned a set of Linux/UNIX commands used to collect important volatile data and system information. Incident responders and forensic investigators use a parallel set of Windows tools to gather volatile data from live Windows systems for forensic investigation. I listed certain built-in Windows commands and free utilities here for you to try and practice by yourself. Some instructions are included in this unit's resources. Make sure to redirect results outside of the suspect machine by using the greater-than sign (>) or Windows Netcat.

To display the system date and time, we use the Windows built-in tools date and time, and to display when the system was rebooted, we use a free utility called Uptime. We also use PsTools, PsInfo, to display system information. And we use the built-in ipconfig to check whether the network interface is running in promiscuous mode. To look for unusual processes, we use tasklist or PsService. To list currently loaded DLLs, we use ListDLLs. To view open files, we use PsFile or openfiles. To show network connections, we can use Fport or netstat. And to show logged-in users, we use PsLoggedOn or LogonSessions. To view clipboard content, we use Pclip. And to view logs, we use Windows Event Viewer.

Next, I want to introduce a powerful forensic toolkit called Helix3 from e-fense. This tool has a collection of forensics tools for data acquisition, preservation, and analysis. While Helix3 Pro is a commercial tool, they also have a free version, Helix 2009R1. Helix3 operates in two different modes: one is Windows live mode and the other is a bootable environment. Instructions for downloading the Helix3 ISO version 2009R1 and creating the CD are given in the course resources.

When using the Helix3 CD on a Windows suspect machine, it is a perfect example of a trusted forensics tool set that includes many forensics tools to collect both volatile and nonvolatile data from a suspect machine without relying on potentially compromised internal tools and programs. When using the CD as a bootable CD, it runs entirely off the CD and only mounts the hard drives in read-only mode. In this mode, Helix3 is used for in-depth analysis of targeted powered-off systems. In the next video, I will demonstrate the use of Helix3 in a live Windows environment to collect volatile information from a Windows system.

In this video, I will introduce to you a great forensic tool called Helix3 from e-fense. Helix3 is a collection of forensic tools for data acquisition, preservation, and analysis. Besides offering a commercial Helix3, the company also gives us a free Helix version, 2009R1, and this is the version I'm using here, the free version. As we know, Helix3 operates in two different modes: one is running Helix in Windows live mode, and the other is a live bootable CD that boots the system into it. In this demo, I will show you the live version that runs in a Windows environment. The Windows I'm using here is a Windows 7 virtual machine. It's in the background.

When I open this software, the first thing you see is a warning, because we are running in a live Windows environment, which typically happens during incident response time. You need to make sure you make minimal changes, but, certainly, you absolutely know there is no way to protect the information from changing, right? So this is what the warning is about, and we accept that.

Now, as I said, it's a collection of tools. If you move from the left side, you know what each icon means: each icon may have one or more tools collected inside. So this one is Preview System Information; it's a live view of the Windows system information. Then this one is Acquisition, and this one is Incident Response tools for Windows. So let's look at a couple of those.

Let's first look into Preview System Information. If I click on that, it tells you what my operating system is, and this is basically looking at my current Windows 7 virtual machine: who the owner is, the organization, and all that information, okay? And then what the drives and the file systems are. Now, we talked about that in the Linux case, and I showed you many Linux/UNIX tools to be able to collectively get those types of information. But in this case, all that information is collected together, just with a screen-based tool. So it's very simple to use. In this week's class, I also gave you some free Windows tools to be able to get system information, but certainly, you would say it is very convenient to use Helix3 to get that information.

Now, you see there's an arrow here. This arrow means there are more pages. So we're on page one and it can go to page two. Page two shows you running processes: currently, what processes are running here. This is similar to ps in the Linux/UNIX case. If you have rootkits trying to hide certain processes, those hidden processes will not show here. This result is also the same as the Windows Task Manager. So page two shows you all the running processes. Certainly, you can go back to page one, which is the system information.

If we move to the next one -- again, this arrow tells you where you are right now -- okay, this is the Acquisition page. This acquisition page allows you to do acquisition. In this case, it's a live acquisition using, I think, dd, because it says the image is dd. So if you provide a source -- this is running Windows dd, similar to Linux dd acquisition -- what source do you want to do a dd acquisition of? Now, it says you could acquire an image, but, by the way, in most cases, if you do physical memory using dd, some of the restricted memory areas you're not able to collect. So it's not as effective as the other Windows memory tools I discussed. So I usually do not use this method, but you can also use dd to acquire nonvolatile evidence as well.

So this is about the source, which one you want to acquire, and then, do you want to use NetCat? Now, this is all connected into one tool. Or do you want to just use attached storage? And where do you want to put the image file, the destination? And then the image name. This tells us this is dd; even though it's not necessary to have the extension .dd, it gives us a hint that this is a form of dd. And you can provide dd's options. Windows dd is designed in a very similar way to match Linux/UNIX dd, even the options. We will talk about dd in detail later. Then, Acquire. Certainly, we're not doing acquisition here now. Let's look at what the next page does.

The next page is FTK Imager. If you click on FTK Imager, you will see FTK Imager allows you to do a memory dump and also other acquisitions. During the previous weeks, we did an exercise and a demo in FTK Imager. So this is just collecting FTK Imager into this tool, okay. And then if you click further, the third page is live RAM acquisition using Winen, and I also mentioned this in class. Winen is free as well, even though most of Guidance Software's products are not free; the acquisition tool is free. So this is Winen from Guidance Software for live memory acquisition. And there's another one called MemDD [phonetic]. This is also free for memory acquisition. So I would never use the first page's dd to acquire memory, but I would use either Winen, FTK Imager, or Memory DD to acquire a Windows live image. All right, so those are the three pages for acquisition: acquiring memory and/or using dd to acquire other information.

Now, let's move on to the next one: Incident Response. It collects various tools for incident response. Let's look at Agile Risk Management's Nigilant32. This one is an interesting tool as well. It says if you want to preview a disk, okay, you click on Preview a Disk. Now, by the way, be very careful, since we are doing a live investigation here. Commonly, I would say if you want to preview a disk, you should have a write blocker, and use a write blocker. So if I click that, there's a tool for partitions; I click the first partition, and then, for those of you familiar with Windows -- actually, we will cover this information in next week's lecture -- this is the Windows NTFS file system, and you'll see those dollar-sign files. Those dollar-sign files are the system files, and we won't look into $MFT now. I just want to give you one example: if you click on this, then on the left pane is the content for this chosen file. This is $MFT, and here they show you a text view, so this is the content inside of $MFTMirr. And then you can look at the other information. You can extract and all that. This is preview. We haven't done acquisition yet, but we want to look around to find out which information I want to acquire. So this tool has a lot of features you can play around with. And certainly, you can start NetCat to dump all the results to a network-connected forensics machine.

Since there's an arrow, we click, and we will see what's on the next page. That's page two. On page two, you can do preservation. You can browse to a file, then it can generate a hash. That's the top one. For the other ones, they can provide you a Command Shell, and RootkitRevealer, the one that can run on this current Windows system to identify rootkits, okay. As for whether this is very effective, this one can only recover rootkits from user mode. It's not very effective, but it can collect some if you have user-mode rootkits there. And then certainly, PuTTY SSH provides you SSH. Now, if I want to see File Recovery -- this is more related to us -- here choose English. Yes. All right, so now, it says, do you want to recover deleted files? Select Logical Drive, or select Pick Your Choice, what kind of file you want to recover. So this information lets you recover the file. It's listed, and then you can choose to export them. So the File Recovery tool is also useful.

Now, it looks like they have more pages, so let's go to the next page. The next page has other information. Each one is a unique tool. Those are all tools, and Helix3 collects them, puts them under one umbrella, and puts them into one interface. For example, IE Cookie Viewer will look at Internet Explorer's cookies. IE History Viewer will look at internet connections; for example, if you use Internet Explorer to connect to certain websites, it can list all the websites you visited. Password Viewer: if you use IE and provide a password for a certain website, it tries to recover the password, okay. Some other things: Registry Viewer allows you to view registry information. There are a bunch of interesting ones, Mail Password Viewer. So lots of these interesting tools are listed here that we can use. Some of the tools we might come back to revisit when we talk about Windows analysis. We will come to visit this page again. So again, those are the three pages on incident response. Very rich resources here.

Move on to the next one. This is a browser, a browser for content. Just be very careful when you're browsing it. It possibly modifies information, so I would say if you have a lecture to do that later, you will do that later. If you have already confirmed it as an incident, don't try to do much at this stage, because in court, people will challenge you saying you are modifying evidence. So be very careful using this tool. Just remember, on the first page, we already agreed that those are all possibly changed, but we still want to do it right. So try to be very careful, okay. In this case, we'll look at the C drive. Now, $Recycle.Bin, again, we will discuss that later in the Windows analysis. This is one of the Windows artifacts. Interestingly, if you click on that, if there's a plus, certainly, you can expand that. So if you have one user, this corresponds to one user's Recycle Bin. And then here are the files -- the $I files. It's all listed in that. We will cover this later, okay. There's Documents and Settings. So this is a map of Windows, basically, and if you look at Users, we logged in; for this virtual machine, I logged in as student. So for this student, I certainly have lots of information. So this is Windows in a tree view. Once again, that allows you to browse it, to preview it, to identify important information to export. But don't do too much because, currently, we do not have a write blocker to use, yeah.

Move on to the next one. It is Scan For Pictures. Given a folder, you can load a folder, and then it will scan all the pictures -- JPEG or graphics -- under this given folder. It will show them in this pane. So it will collect all the pictures and show them to you at one time, on one screen, and then you can right-click and export. Again, it is for during incident response time or preview time, when you want to pick up some pictures or something. And you can even make notes. So this tool is fascinating because it collects all sorts of tools for acquisition, for preservation, and for analysis. You can spend hours and hours playing around with these tools. Hopefully, you will try that later and have fun with it.

>> As we discussed in previous units, forensic investigators examine physical memory content to detect malicious processes, threads, and memory-resident malware, and to recover passwords and encryption keys. In some cases, forensic examiners will not be able to start a forensic investigation without having the physical memory content.

To start memory acquisition, let's learn some well-known Windows memory acquisition tools. The open-source MoonSols Windows Memory Toolkit is a host-based Windows memory acquisition toolkit. It is very easy to use. When you run DumpIt, a tool from this toolkit, from a USB, the raw memory dump will be generated and then written to the same directory you are running DumpIt from. The other host-based Windows memory acquisition tools I recommend include winen.exe from Guidance Software, MemoryDD from ManTech, FTK Imager from AccessData, and Belkasoft Live RAM Capturer. Commercial tools such as F-Response and the Forensic Toolkit allow examiners to conduct forensic acquisition remotely by running an agent on a suspect machine.

Once we have a physical memory image dumped, how do we extract information such as running processes, registry data, event logs, network traffic, web history, et cetera from the memory image for forensic analysis? We used a command called strings to extract printable strings from Linux memory dumps, but strings does not give us all of the valuable information we need. Let's study some memory analysis tools that are capable of extracting processes, network and registry information, even passwords, from a memory dump. Some of these tools also work for Linux/UNIX memory contents.

WindowsSCOPE is a commercial tool for Windows memory acquisition and analysis. You can get a one-month full-featured trial to try out this tool. One of its strengths is the detection and reverse engineering of rootkits and malware. Redline Memoryze from FireEye is a free tool for Windows memory acquisition and analysis. The open-source Python-based toolkit called Volatility Framework is able to extract information from both Windows and Linux/UNIX memory images.

Let's closely look at Volatility Framework to understand how memory analysis tools extract processes and other information. Volatility Framework requires an acquired memory image as an input. To start a memory analysis using Volatility, you should run the Volatility plugin imageinfo first to identify the operating system, service pack, hardware architecture, and the address of the kernel debug structure from the given memory. So, here the given memory is called mem file. The imageinfo output tells you the suggested profile of the image, for example, WinXPSP386. You will pass on this parameter when you run other plugins.

Knowing this profile information, Volatility will use the kernel debug structure to point to kernel objects and structures which contain process and network information. For example, a Windows kernel uses the EPROCESS data structure to store information for each running process. All active EPROCESS structures are doubly linked together. This linked list of EPROCESS structures is pointed to by PsActiveProcessHead. Volatility uses the kernel debug structure to find PsActiveProcessHead and then lists all currently running processes by traversing the EPROCESS linked list.

Volatility Framework supports a variety of plugins, including pslist, psscan, dlllist, modules, connscan, hivelist, et cetera, to allow us to extract processes, threads, registry, network connections, and much other crucial information. The pslist plugin instructs Volatility to use PsActiveProcessHead to list all running processes. To run Volatility Framework with plugins, we will provide the profile we learned from the plugin imageinfo. So, here is one example using a plugin, pslist.

However, to hide processes, rootkits simply unlink these processes from the EPROCESS list. Once unlinked, although these processes continue to run normally, they will be hidden from most standard process enumeration tools such as Windows Task Manager and Sysinternals utilities. The Volatility plugin psscan does not use the linked list of EPROCESS. It scans memory looking for EPROCESS structures that represent processes and then returns the physical address spaces for all EPROCESS objects. Therefore, psscan will list all processes, even the processes hidden by rootkits that are not shown by the pslist plugin. Any discrepancy between the outputs shown by pslist and psscan may indicate that a rootkit is likely installed on the suspect machine. Similarly, the plugin connscan can extract hidden network connections, while the plugin connections cannot survive a malicious attack. The plugin CryptoScan attempts to recover an encryption passphrase from a memory image. Here is an example of using CryptoScan. For Windows memory images, Volatility Framework uses the plugins hivelist and hivescan to dump out the registry hives such as SAM, SECURITY, SOFTWARE, NTUSER.DAT, and UsrClass.dat found in memory.

Google's open-source Rekall Memory Forensics framework, in terms of functionality, is very similar to Volatility Framework. In addition, Rekall is able to acquire Windows, Linux, and Mac memory images. Volatility Framework does not have the acquisition function. In the demo, I will show you how to use Volatility Framework to analyze a memory dump.
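To make concrete how pslist (walking the list from PsActiveProcessHead) and psscan (scanning physical memory for process structures) diverge once an entry has been unlinked, here is an added Python model run on a constructed memory image; it is not Volatility's code, its 36-byte entry layout and "Proc" tag are simplifications of the real EPROCESS and pool-tag structures, and all names, PIDs and addresses are made up. It also shows the caveat a practitioner needs when reading a pslist/psscan discrepancy: psscan also reports terminated processes whose memory has not been reused, so only a running, unlinked entry is the rootkit signature.

```python
"""Toy model of Volatility's pslist vs psscan on a constructed memory image.

Simplified EPROCESS-like entry (NOT the real Windows layout, which Volatility
reads from profile-specific offsets):
  0x00  4-byte tag b"Proc"   (stands in for the pool tag that psscan searches for)
  0x04  uint32 pid
  0x08  uint32 flink         (address of the next entry; real Windows links the
  0x0C  uint32 blink          ActiveProcessLinks field rather than the entry start)
  0x10  uint32 exit_time     (0 = still running, non-zero = terminated)
  0x14  16-byte NUL-padded image name
"""
import struct

TAG = b"Proc"
ENTRY_FMT = "<4sIIII16s"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)  # 36 bytes
HEAD_ADDR = 0x100                        # stands in for PsActiveProcessHead
MEM_SIZE = 0x1000

# Constructed process set: (address, pid, name, linked into active list?, exit_time)
PROCS = [
    (0x200, 4, "System", True, 0),
    (0x300, 368, "smss.exe", True, 0),
    (0x400, 856, "svchost.exe", True, 0),
    (0x500, 1337, "hidden.exe", False, 0),            # running but unlinked (DKOM)
    (0x600, 2040, "notepad.exe", False, 0x5F3759DF),  # exited, memory not yet reused
]


def build_image():
    """Write the entries and the list head into a zeroed 4 KiB 'physical memory'."""
    mem = bytearray(MEM_SIZE)
    ring = [HEAD_ADDR] + [p[0] for p in PROCS if p[3]]  # circular list order
    struct.pack_into("<II", mem, HEAD_ADDR, ring[1], ring[-1])  # head: flink, blink
    for addr, pid, name, linked, exit_time in PROCS:
        if linked:
            pos = ring.index(addr)
            flink, blink = ring[(pos + 1) % len(ring)], ring[pos - 1]
        else:
            flink = blink = 0  # nothing in the active list points here any more
        struct.pack_into(ENTRY_FMT, mem, addr, TAG, pid, flink, blink, exit_time,
                         name.encode("ascii"))
    mem[0x700:0x704] = TAG  # stray tag over zeroed memory: must be rejected as noise
    return mem


def parse_entry(mem, addr):
    """Decode one entry; return None unless it passes basic sanity checks."""
    if addr < 0 or addr + ENTRY_SIZE > len(mem):
        return None
    tag, pid, flink, blink, exit_time, raw = struct.unpack_from(ENTRY_FMT, mem, addr)
    name = raw.split(b"\0", 1)[0].decode("ascii", "replace")
    if tag != TAG or pid == 0 or not name or not name.isprintable():
        return None
    return {"addr": addr, "pid": pid, "name": name, "flink": flink,
            "blink": blink, "exited": exit_time != 0}


def pslist(mem, head=HEAD_ADDR, max_entries=4096):
    """What pslist does: follow flink from the head until the list wraps around."""
    out, seen = [], set()
    cur = struct.unpack_from("<I", mem, head)[0]
    while cur != head and cur not in seen and len(out) < max_entries:
        seen.add(cur)
        entry = parse_entry(mem, cur)
        if entry is None:
            break  # corrupted link: stop instead of following garbage
        out.append(entry)
        cur = entry["flink"]
    return out


def psscan(mem, step=4):
    """What psscan does: ignore the links and scan all of memory for valid entries."""
    found = []
    for off in range(0, len(mem) - ENTRY_SIZE + 1, step):
        entry = parse_entry(mem, off)
        if entry is not None:
            found.append(entry)
    return found


def cross_view(mem, head=HEAD_ADDR):
    """Entries psscan finds that pslist does not, split by whether they had exited:
    an exited entry is normal residue, a running one is the DKOM signature."""
    listed = {e["pid"] for e in pslist(mem, head)}
    hidden, terminated = [], []
    for e in psscan(mem):
        if e["pid"] not in listed:
            (terminated if e["exited"] else hidden).append((e["pid"], e["name"]))
    return {"hidden": hidden, "terminated": terminated}


if __name__ == "__main__":
    image = build_image()
    print("pslist:", [(e["pid"], e["name"]) for e in pslist(image)])
    print("psscan:", [(e["pid"], e["name"]) for e in psscan(image)])
    print("cross-view:", cross_view(image))
```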

>> We learned earlier that FTK Imager from AccessData can dump
out physical memory from a live system.
If you are running a virtual machine, the virtual machine's page file, .vmem,
contains a copy of the guest's main memory.
The open-source toolkit Volatility Framework is one of the best memory forensic
analysis
tools to extract valuable information from a memory
dump or a .vmem file.
In this video, I will show you some basic Volatility plugins to analyze a memory
file,
and we will use a Zeus memory dump as a example.
Now, the Zeus memory dump is provided by Malware Analyst's Cookbook DVD,
and you can also find detailed Zeus memory analysis using Volatility
from various source online.
I will provide to this websites in this week's activities,
for those of you who would like to try by yourself.
And here, I'm still using the SANS Investigative Forensic Toolkits virtual machine,
because this virtual machine has Volatility installed.
Now, if you look at, here, I said which vol.py, Python, and then this,
we try to find out whether this Volatility is installed.
So, this is the path for Python, for Volatility, and to start, we can use the main
page,
and then also, we can use a help page.
For example, for Volatility Framework, they have a very nice help page, if I
provide dash
H, dash H, and you will see the information about
the plugins, various plugins, configuration.
There's a long, yeah, this is a long help, help page.
So, there's a plugins, how do you run that, and then supported plugins,
I'll talk about a few of them in the class, and here is a complete list.
So, for example, connect scan, that one will scan for connections, and many ones,
we'll also talk about the PS scan, and that means the process scan, and a hive scan
for,
hive scan, hive list for registry, hive dump.
So, many of that, and you probably should spend some time,
if you're interested in, to look through that.
Alright.
So, at first, we need to find out to, for the given image,
what is the type of the operating system, as well as the date and time
that this memory image was taken.
So, that one is called I image info, so I would run Volatility Framework, and
certainly,
you have to give the memory dump, because Volatility cannot acquire memory.
It can only work on dumped-out memory.
So, this is the Zeus .vmem, and I copied, I took it from the Malware Analyst's
Cookbook
DVD, so this is a former virtual machine's page
file, that .vmem.
So, I just move over to here, so this is the image file now we have.
And now, we run one of the plugin called I image info.
So, this usually is the first plugin you will use to find out the operating system,
and then later, you can provide that information into the profile information.
So now, analyze this image, and in the lecture, I also told you,
how does Volatility analyze this image?
It finds out, it's suggested, it says it's a WinXP 286, so this is suggested
profile.
Now, by default, Volatility Framework treats image as a WinXP SP 286, so if that's
the
case, and we needn't provide the image profile,
if other ones, sometimes when you run Volatility from other plugins, it will
complaints that
I do not know what is the profile.
Then, you have to provide a profile.
In this case, since this is the default one and we are fine,
we are safe without providing the later plugin's commands.
Now, in here, it also tell you when this image, the image date and the time,
when this image dump was created, because every memory image is just a snapshot,
it's of one time.
Memory is changing all the time, so this is the image time.
Now, we know that, and we can move on to run other Volatility plugins.
For example, we are going to watch what processes are running on the computer
when this memory dump was taken, was recorded.
So, we do, just change the plugin, and then we use Volatility Framework, and again,
it's this image, and run against pslist.
Now, in the lectures, I also discussed, I said pslist will list all the processes,
which is very similar to the result as Windows task manager.
If you have some processes hidden by rootkit, pslist will not be able to find it,
because some rootkits will work on the double link of the process,
try to hide specifically for a particular process.
So, commonly we also use this one to run psscan, because psscan, it use different
approach.
It will detect some of the hidden process, if hidden by rootkit.
Cannot guarantee all right, but it can sometimes can identify some.
So, the common process is, common practice is run this again, and now you will
save.
I did not save, by the way, this time.
You will save both files into file, then you compare, alright?
If you compare that both list, if you can find any discrepancy, that's possibly it
is
a hint, say, something is going on, and then some
process is hidden.
So, after we done this psscan and pslist, we compare the process list.
Now, to read that is also quite simple, and it tells you which word is the process,
SV host, those are the services.
Sometimes rootkits hide within SV hosts.
They call it SV hosts.
And then, the PID, process ID, and parent process ID, and timestamp, as those
information.
So, for this example, if you compare pslist and psscan, they remain same,
so did not give you much of the information.
So, the next one, we want to look at the connections, internet connections.
By the way, like I said, someone has already did a very detailed analysis for Zeus,
so I'm just kind of showing a few of the plugins, here,
to help you to understand, that's all.
But, if a detailed report, you can find from online, okay?
So, connect scan, this will try to find the connection,
the network connection this machine made during the dump time,
during when we collect this image.
So, here we see, we find, there's two connections.
The machine, this machine has connections with 193.104.41.45, and a connect to port
80.
The PID is 856, or 856.
Now, because it's, we understand, if it's connected to that machine's port 80,
then this PID, this process should be a internet browser, right?
It's because connect to the, connect to port 80, so then we look at this PID,
this process with PID equal to 856, to find out whether this is a internet browser
or
not.
>> So now, if we're going back, it's 856, let's look at, see if it's still there,
856.
>> Okay, so this is the one.
If you look at this one, 856 supposed to be a internet browser to connect
to remote machine's port 80, but this one actually, it is svchost.exe, svchost.exe.
Now, svchost.exe, you know, innocent way in that this is a system file, Windows
system
file, but many rootkits actually hide that rootkit
under svchosts.
In Windows, you can actually use task manager to, with the option of slash svc.
It will even tell you whether those svchost a real command, it can spell out,
then you can find out what is the real command hiding under svchost.
But, in here, at least we know this is suspicious, because why the process PID 856
is not a internet
browser, and it is a Windows service.
Now, this is the first thing, suspicious things we find out,
and then commonly what forensic analysis or malware analysis investigators will do
is,
if you find this IP address, and this is information you can check,
so you can keyword search, and also you can put this IP addresses through some
online
tools to find out if this IP address is blacklisted
or not.
So, various tools you can do that, and you can do IPVoid, I-P-V-O-I-D online tool,
or you might try VirusTotal, or Shodan, S-H-O-D-A-N, to find out whether this IP
address is malicious
or not.
But again, run it against those public variable tools, it's rely on the signature.
If this, if, let's say, this machine's IP, no one has report it
in the blacklist, then you still cannot find.
So, in this case, if you do put this IP address into IPVoid, I-P-V-O-I-D,
and you will find this IP address actually is already listed as a blacklist.
That means someone already reported, and once again,
those tools cannot guarantee you'll find blacklist, because someone has
to create the signature already, and then you will be able to find this is
blacklist.
Now, couple of other things you may, you can also try is, for example, a print key,
alright?
So, the print key one is, if you know certain registry key information,
this process might change, might change a certain registry key.
For example, in this case, it is common that children at registry key
to make sure it will be running every time when the computer is restarted,
and this is a win logon registry key, because they want to make sure this tool,
every time when people restart the machine, and then this process start to run.
Now, that is under the Windows, Windows win logon.
If you modify that key value, and then to insert this process into it, to be able
to
other one.
So now here, in this case, we will run, again, so this is, we tried to change the
plugins.
It's called printkey.
If you use .edge, you will find out, if you use Python, sorry, volatility.edge,
you will find that this print key is there, and it provide by the key,
which key you want to look, Microsoft Windows.
This is the registry key, Windows NT, and current version.
Now, we have already discuss, in next class, we will talk about the Windows
registry key
registry, so you will know more information from there,
so this is the key.
If you want to add something autostart, then this value will change, alright?
So, if I spell it right, then it should work.
If you look at here, this is what's changed, based on the memory, right?
The registry key changed, so here.
So, you see, this is the process.
Now, this name, and again, if you are the investigator,
you will be very happy to see that .exe.
That one, those are all in the value, which means will be autostarted when the
Windows,
when Windows boot, and this one is a not common one, definitely.
The rootkit actually add itself, adds itself into this registry value.
Okay.
So, at this point, actually, the investigator already knows quite a lot of information,
and I will stop here, but if you look at the complete report, there are other things in this memory.
For example, you can use a plugin called malfind.
That is a Volatility plugin that will dump out malware; it will help the investigator
find any hidden or injected DLLs in user-mode memory.
So, in that sense, it will dump out the memory, and then you try to search through it
to find the piece which belongs to this zeus.vmem.
And there are other interesting things.
So, as long as you know those plugins, and understand, too,
what each plugin's function is, you can play around with the memories.
And you can dump out memory by yourself, and at least you can look around to see
what kind of processes are running, and even though it's not a malicious memory dump,
you can have fun seeing much more information, because at the beginning we only used strings,
Linux strings, to dump out ASCII printable strings, but with the Volatility Framework,
certainly, you can play more intelligently.
Now, there's another tool I talked about in class, from Google, called Rekall,
and you can play around with that as well.
Okay, so that, I will stop here.
Hopefully, you will enjoy that, and play by yourself.
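The following Python script is an added example, not part of the lecture or of the Volatility project. It assumes the textual layout of Volatility 2's printkey output (lines of the form `REG_TYPE  Name : (S) data` under a `Values:` header) and compares the Winlogon Shell and Userinit values against their Windows 7 defaults, which is the check the investigator above does by eye when an unfamiliar .exe shows up in the value. The sample listing and the implant file name inside it are constructed.

```python
"""Triage the Winlogon autostart values from a Volatility 2 `printkey` listing.

Added example for this lecture, not code from the course or from Volatility.
It assumes the textual layout of Volatility 2's printkey output and compares
the two Winlogon values that run code at logon against their well-known
Windows 7 defaults. Anything extra is reported as a candidate autostart.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample in the shape of
#   vol.py -f zeus.vmem printkey -K "Microsoft\Windows NT\CurrentVersion\Winlogon"
# The appended `sample_implant.exe` is a made-up name standing in for the
# rootkit binary the lecture points at; it is not a real artifact.
SAMPLE_PRINTKEY = """\
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \\??\\C:\\Windows\\system32\\config\\SOFTWARE
Key name: Winlogon (S)
Last updated: 2011-10-10 17:08:11 UTC+0000

Subkeys:
  (S) GPExtensions
  (S) Notify

Values:
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        Userinit        : (S) C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\sample_implant.exe,
REG_DWORD     AutoRestartShell : (S) 1
"""

# Windows 7 defaults for the two Winlogon values that start code at logon.
# Comparison is case-insensitive; Userinit is a comma-separated list whose
# trailing comma is dropped by _split_entries().
EXPECTED_AUTOSTART = {
    "Shell": {"explorer.exe"},
    "Userinit": {r"c:\windows\system32\userinit.exe"},
}

# One value line of printkey output. Value names containing spaces would need
# a wider pattern; the Winlogon values of interest do not contain any.
VALUE_LINE = re.compile(r"^(REG_[A-Z_]+)\s+(\S+)\s*:\s*\([SV]\)\s*(.*?)\s*$")


def parse_printkey_values(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {value_name: (registry_type, data)} from the 'Values:' section."""
    values: Dict[str, Tuple[str, str]] = {}
    in_values = False
    for line in text.splitlines():
        if line.strip() == "Values:":
            in_values = True
            continue
        if not in_values:
            continue
        m = VALUE_LINE.match(line)
        if m:
            reg_type, name, data = m.groups()
            values[name] = (reg_type, data)
    return values


def _split_entries(data: str) -> List[str]:
    """Split a comma-separated REG_SZ list, dropping blanks from the trailing comma."""
    return [entry.strip() for entry in data.split(",") if entry.strip()]


def find_suspicious_autostarts(values: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (value_name, entry) for every Shell/Userinit entry that is not a known default."""
    findings: List[Tuple[str, str]] = []
    for name, expected in EXPECTED_AUTOSTART.items():
        if name not in values:
            continue
        for entry in _split_entries(values[name][1]):
            if entry.lower() not in expected:
                findings.append((name, entry))
    return findings


def triage(text: str) -> Dict:
    """Combine the key's last-write time with the autostart findings."""
    m = re.search(r"^Last updated:\s*(.+?)\s*$", text, re.MULTILINE)
    return {
        "last_updated": m.group(1) if m else None,
        "findings": find_suspicious_autostarts(parse_printkey_values(text)),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_PRINTKEY)
    print("Winlogon last written:", report["last_updated"])
    for value_name, entry in report["findings"]:
        print(f"non-default autostart in {value_name}: {entry}")
```

Pipe real printkey output into `triage()` instead of the constructed sample; the key's last-write time next to the unexpected entry is what you would carry into the timeline.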

In the previous lecture, we introduced several memory acquisition and analysis tools.
In this video, I want to show you one interesting
and unconventional memory dump approach called the cold boot attack.
In the scenario of a live suspect machine with full disk encryption,
if you do not have the passphrase to log into the system,
there's no way to start an investigation.
Since the system is still on, can we dump out its memory without logging into the system,
then possibly extract the encryption keys from the memory?
To do that, we try to cold boot the running computer and possibly reboot the machine
from a USB to dump out memory to the USB.
Cold booting refers to turning the computer power off and then on again quickly,
without letting the operating system shut down cleanly.
Will that work?
Researchers from Princeton University found
that RAM isn't completely erased when it no longer has power.
If you use compressed air cans to cool memory modules,
some memory contents remain readable for several minutes or even up to a couple
of hours after power has been removed.
These researchers also developed a toolkit to dump out the memory and extract encryption keys.
A bootable image called scraper.bin is used to dump computer memory to a USB.
Then a utility called usbdump will dump the RAM from the USB to your forensics system.
They developed aeskeyfind and rsakeyfind to search for keys in memory.
Here is the USB-based cold boot attack process.
First, copy the scraper.bin boot image to your USB.
Use the dd command.
Then set the suspect machine's BIOS to give a USB boot sequence priority over the hard drive.
Connect your USB drive to the suspect machine you would like to perform a cold boot on,
then pull and then quickly restore the power.
Once you boot from the USB key, scraper.bin will start dumping the contents
of RAM to your USB disk.
Once it has completed, you can unplug the USB drive
and plug the USB into your forensics machine.
Then run the utility usbdump from your forensic machine to dump the RAM from the USB disk
to your local drive on the forensic machine.
The following command will assume the USB is mounted on /dev/sdb
and then we call the memory image memdump.image.
When we have the memory dump, we can use Volatility or aeskeyfind or rsakeyfind
to extract encryption keys from memdump.image.
After recovering the key, you can log into the system and decrypt the encrypted hard drives.
Please be aware that if the cold boot fails, you will not get any useful memory dump.
In addition, you will lose all volatile memory information due to the reboot.
So, you will only use the cold boot approach if you do not have other viable solutions.
Remember, you have to document all the actions you take with a forensic machine.
There are also some memory anti-forensics tools, such as Dementia and Attention Deficit Disorder.
These tools attempt to taint the memory image
to either defeat the memory acquisition process or defeat memory analysis.
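Here is an added example, in Python, of the key-search step described above; it is not the Princeton toolkit and not part of the lecture. It implements the idea behind aeskeyfind: treat every 16-byte window of the memory image as a candidate AES-128 key, expand it with the AES key schedule, and report the offset when the next 160 bytes match the expected round keys within a bit-error budget that stands in for DRAM decay. The memory image, the planted keys and their offsets are constructed, and the 16 key bytes themselves are assumed to be intact (the real tool also corrects errors inside the key).

```python
"""Recover AES-128 keys from a memory image by locating their key schedules.

Added example for this lecture, not code from the course or from the
Princeton toolkit (aeskeyfind). Any 16-byte window is treated as a candidate
key, expanded with the AES key schedule, and accepted if the following
160 bytes match the expected round keys, allowing a bounded number of
flipped bits to model DRAM decay. The sample image is constructed in-line.
"""
import random
from typing import List, Tuple

SCHEDULE_LEN = 176  # 11 round keys * 16 bytes for AES-128


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    if a & 0x100:
        a ^= 0x11B
    return a & 0xFF


def _gf_mul(a: int, b: int) -> int:
    """General multiplication in GF(2^8) built from _xtime."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox() -> List[int]:
    """Derive the AES S-box: multiplicative inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = 0
        if x:
            inv, p, e = 1, x, 254  # x^254 == x^-1 in GF(2^8)
            while e:
                if e & 1:
                    inv = _gf_mul(inv, p)
                p = _gf_mul(p, p)
                e >>= 1
        s = inv
        for shift in (1, 2, 3, 4):  # b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()


def expand_aes128_key(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte round-key schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    words = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        temp = list(words[i - 1])
        if i % 4 == 0:
            temp = temp[1:] + temp[:1]          # RotWord
            temp = [SBOX[b] for b in temp]      # SubWord
            temp[0] ^= rcon                     # Rcon
            rcon = _xtime(rcon)
        words.append([a ^ b for a, b in zip(words[i - 4], temp)])
    return bytes(b for w in words for b in w)


def find_aes128_keys(image: bytes, max_bit_errors: int = 0) -> List[Tuple[int, bytes]]:
    """Return (offset, key) for every window whose expansion matches the bytes after it.

    The 16 key bytes must be intact; only the expanded round keys may carry
    up to max_bit_errors flipped bits. The scan stops comparing a window as
    soon as the budget is exceeded, so most offsets are rejected quickly.
    """
    hits: List[Tuple[int, bytes]] = []
    for off in range(len(image) - SCHEDULE_LEN + 1):
        key = image[off:off + 16]
        expected = expand_aes128_key(key)[16:]
        observed = image[off + 16:off + SCHEDULE_LEN]
        errors = 0
        for a, b in zip(expected, observed):
            errors += bin(a ^ b).count("1")
            if errors > max_bit_errors:
                break
        else:
            hits.append((off, bytes(key)))
    return hits


# Constructed sample: pseudo-random filler with two planted schedules. The
# first is intact; the second has five bits flipped in its round keys to
# stand in for the decay a cold boot capture would show.
KEY_A = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A key
KEY_B = bytes(range(16))
OFFSET_A, OFFSET_B = 512, 2300


def build_sample_image() -> bytes:
    rng = random.Random(2008)
    image = bytearray(rng.getrandbits(8) for _ in range(3072))
    image[OFFSET_A:OFFSET_A + SCHEDULE_LEN] = expand_aes128_key(KEY_A)
    decayed = bytearray(expand_aes128_key(KEY_B))
    for bit in (17 * 8 + 3, 60 * 8, 99 * 8 + 7, 140 * 8 + 1, 175 * 8 + 4):
        decayed[bit // 8] ^= 1 << (bit % 8)
    image[OFFSET_B:OFFSET_B + SCHEDULE_LEN] = decayed
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for off, key in find_aes128_keys(img, max_bit_errors=8):
        print(f"AES-128 key schedule at offset {off:#x}: {key.hex()}")
```

Run it against a real dump by passing the file contents to `find_aes128_keys()`; with `max_bit_errors=0` only pristine schedules are reported, and raising the budget is what lets a decayed capture still yield the key.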

>> After acquiring the volatile data, we move on to acquire non-volatile data.
Although it is possible to acquire drives from a live system,
the most efficient disk imaging approach is using high-speed forensic imagers.
At this point, Logicube's Forensic Falcon achieves 30 gigabytes per minute imaging speed,
while MediaClone's SuperImager reaches 29 to 31 gigabytes per minute.
The prices of these imagers range from hundreds to thousands of dollars.
The imaging process is easy.
You simply connect your source drive to the forensic imager to start imaging.
The duplicated image, in the format of your choice, will be stored on a target drive.
Some target drives, or destination drives, are sealed within the imager unit.
For example, FDAS by CyanLine.
Some forensic imagers, for example the Falcon, can simultaneously image multiple source drives
to multiple destination drives, creating multiple images in different formats.
These imagers have built-in write blocker functionality to ensure
that the original drive data will not be modified.
Commonly, the left side of the imager connects write-blocked source drives
and the right side connects destination drives, if the destination drives are not sealed within
the imager unit.
These imagers will also generate and verify hash values automatically after imaging.
If you do not have a forensic imager, using the combination of a software-based imaging
tool with a write blocker is common to create a bitstream copy of drives.
We saw both dd and FTK Imager in previous units.
Besides these two, EnCase Forensic Imager and EnCase Forensic from Guidance Software,
and Forensic Toolkit from AccessData, are among the leading products in drive image acquisition.
EnCase Forensic Imager is a free acquisition tool that also provides the functionality
of viewing and browsing potential evidence files.
However, you will need a write blocker to separate the original drives
from the imaging software, to prevent the software from modifying data on the original drives.
EnCase Forensic from Guidance Software was the first sophisticated forensic imaging
and analysis tool on the market, in 1998.
When using EnCase to acquire an image, it creates an EnCase evidence file.
This evidence file includes headers, the content of the original drive or media,
and MD5 and SHA1 hash values.
Besides hash values, the EnCase evidence format also adds error detection
by storing a CRC checksum for every 64 sectors of data.
If hashes do not match, the CRCs will help find where the change is at the sector level.
All versions of the EnCase image use the .E01 extension.
This extension is recognized as the EnCase image file format,
also known as Expert Witness Format, EWF for short.
Since EnCase version 7, the extension becomes .Ex01, known as EWF version 2.
EnCase can also create images of files and directories,
without including slack and deleted data.
This type of image is called a logical evidence file, with the extension .Lx01.
Both the Ex01 and Lx01 formats support compression and encryption of the data.
Although there are other disk image formats, both the raw dd image
and the EnCase image are among the most common disk image formats used in forensic imaging.
FTK Imager can convert one type of image to another image format.
Another great feature of EnCase is that it has its own built-in software write blocker,
to provide a forensically sound write blocking software solution for all connected disks.
Hardware write blockers use a hardware device that physically separates your evidence disk
from your forensic workstation.
What is a software-based write blocker?
Software write blocking uses a software application stored on your forensic workstation
to prevent the workstation from writing to attached disks.
For example, SAFE Block Win8, from ForensicSoft Inc., is a standalone software write
blocker that can be stored and used with other forensic acquisition tools.
EnCase has its own software write blocker called FastBloc SE
that is built into the EnCase software.
Here are the steps for using EnCase's built-in FastBloc SE write blocker
to acquire a subject device.
First, make sure that the subject device is not connected before we turn
on the write block option.
Launch EnCase Forensic, and create a new case.
Then select Tools, FastBloc SE, and select the Plug and Play tab with the write blocked option.
Insert a USB or other device for imaging.
Click Close.
With FastBloc SE turned on, you will have no risk
of modifying the source evidence when you acquire a device image.
So far we have assumed that forensic examiners always know which drives
or partitions they should acquire.
However, since acquisition is a long, time-consuming process,
examiners would like to go through multiple drives to decide
which one is most likely to contain critical evidence.
This is called previewing the evidence.
EnCase and FTK Imager let you preview drives before acquiring them.
This means you only read data, but do not own the data.
Preview allows examiners to quickly determine whether relevant evidence exists
on a computer before going through a long acquisition process.
Remember, you have to use the write blocker for imaging as well
to ensure you do not change a single bit on the drive when viewing the files.
Finally, we will discuss remote live forensics, with the capability of acquiring memory
and drive data from a remote machine in a forensically sound manner.
Several commercial solutions, like EnCase Enterprise, Mandiant MIR,
and F-Response, are able to gather live information from a remote machine
through an agent preinstalled on the remote systems.
Google Rapid Response, GRR, is a powerful open source incident response framework
focusing on remote live forensic acquisition and analysis.
GRR uses a client-server architecture.
Agents are installed on all the clients, which frequently communicate with the server
to receive tasks and send task results to the server.
The servers are responsible for sending requests to the clients
and collecting information from the clients.
GRR includes both The Sleuth Kit and Rekall.
Its memory acquisition and analysis functions are provided by Rekall, and its disk
and file system analysis functions are supported by The Sleuth Kit.
Although using GRR for remote forensic acquisition and analysis is not required
to pass this course, it is a very powerful tool for forensic investigators.
In this unit, we covered the Windows volatile and non-volatile data acquisition process
and technologies.
In the next unit, we will look at the Windows file system and registry.
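As an added example (not code from the lecture, from EnCase or from Guidance Software), the Python below shows why the CRC stored for every 64 sectors in the EnCase evidence file matters when the MD5 and SHA1 over the whole image no longer match: the per-chunk CRCs localise the change to a 64-sector block. It does not produce an E01 container; the source "drive" and the flipped byte are constructed.

```python
"""Verified imaging with per-chunk error localisation, modelled on the EnCase
evidence file: whole-image MD5/SHA1 plus a CRC32 over every 64 sectors.

Added example for this lecture, not code from the course, from EnCase or
from Guidance Software. It does not write the E01 container; it only shows
what the per-chunk CRCs buy you once the overall hashes disagree.
"""
import hashlib
import zlib
from typing import Dict, List, Tuple

SECTOR_SIZE = 512
CHUNK_SECTORS = 64
CHUNK_SIZE = SECTOR_SIZE * CHUNK_SECTORS  # 32 KiB covered by each CRC


def acquire(source: bytes) -> Tuple[bytes, Dict]:
    """Bit-for-bit copy plus a manifest of MD5, SHA1 and per-chunk CRC32.

    `source` is only read; an imager sits behind a write blocker for the
    same reason, so nothing here modifies it.
    """
    image = bytes(source)
    manifest = {
        "size": len(image),
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
        "crc32": [zlib.crc32(image[i:i + CHUNK_SIZE]) & 0xFFFFFFFF
                  for i in range(0, len(image), CHUNK_SIZE)],
    }
    return image, manifest


def verify(image: bytes, manifest: Dict) -> Dict:
    """Re-hash the image and, on mismatch, localise damage to 64-sector blocks."""
    hashes_match = (
        len(image) == manifest["size"]
        and hashlib.md5(image).hexdigest() == manifest["md5"]
        and hashlib.sha1(image).hexdigest() == manifest["sha1"]
    )
    bad_chunks: List[int] = []
    for idx, expected in enumerate(manifest["crc32"]):
        chunk = image[idx * CHUNK_SIZE:(idx + 1) * CHUNK_SIZE]
        if (zlib.crc32(chunk) & 0xFFFFFFFF) != expected:
            bad_chunks.append(idx)
    return {
        "hashes_match": hashes_match,
        "bad_chunks": bad_chunks,
        # First and last sector number of each chunk whose CRC failed.
        "bad_sector_ranges": [(c * CHUNK_SECTORS, (c + 1) * CHUNK_SECTORS - 1)
                              for c in bad_chunks],
    }


def flip_byte(image: bytes, sector: int, offset_in_sector: int = 0) -> bytes:
    """Return a copy with one byte altered, simulating a damaged or tampered image."""
    damaged = bytearray(image)
    damaged[sector * SECTOR_SIZE + offset_in_sector] ^= 0xFF
    return bytes(damaged)


def make_sample_drive(num_chunks: int = 10) -> bytes:
    """Constructed stand-in for a source drive: every sector tagged with its number."""
    sectors = []
    for n in range(num_chunks * CHUNK_SECTORS):
        header = f"SECTOR {n:08d} ".encode()
        sectors.append(header + bytes([n & 0xFF]) * (SECTOR_SIZE - len(header)))
    return b"".join(sectors)


if __name__ == "__main__":
    drive = make_sample_drive()
    image, manifest = acquire(drive)
    print("clean image:", verify(image, manifest))
    print("after flipping a byte in sector 200:", verify(flip_byte(image, 200), manifest))
```

The whole-image hashes tell you only that something changed; the CRC list tells you that the change sits in sectors 192 to 255 here, which is the block you would then compare against the original under a write blocker.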
