live forensics
Are you alive?
Gordon Mitchell
Future Focus, Inc
aka bug-killer, eSleuth, …
Shocking news
Federal judges now briefed on need for live forensics
Defense may object to your leaving out 2GB of evidence (RAM)
It may never be possible to find the important issues without live forensics.
Ovie Carroll, DOJ, at the SANS Summit:
– Current forensics does not scale
– Defense may ask about RAM
– Need to collect it even if it is not analyzed
– Always need to focus on user attribution
– User attribution must be in the search warrant
Don’t pull the plug
– Get status of the network
– Check all running processes
– List the users, shares, …
– Grab RAM
My info sources
– Harlan Carvey’s book – a great resource
– SANS Summit – the future of forensics
– Software vendors:
– X-Ways Forensics (good forensics analysis)
– F-Response (remote connection to HD & RAM)
– Sysinternals (superb for Windows diagnostics)
– Mandiant (PC profiling)
– HBGary (impressive RAM parsing & analysis)
Sysinternals
Prevent the EULA popup (each tool takes an -accepteula switch)
Batch file of commands
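The "don’t pull the plug" checklist above (network, processes, users and shares, RAM) as a batch file of Sysinternals and built-in commands. This is an added example, not a script from the talk; the tools\ folder beside the script, the output folder on the responder’s own media and the use of mdd.exe for the RAM image are assumptions. -accepteula stops the EULA dialog, but note that it does so by writing EulaAccepted under HKCU\Software\Sysinternals on the target, so that registry change belongs in your collection notes.

```batch
@echo off
REM Live-response collection batch file. Added example, not from the slides;
REM the folder layout and output location below are assumptions.
REM Assumed layout: this script on the responder's USB stick or CD, with the
REM Sysinternals tools in tools\ next to it and mdd.exe in the same folder.
REM Run from an elevated command prompt on the target; install nothing.
setlocal
set TOOLS=%~dp0tools
set OUT=%~dp0out_%COMPUTERNAME%
if not exist "%OUT%" mkdir "%OUT%"
set LOG=%OUT%\00_collection_log.txt

REM Record who collected, on which host, and when (built-in commands only).
echo Live collection on %COMPUTERNAME% by %USERNAME% > "%LOG%"
date /t >> "%LOG%"
time /t >> "%LOG%"
echo %PROCESSOR_ARCHITECTURE% >> "%LOG%"

REM RAM first: it is the most volatile item, and every command below changes
REM it. mdd -o writes a raw image of physical memory (the slides note that mdd
REM does not work on Vista; substitute a Vista-capable imager there).
"%TOOLS%\mdd.exe" -o "%OUT%\ram.dd" >> "%LOG%" 2>&1

REM Network state: interfaces, connections with owning PIDs, ARP and routes.
REM tcpvcon -a lists all endpoints, -c writes CSV, -n skips name resolution
REM (resolving names would generate DNS traffic from the target).
ipconfig /all > "%OUT%\ipconfig.txt"
netstat -ano > "%OUT%\netstat.txt"
arp -a > "%OUT%\arp.txt"
route print > "%OUT%\route.txt"
"%TOOLS%\tcpvcon.exe" -accepteula -a -c -n > "%OUT%\tcpvcon.csv"

REM Running processes: tree view, services, loaded DLLs, open handles and
REM autostart entries. -accepteula suppresses the EULA dialog on every tool.
tasklist /v > "%OUT%\tasklist.txt"
"%TOOLS%\pslist.exe" -accepteula -t > "%OUT%\pslist.txt"
"%TOOLS%\psservice.exe" -accepteula > "%OUT%\psservice.txt"
"%TOOLS%\listdlls.exe" -accepteula > "%OUT%\listdlls.txt"
"%TOOLS%\handle.exe" -accepteula -a > "%OUT%\handle.txt"
"%TOOLS%\autorunsc.exe" -accepteula > "%OUT%\autoruns.txt"

REM Users, logon sessions, shares and mapped drives.
net user > "%OUT%\net_user.txt"
net localgroup administrators > "%OUT%\net_admins.txt"
net share > "%OUT%\net_share.txt"
net session > "%OUT%\net_session.txt"
net use > "%OUT%\net_use.txt"
"%TOOLS%\psloggedon.exe" -accepteula > "%OUT%\psloggedon.txt"
"%TOOLS%\logonsessions.exe" -accepteula -p > "%OUT%\logonsessions.txt"

REM System profile last; psinfo -h -s -d adds hotfixes, software and disks.
"%TOOLS%\psinfo.exe" -accepteula -h -s -d > "%OUT%\psinfo.txt"

REM Close the log so the collection window is documented end to end.
echo Collection finished >> "%LOG%"
time /t >> "%LOG%"
endlocal
```

Run it from a known-good cmd.exe copied onto the responder media rather than the target’s own shell, and keep every output file on that media: nothing here writes to the target’s disk, and the order is most volatile first because each command you run alters the memory you have not yet captured.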
fuzzy hashing
– finds almost-the-same files, finds alterations, partial files
– ssdeep -r <files> (to generate a list of hashes)
– ssdeep -m file_of_hashes [options] (to compare against that list)
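The generate-then-compare workflow above, worked through as a batch file. This is an added example and not from the talk; ssdeep.exe next to the script, the C:\baseline and E:\suspect paths and the score threshold of 50 are assumptions.

```batch
@echo off
REM Fuzzy-hash baseline and comparison with ssdeep. Added example, not from
REM the slides; the paths and the threshold are assumptions.
REM Assumed: ssdeep.exe next to this script, a trusted install of the
REM application in C:\baseline, and the copy from the evidence drive mounted
REM read-only at E:\suspect.
setlocal
set SSDEEP=%~dp0ssdeep.exe
set OUT=%~dp0ssd_out
if not exist "%OUT%" mkdir "%OUT%"

REM 1. Generate: -r walks the tree and writes one line per file in the ssdeep
REM    list format  blocksize:hash1:hash2,"path"  under a version header line.
"%SSDEEP%" -r C:\baseline > "%OUT%\baseline.ssd"

REM 2. Compare: -m matches every file found under E:\suspect against the list.
REM    Each hit prints  <suspect file> matches <baseline file> (score)  where
REM    100 means identical and lower scores mean more of the content differs.
REM    -t 50 keeps only scores of 50 and above, so unrelated files drop out.
"%SSDEEP%" -m "%OUT%\baseline.ssd" -r -t 50 E:\suspect > "%OUT%\matches.txt"

REM 3. The interesting lines are the partial matches: a file that matches its
REM    baseline counterpart with a score well below 100 was altered after
REM    install (patched, trojaned) or is a fragment recovered by carving.
REM    Exact matches carry "(100)", so drop those and keep the rest.
findstr /v /c:"(100)" "%OUT%\matches.txt" > "%OUT%\altered.txt"

echo Exact and near matches: %OUT%\matches.txt
echo Altered or partial files: %OUT%\altered.txt
endlocal
```

A conventional MD5 or SHA-1 set only tells you a file is not the one you know; the score in altered.txt tells you how much of a known file is still there, which is what turns "unknown binary" into "modified copy of X".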
active registry monitor arm_db.rgf $40 (only runs thru XP)
– allows registry diff; run before and after installation
InCtrl5 $7 (only runs thru W2K)
– application installer analyzer
– keeps track of what changes happen on install
mdd.exe, from ManTech (no good on Vista)
Volatility, voltage, etc. from Aaron Walters
See Windows Forensic Analysis by Harlan Carvey
– di (physical disk info)
– ldi (logical disk info)
– sr (restore point settings from XP; no harm in Vista)
– lsproc (gets processes from memory)
– lspd (give it the dump file name and an offset from the lsproc output to get the process details)
Free tools from Mandiant
– Command line tools for minimal impact on the target system
– Grab important info on machine condition
– Can collect for later comparison
– Console lets results from individual systems be compared
Mandiant
Collecting RAM -- a demo in Vista!
Target machine
– Start F-Response client
Analysis machine
– Start X-Ways Forensics (recent version)
– Set up iSCSI initiator
– Add medium to case
– Search or save
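The analysis-machine side of the demo above, done with the Microsoft iSCSI initiator’s command-line tool instead of its GUI. This is an added example, not part of the talk; the target address is an assumption and the target names are whatever F-Response advertises in the ListTargets output.

```batch
@echo off
REM Attach an F-Response iSCSI target (disk or RAM) to the analysis machine
REM with the Microsoft iSCSI initiator CLI. Added example, not from the
REM slides; the target address below is an assumption, and the target name
REM is taken from the initiator's own ListTargets output.
setlocal
set TARGET_IP=192.0.2.10

REM 1. The Microsoft iSCSI initiator service must be running on this machine.
sc start MSiSCSI >nul 2>&1

REM 2. Tell the initiator where the F-Response agent is listening (iSCSI uses
REM    TCP 3260 by default) and print the targets it advertises.
iscsicli QAddTargetPortal %TARGET_IP%
iscsicli ListTargets

REM 3. Pick the disk or physical-memory target from the list above; F-Response
REM    exposes each as its own iSCSI target name (IQN).
set /p TARGET=Paste the target name to attach: 

REM 4. Log in. F-Response presents the device read-only, so writes from the
REM    analysis machine are refused rather than reaching the evidence.
iscsicli QLoginTarget %TARGET%

REM 5. The new device now shows up as a local physical disk; note its index
REM    for "Add medium" in X-Ways (or any imager) on the analysis machine.
wmic diskdrive get index,model,size

REM 6. When finished, list the sessions so the target can be logged out.
iscsicli SessionList
echo Log out with: iscsicli LogoutTarget ^<SessionId^>
endlocal
```

Attach the RAM target and add it as a medium the same way as the disk: what arrives is a raw image of the target’s physical memory read across the network, which is why nothing on the target itself needs to be written during the capture.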
Tools from HBGary
– Analyze RAM
– Suspect stuff is identified
– $3500 basic GUI version – it really works!
New news – it’s not all on the hard drive
Thanks for coming... (888) eSleuth www.eSleuth.com