• Collecting results locally means storage media will be connected to the subject system and the results will be saved onto the connected media.

• Remote collection means establishing a network connection from the subject system, typically with a netcat or cryptcat listener, and transferring the acquired system data over the network to a collection server. This method reduces system interaction, but relies on the ability to traverse the subject network through ports established by the netcat listener.

• Because each version of the Windows operating system has different ways of structuring data in memory, existing tools for examining full memory captures may not be able to interpret memory structures properly in every case.

• Therefore, after capturing the full contents of memory, use an Incident Response suite to preserve information from the live system, such as lists of running processes, open files, and network connections, among other volatile data. A number of commonly used Incident Response tool suites are discussed in the Tool Box section at the end of this chapter.

• Some information in memory can be displayed by using Command-line Interface (CLI) utilities on the system under examination. This same information may not be readily accessible or easily displayed from the memory dump after it is loaded onto a forensic workstation for examination.

• Running incident response tools on the subject system will alter the contents of memory.

• To get the most digital evidence out of physical memory, perform a full memory capture prior to running any other incident response processes.

• There are a myriad of tools that can be used to acquire physical memory, and many have similar functionality. Often, choosing a tool comes down to familiarity and preference. Given that every malware incident is unique, the right tool for the job may be driven not just by the incident type but by the victim system typology.

• Nigilant32 provides an intuitive interface and simplistic means of imaging a subject system’s physical memory using a drop-down menu in the tool’s user console.

• To image memory from Nigilant32, select the “Image Physical Memory” option from the “Tools” menu, as shown in Figure 1.4.

Figure 1.4 Imaging physical memory with Nigilant32

• At the prompt, select the location where the memory dump file will be saved; memory imaging will start thereafter.

• There are four versions of F-Response (Field Kit, Consultant, Enterprise, and TACTICAL) that vary in deployment method, but all provide access to a remote subject system drive as a local mounted drive.

• F-Response is flexible and “vendor agnostic,” meaning that any tool can be used to acquire an image of the subject system’s hard drive and physical memory once connected to it.

• F-Response Field Kit and TACTICAL are typically used in the context of live response, particularly in scenarios where the subject systems are at a third-party location and F-Response Consultant Edition or Enterprise Edition have not been deployed prior to the incident.

• F-Response Field Kit requires a single USB key FOB dongle and the Field Kit executable (f-response-fk.exe), both of which are initiated on subject system. Conversely, the examiner system, which enables the digital investigator to leverage the results of F-Response, simply requires the installation and invocation of the Microsoft iSCSI initiator service. F-Response TACTICAL, which uses a distinguishable paired key FOB deployment, is discussed in the Tool Box section at the end of this chapter.

• To access the physical memory of the remote subject system with an F-Response Field Kit, connect the USB key FOB dongle to the subject system and execute F-Response. Enter the proper subject system identifiers, and enable “Physical Memory,” using the radio button, as shown in Figure 1.5.

Figure 1.5 Using F-Response to connect to a subject system

• On your local examiner system, invoke the iSCSI initiator service, select the “Discovery” tab, and add the subject system as a target, as shown Figure 1.6.

Figure 1.6 Adding the subject system as a target through the iSCSI initiator service

• Choose the “Advanced” option and provide the same username and password credentials used in the F-Response Remote Configuration (Figure 1.7).

Figure 1.7 Authenticating through the iSCSI initiator to acquire the target system

• After authenticating, the subject system will appear as a target. Select the subject system hard drive and physical memory from the target list (requiring re-authentication) and connect to the subject system; the connection status will be displayed in the target list (Figure 1.8).

Figure 1.8 Connecting to the subject system

• Once connected to the subject system through F-Response, the subject system’s hard drive can be accessed locally on your examiner system, as shown in Figure 1.9.

Figure 1.9 Viewing the remote subject system hard drive through F-Response

• On your local examiner system, use the Disk Management snap-in to verify that the physical memory is also “mounted.”

• As physical memory does not have a file system or partition table, the physical memory will not be recognized as a drive, but rather as an unknown disk, as shown in Figure 1.10.

Figure 1.10 Identifying physical memory from a remote subject system

• In Figure 1.11, Helix3 Pro⁷ was used to acquire the memory image from the remote subject system. The Helix3 Pro Live CD was initiated on the examiner system and identified the subject system’s physical memory as a local drive (PhysicalDrive2); acquisition was conducted by selecting PhysicalDrive2 as the item to image.

Figure 1.11 Acquiring physical memory from a remote subject system

• System date and time

• System identifiers

• Network configuration

• Enabled protocols

• System uptime

• System environment

• Help discover any potential intruders logged into the compromised system.

• Identify additional compromised systems that report to the subject system as a result of the malicious code incident.

• Provide insight into a malicious insider malware incident.

• Provide additional investigative context by being correlated with other artifacts discovered.

• Obtain the following information about identified users logged onto the subject system:

• To collect a simple list of running processes and assigned PIDs from our subject system, use tlist,²⁴ a multifunctional process viewer utility for Windows distributed with Debugging Tools for Windows.

• To get an overview of the running processes and associated location of executable program locations, use PRCView (pv.exe)²⁶ with the -e switch, as shown in Figure 1.15.

Figure 1.15 Using PRCView to reveal the location of executables associated with running processes

• Using tasklist with the –V switch, identify the program name, PID, memory usage, program status, and associated username.

• Query the subject system with any of the following commands to obtain a structured and hierarchical “tree” view of processes.

• Many malicious code specimens, particularly rootkits, use a technique called “DLL injection,” wherein malware “injects” code into the address space of a running process by forcing it to load a dynamic link library.²⁸

• A great utility for viewing the DLLs loaded by a running process is listdlls,²⁹ which identifies the modules invoked by a process and reveals the full path to the respective modules. Other utilities to consider for this task include Procinterrogate,³⁰ PRCView,³¹ and ListModules.³²

• As with the examination of running processes and ports, explore running services by first gaining an overview and then applying tools to extract information about the services with more particularity.

• While investigating running services, gather the following information:

• Gain a good overview of the running services on a subject system by using a trusted version of tasklist with the /svc switch, which displays services in each process.

• The output from this command provides a concise listing of the executable program name, PID, and description of the service, if applicable.

• To gather greater detail about running services, refer to the Tool Box section at the end of this chapter and on the companion Web site, http://www.malwarefieldguide.com/Chapter1.html.

• To explore installed system drivers, query the subject system with a trusted version of List Loaded Driver (drivers.exe)³⁶ and DriverView.³⁷

• The output provided by List Loaded Drivers (drivers.exe) is verbose and granular. Compare a thorough examination of any suspicious files acquired from the subject system against the collected data to identify artifacts of value.

• Open files may reveal other correlating or identifying information about suspicious processes identified during the course of live response.

• If malware has given the attacker access into the compromised system, the attacker, during the course of intrusion, may have opened certain files.

• Identifying open files may explain the purpose of the attack, whether probing financial databases, sensitive corporate information, or other unique resources on the system.

• Examine files opened locally and remotely.

• To examine files opened locally, query the subject system with OpenFilesView.³⁸

• OpenedFilesView displays a list of all opened files on a subject system and additional information about the accessed files, such as:

• A remote connection from an anomalous system or share accessing files on the subject system are potentially indicia of compromise, so endeavor to identify files that are accessed remotely.

• Query the subject system with a trusted version of the native net file command or the psfile utility.³⁹

• Display all of the commands that are stored in memory by issuing the doskey/history⁴⁰ command from the toolkit’s trusted command prompt.

• The doskey/history command can be configured to hold a maximum of approximately 61,900 bytes of data.

• Command prompt history can provide valuable contextual evidentiary information, such as:

• To query a subject system to identify available shares, use a trusted version of the native Windows utility, net, as seen in Figure 1.17.

Figure 1.17 Identifying shares on a subject system

• Reveal discovered scheduled tasks on a subject machine using a trusted version of the native Windows utility at.⁴⁴

• Confirm your findings by querying with schtasks,⁴⁵ which is also native to Windows XP and subsequent versions.

• The clipboard contents may contain:

• Examine the contents of a subject system’s clipboard with pclip,⁴⁶ which collects and displays the contents of the clipboard, seen here in Figure 1.18.

Figure 1.18 Exploring the clipboard contents with pclip.exe

• The following command takes the contents of an internal hard drive and saves it to a file on removable media along with the MD5 hash (for integrity/validation purposes) and an audit log that documents the collection process (Figure 1.19).

Figure 1.19 Forensic duplication of a hard drive using dd

• When more extensive forensic analysis is required, such as hash analysis and keyword searching, work should be performed on a forensic image, as discussed in Chapter 3. Although the tools covered in this section are designed to run on live Windows systems, some also are useful in post-mortem analysis.

• The following non-volatile data analysis can aid in understanding the malware:

• Collect patch level and version information for a Windows system using the WinUpdatesList utility.⁴⁷

• Logging level and access control lists can be extracted using auditpol⁴⁸ and dumpsec.⁴⁹

• If security logging is not enabled, there will most likely be no log entries in the Security Event Log.

• When a system is configured to record security events but the Security Event Log is empty, ascertain whether the logs are stored elsewhere or were intentionally cleared.

• The “hosts” file contains associations between IP addresses and hostnames.

• The “networks” file contains associations between ranges of IP addresses and network names, which are generally assigned by network administrators.

• The “lmhosts” file contains associations between the IP address and NetBIOS names.

• Prefetch files are located in “%systemroot%Prefetch” and, among other information, contain the name of the program when it was executed.

• The creation date of a particular prefetch file generally shows when the associated program was first executed on the system, and the last modified date indicates when it was most recently executed.

• To document the creation and last modified dates of files in the prefetch directory, use a trusted command shell (cmd.exe) to invoke the following commands (see Figure 1.21):

Figure 1.21 Listing prefetch files from a trusted command shell

• References to malware embed in these auto-starting locations to increase the malware’s longevity on a computer.

• One of the most effective tools for viewing auto-start locations is AutoRuns,⁵⁰ which has both GUI and command-line versions (autorunsc).

• Query a subject system for all auto-starting entries using the autorunsc –a command.

• AutoRuns has a feature to ignore legitimate, signed Microsoft items, reducing the volume of output.

• These logs are stored in a proprietary Microsoft format; extract them in American Standard Code for Information Interchange (ASCII) text form for examination using log analysis tools that do not support the native Event Log format.

• Collecting these logs from the live system will extract the native message strings from that system.

• These logs can be collected using eldump, a utility specifically designed to process Event Logs from Windows systems. The same utility also can be used to read saved Event Log files.⁵¹

• As shown in Figure 1.23, to collect specific event logs from a subject system with eldump use the –l switch and the name of the log (security, system, or application).

Figure 1.23 Collecting Event View Logs with eldump.exe

• This information may be particularly pertinent when a malicious insider is the suspected wrongdoer, as opposed to an “outside” attacker.

• Check for user accounts that are not supposed to be in local or domain level administrator groups.

• The net user command can be used to list all accounts on the local system.

• The HFind and SFind⁵³ utilities in the Forensic Toolkit from Foundstone can be used to locate alternate data streams and files that are hidden from the general user by the operating system and can be listed using HFind.

• A list of files that have been placed in the Recycle Bin can be obtained by reading the INFO file using a tool like Foundstone’s rifiuti.⁵⁴

• In addition to dumping the entire Registry contents to a text file, particular areas of interest can be processed individually.

• Details about the Universal Serial Bus (USB) devices that have been plugged into the system can be extracted from the Registry with USBView.⁵⁸ This information may be particularly valuable in the instance of a malicious insider, wherein the infection vector was from a physical access to a system, such as a USB device. Alternately, a user may have inadvertently used a USB device infected with malware that exploits Windows autorun functionality.⁵⁹

• Examination of the Registry is covered in more depth in Chapter 3 in the context of a full post-mortem forensic examination of a compromised system.

• To access the Registry of a remote subject system with an F-Response Field Kit, initiate F-Response on the system, as shown in Figure 1.25.

Figure 1.25 Using F-Response to connect to a subject system

• On your examiner system, invoke the iSCSI initiator service and select the “Discovery” tab to add the subject system as a target, as shown Figure 1.26.

Figure 1.26 Adding the subject system as a target through the iSCSI initiator service

• Choose the “Advanced” option and provide the same username and password credentials used in the F-Response Remote Configuration (Figure 1.27).

Figure 1.27 Authenticating through the iSCSI initiator to acquire the target system

• After authenticating, the subject system will appear as a target. Select the subject system from the target list (requiring re-authentication) and connect to the subject system; the connection status will be displayed in the target list (Figure 1.28).

Figure 1.28 Connecting to the subject system

• Once connected to the subject system F-Response, the subject system’s hard drive can be accessed locally on your examiner system, as shown in Figure 1.29.

Figure 1.29 Remote subject system hard drive through F-Response

• On your local analysis system, invoke RegRipper,⁶⁰ a Windows Registry data extraction and correlation tool created and maintained by Harlan Carvey. As F-Response has made the subject system drive accessible locally, RegRipper can be pointed at the target NTUSER.dat file of the subject system for data extraction (Figure 1.30).

Figure 1.30 Selecting the target NTUSER.dat from the subject system using RegRipper

• RegRipper is a Windows Registry data extraction and correlation tool written in Perl. Unlike other Registry analysis tools, RegRipper is modular and uses plug-ins to access specific Registry hive files, and in turn, to access and extract specific keys, values, and data. RegRipper accomplishes this through bypassing the Win32API.

• RegRipper’s plug-in-based architecture allows users to develop custom plug-ins, many of which are shared with the digital forensic community on the RegRipper Web site.⁶¹

• Examination of the Registry is covered in more depth in Chapter 3, in the context of a full post-mortem forensic examination of a compromised system.

• Drive-by-downloads often occur when a user with an insecure or improperly configured Web browser navigates to a compromised (or nefarious) Web site that is surreptitiously hosting malware, allowing the malware to silently be downloaded onto the victim system.

• As a result, it is always advisable to examine the subject system Web history to gain insight into whether a Web-based vector of attack caused the malicious code incident.

• Internet Explorer history files (index.dat) can be parsed with Pasco, a free multiplatform command-line utility offered by Foundstone. The results processed by Pasco are output into a field delimited text file, enabling the digital investigator to import into as spreadsheet to further analyze these data.

• In addition to Pasco, there are numerous utilities available to parse Web history artifacts associated with specific Web browsers, as described in detail in the Tool Box section of this chapter.

• Information from cookie files can be acquired using Galleta⁶² for Internet Explorer and MozillaCookiesView⁶³ for Firefox.

• Protected storage may contain passwords stored by Internet Explorer and other programs, providing the attacker with stored user credentials on the system.

• This information can be gathered with NirSoft’s GUI and CLI utility Protected Storage PassView (pspv.exe).⁶⁴

• Contents of the Firefox AutoComplete and Protected Storage areas can be extracted using the DumpAutocomplete⁶⁵ utility.

• To use this function, select the “Preview Disk” function within Nigilant32, accessible from the user console.

• After selecting this option, select the partition of the subject hard drive to explore, as displayed in Figure 1.31.

Figure 1.31 Previewing the hard drive of the subject system with Nigilant32

• The Preview Disk function uses code⁶⁸ from Brian Carrier’s forensic analysis framework, the Sleuth Kit,⁶⁹ to examine the active file system and minimize any potential modifications caused by the native Windows API.

• Use this feature on a subject computer to explore its file system, locate hidden files or folders or recently deleted content, or extract files for additional analysis.

• Double click on a folder of interest, double click on a file of interest, and review the populated file contents display panels located below the main display pane, as seen in Figure 1.32.

Figure 1.32 Examining file contents with Nigilant32

• Each display panel provides different information pertaining to the selected file.

• After discovering files of interest, you can extract the files to an external source, such as a USB ThumbDrive or external hard drive, using the Nigitlant32 “Extract File” function shown in Figure 1.33. Using this function, you can select the location and name of the suspect file you want to extract, and in turn, the location where you want to save the extracted file specimen.

Figure 1.33 Extracting our suspect file using the Nigilant32 Extract File feature

• Leveraging this functionality, you can locate and extract suspicious files and associated artifacts from a suspect system drive that is mounted locally with F-Response.

• After initiating F-Response, the subject system drive can be “seen” locally on your examination system, as shown in Figure 1.34.

Figure 1.34 Extracting suspect files using F-Response

• You can navigate the suspect drive locally to locate and extract files of interest, just as you would your local hard drive.

Practice live response techniques by using your tools in a test environment to become and remain proficient.

Attend relevant training when possible. Budget constraints, time constraints, and other factors often make it difficult to attend formal training. If you cannot attend, improvise. Attend free webinars; watch Web-based tutorials; self-study texts, whitepapers, and blogs; and attend local information security group meetings.

Stay current with tools and techniques. Live response is a burgeoning area of digital forensics; almost daily there are new tools or tool updates released, new research, and techniques discussed. Keeping tabs on what is current will likely enhance the scope of your live response knowledge base and skills.

Stay abreast of new threats. Similar to staying current with tools and techniques, the converse is just as important—staying current on malicious code trends, vulnerabilities, and vectors of attack.

Utilize online resources such as social networks and listservs. It is often difficult to find time to attend training, read a book, or attend a local information security group meeting. A great resource to stay abreast of live response tools and techniques is with social network media such as Twitter and Facebook. Joining specific lists or groups on these media can provide real-time updates on topics of interest.

Research tools that you intend to incorporate into your live response toolkit. Are they generally accepted by the forensic community? Are there known “bugs” or limitations to be aware of? Have you read all documentation for the tools?

Deploy the tools in a test environment to verify functionality and gain a clear understanding of how each tool works and how it impacts the target system it is deployed on.

Document your findings—notes regarding your tools are not only a valuable reference, but can come in handy for report writing.

Remember that your investigation may end up in a legal proceeding, whether criminal, civil, or administrative. Having to explain that you used tools during the course of your investigation that were illegally or unethically obtained can damage your credibility—and potentially your investigation—despite how accurate and thorough your analysis and work product is.

Conducting interviews of relevant parties prior to conducting live response provides you with information about the subject system, including the circumstances surrounding the incident, the context of the subject system, and intricacies about the system or network that are salient to your investigation.

The subject system is an unknown and untrustworthy environment in which the collection of volatile data can be tainted as a result of the infected system. Running tools directly from a subject system relies on the system’s operating system, which may be compromised by malware, making the acquired data unreliable.

Make sure to use a run trusted command shell/tools from an Incident Response toolkit.

Always ensure that the media you are using to acquire live response data are pristine and do not contain unrelated case data, malicious code specimens, and other artifacts from previous investigations.

Always inspect your toolkit and acquisition media prior to deployment.

Be cognizant that USB devices are common malicious code vectors—the malware you are investigating can propagate and infect your live response media by virtue of connecting to the system.

As discussed in the introduction to this book and Chapter 1, while powered on, a subject system contains critical ephemeral information that reveals the state of the system.

The purpose of live response is to gather this volatile information in a forensically sound manner so that it is not lost. Failing to follow the Order of Volatility and gathering less volatile information impacts the state of volatile data on the system (e.g., memory contents) and increases the risk of losing the data altogether. Network connections, process states, and data caches can quickly change if not acquired in timely manner.

The system date and time are essential details about the suspect system that will serve as the baseline for temporal context in your investigation.

Make sure to document the system date and time in your investigative notes in addition to acquiring the date and time through your live response toolkit.

As demonstrated in this chapter, the contents of physical memory are impacted by running live response tools on a subject system.

Acquire physical memory before conducting other live response processes in an effort to keep the memory contents as pristine as possible when acquired.

Make sure to gather as many details about the subject system as possible, giving you deep context about and surrounding the system. For instance, vital details such as system date/time and system uptime are foundational in establishing a time line surrounding the malicious code incident.

Gathering the subject system’s hostname, IP address, and other network-based identifiers is critical in examining the relational context with other systems on the network.

Conducting live response while an attacker is on the subject system will most likely alert the attacker to your investigation.

Alerting the attacker can potentially have devastating consequences to your investigation and to the subject system (and other systems on the network), such as destruction of evidence, escalation of attacks, or additional compromises to maintain inconspicuous, undiscoverable, and continual access to the system.

Conducting a “flat” or incomplete investigation into a subject system will limit your understanding about the malicious code incident, the impact on the subject system, and the nature and purpose of the attack.

Conduct a complete and thorough investigation, gathering multiple perspectives on the data so that a complete analysis can be conducted. For example, in collecting information about running processes from a subject system, simply gathering a list of running processes without more provides the digital investigator with insufficient information about the processes and their relational context to other evidence.

As discussed in the introduction to this book, one of the keys to forensic soundness is documentation.

A solid case is built on supporting documentation that reports where the evidence originated and how it was handled.

From a forensic standpoint, the acquisition process should change the original evidence as little as possible, and any changes should be documented and assessed in the context of the final analytical results.