Live Forensics


Are you alive?

Gordon Mitchell

Future Focus, Inc.

aka bug-killer, eSleuth, …

Shocking news

Federal judges now briefed on need for live forensics

Defense may object to your leaving out 2GB of evidence (RAM)

It may never be possible to find the important issues without live forensics.

Ovie Carroll, DOJ, at SANS Summit:
– Current forensics does not scale
– Defense may ask about RAM
– Need to collect even if it is not analyzed
– Always need to focus on user attribution
– User attribution must be in search warrant

Don’t pull the plug

– Get status of network
– Check all running processes
– List the users, shares, …
– Grab RAM

My info sources
– Harlan Carvey’s book – a great resource
– SANS Summit – the future of forensics
– Software vendors
  – X-Ways Forensics (good forensics analysis)
  – F-Response (remote connection to HD & RAM)
  – Sysinternals (superb for Windows diagnostics)
  – Mandiant (PC profiling)
  – HBGary (impressive RAM parsing & analysis)

Sysinternals

Prevent popup EULA

Batch file of commands
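The "Don’t pull the plug" checklist (network state, processes, users, shares, RAM) and the Sysinternals batch-file slides describe one procedure: run a fixed list of commands on the live machine, most volatile data first, and keep a record of what was run. The script below is an added example, not from the presentation or from Sysinternals; it runs such a list, stores each output, and writes an evidence log with a timestamp, exit code and SHA-256 per command. The command list is a constructed sample that assumes the Sysinternals tools are on PATH (they accept -accepteula, which is what keeps the EULA dialog from blocking an unattended run); the RAM capture entry is a labelled placeholder for whichever dumper is in the kit (the slides name mdd.exe).

```python
"""Live-response collector: runs commands in order of volatility, saves each
output, and logs timestamp / exit code / SHA-256 so the collection itself is
documented. Added example, not from the presentation; the command list is a
constructed sample."""
import hashlib
import json
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Most volatile first: network state, processes, sessions; disk-resident last.
# Sysinternals tools take -accepteula so no EULA popup stalls the batch.
COMMANDS = [
    ["netstat", "-ano"],                  # live connections with owning PIDs
    ["pslist", "-accepteula", "-t"],      # process tree (Sysinternals)
    ["psloggedon", "-accepteula"],        # who is logged on (Sysinternals)
    ["net", "share"],                     # shared folders
    ["net", "user"],                      # local accounts
    ["RAM_DUMP_TOOL_PLACEHOLDER", "ram.dd"],  # placeholder: substitute the RAM dumper in use
]

def run_command(argv):
    """Run one command; return (exit_code, combined output bytes).
    A tool missing from the kit is recorded as exit code -1 instead of
    aborting the run, because that gap is itself worth logging."""
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=120)
        return proc.returncode, proc.stdout + proc.stderr
    except FileNotFoundError:
        return -1, b"tool not found on PATH"
    except subprocess.TimeoutExpired:
        return -2, b"timed out"

def collect(commands, runner=run_command, outdir=None):
    """Execute commands in order; return one evidence record per command.
    When outdir is given, raw output is written there as NN_tool.txt."""
    records = []
    for n, argv in enumerate(commands, 1):
        started = datetime.now(timezone.utc).isoformat(timespec="seconds")
        code, output = runner(argv)
        rec = {
            "seq": n,
            "command": " ".join(argv),
            "started": started,
            "exit_code": code,
            "bytes": len(output),
            "sha256": hashlib.sha256(output).hexdigest(),
        }
        if outdir is not None:
            path = Path(outdir) / f"{n:02d}_{Path(argv[0]).stem}.txt"
            path.write_bytes(output)
            rec["file"] = str(path)
        records.append(rec)
    return records

def write_log(records, path):
    """Write the evidence log as JSON lines; return the record count."""
    with open(path, "w", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")
    return len(records)

if __name__ == "__main__":
    Path("live_response").mkdir(exist_ok=True)
    recs = collect(COMMANDS, outdir="live_response")
    write_log(recs, "live_response/evidence_log.jsonl")
    for r in recs:
        print(f'{r["exit_code"]:>3}  {r["sha256"][:16]}  {r["command"]}')
```

Hashing each output at collection time is what lets the batch stand up later: the log shows what ran, when, and whether it succeeded, and the digest ties each saved file back to that run.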

Fuzzy hashing – finds almost-same files, finds alterations, partial files
– ssdeep -r <files> (to generate)
– ssdeep -m file_of_hashes [options] (to compare)
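Why ssdeep finds almost-same files where an MD5 cannot: it is a context-triggered piecewise hash, so piece boundaries come from the content itself and an edit in the middle of a file changes only the pieces it touches. The script below is an added example of that idea, not from the presentation or from the ssdeep project; it uses a fixed block size where ssdeep derives one from the file length, scores with difflib's ratio rather than ssdeep's own edit-distance scale, and the three sample "files" are constructed pseudo-random byte strings.

```python
"""Toy context-triggered piecewise hash (the idea behind ssdeep). Added
example, not the presentation's or ssdeep's code; block size is fixed and
the sample inputs are constructed."""
import difflib
import random

WINDOW = 7          # bytes covered by the rolling hash
BLOCK_SIZE = 16     # average piece length; real ssdeep picks this from file size
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193

def rolling_hash(window):
    """Hash that depends only on the last WINDOW bytes, so piece boundaries
    are content-defined and re-align after an insertion or deletion."""
    h = 0
    for b in window:
        h = (h * 33 + b) & 0xFFFFFFFF
    return h

def piecewise_hash(data, block_size):
    """One signature character per content-defined piece of data."""
    out, piece_hash = [], FNV_OFFSET
    for i in range(len(data)):
        piece_hash = ((piece_hash ^ data[i]) * FNV_PRIME) & 0xFFFFFFFF  # FNV-1a over the piece
        window = data[max(0, i - WINDOW + 1): i + 1]
        if rolling_hash(window) % block_size == block_size - 1:         # trigger: close the piece
            out.append(ALPHABET[piece_hash & 63])
            piece_hash = FNV_OFFSET
    if piece_hash != FNV_OFFSET:   # tail piece after the last trigger
        out.append(ALPHABET[piece_hash & 63])
    return "".join(out)

def fuzzy_hash(data):
    """ssdeep-style layout: blocksize:signature:signature_at_double_blocksize."""
    return f"{BLOCK_SIZE}:{piecewise_hash(data, BLOCK_SIZE)}:{piecewise_hash(data, 2 * BLOCK_SIZE)}"

def compare(sig_a, sig_b):
    """Similarity in [0, 1]: best sequence-match ratio over the two parts."""
    _, a1, a2 = sig_a.split(":")
    _, b1, b2 = sig_b.split(":")
    return max(difflib.SequenceMatcher(None, a1, b1).ratio(),
               difflib.SequenceMatcher(None, a2, b2).ratio())

def sample_bytes(seed, n):
    """Constructed deterministic sample file content (not real data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

ORIGINAL = sample_bytes(1, 1000)
ALTERED = ORIGINAL[:500] + b"<inserted by hand>" + ORIGINAL[500:]   # same file, one edit
UNRELATED = sample_bytes(2, 1000)

if __name__ == "__main__":
    sig = fuzzy_hash(ORIGINAL)
    print("original :", sig)
    print("altered  :", fuzzy_hash(ALTERED), "similarity", round(compare(sig, fuzzy_hash(ALTERED)), 2))
    print("unrelated:", fuzzy_hash(UNRELATED), "similarity", round(compare(sig, fuzzy_hash(UNRELATED)), 2))
```

An insertion in the middle shifts every later byte, which would break any fixed-offset block hash; because the trigger here looks only at the last seven bytes, the pieces after the edit fall on the same content boundaries and the signatures stay aligned, which is the property that lets ssdeep -m flag a modified copy of a known file.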

Active Registry Monitor, arm_db.rgf, $40 (only runs thru XP)
– allows registry diff, run before and after installation
InCtrl5, $7 (only runs thru W2K)
– application installer analyzer
– keeps track of what changes happen on install
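What both of those tools do is a before/after registry diff. The script below is an added example of the same comparison done on two Registry Editor exports (.reg text), not from the presentation, ARM or InCtrl5; it reports keys and values added, removed or changed between the snapshots, and joins the backslash-continued hex lines a .reg export uses. Both snapshots are constructed samples (the hex blob is a fragment, not a real ImagePath value).

```python
"""Diff two Windows registry exports taken before and after an install.
Added example, not from the presentation; snapshots are constructed."""
import re

def parse_reg(text):
    """Return {key_path: {value_name: value_data}} from .reg export text.
    Continuation lines (a trailing backslash) are joined before parsing."""
    keys, current = {}, None
    joined = re.sub(r"\\\r?\n\s*", "", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})    # a key with no values still counts
            continue
        if current is None or "=" not in line:
            continue
        name, _, data = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = data.strip()
    return keys

def diff_reg(before, after):
    """Compare two parsed snapshots; return lists of changes by kind."""
    out = {"keys_added": [], "keys_removed": [], "values_added": [],
           "values_removed": [], "values_changed": []}
    for key in sorted(set(before) | set(after)):
        if key not in before:
            out["keys_added"].append(key)
            for name, data in after[key].items():
                out["values_added"].append((key, name, data))
            continue
        if key not in after:
            out["keys_removed"].append(key)
            continue
        b, a = before[key], after[key]
        for name in sorted(set(b) | set(a)):
            if name not in b:
                out["values_added"].append((key, name, a[name]))
            elif name not in a:
                out["values_removed"].append((key, name, b[name]))
            elif a[name] != b[name]:
                out["values_changed"].append((key, name, b[name], a[name]))
    return out

# Constructed snapshots: "before" and "after" installing a fictional ExampleApp.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp]
"Version"="1.0"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Updater"="C:\\Program Files\\ExampleApp\\updater.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleCorp]
"Version"="2.0"
"InstallPath"="C:\\Program Files\\ExampleApp"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"=hex(2):43,00,3a,00,5c,00,\
  00,00
"Start"=dword:00000002
"""

if __name__ == "__main__":
    changes = diff_reg(parse_reg(BEFORE), parse_reg(AFTER))
    for kind, items in changes.items():
        for item in items:
            print(f"{kind:15} {item}")
```

The Run key and Services entries are the ones to read first in such a diff: a new Run value or a new service set to auto-start (Start = 2) is how an installer arranges to execute at boot, whether or not the user asked for that.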

mdd.exe, from ManTech (no good on Vista)
Volatility, Voltage, etc. from Aaron Walters

See Windows Forensic Analysis by Harlan Carvey

di (physical disk info)
ldi (logical disk info)
sr (restore point settings from XP, no harm in Vista)
lsproc (gets processes from memory)
lspd (file name and offset from lsproc file to get process details)

Free tools from Mandiant

Command line tools for minimal impact on target system

Grab important info on machine condition
Can collect for later comparison
Console lets results from individual systems be compared

Mandiant

Collecting RAM -- a demo in Vista!

Target machine
– Start F-Response client

Analysis machine
– Start X-Ways Forensics (recent version)
– Set up iSCSI initiator
– Add medium to case
– Search or save

Tools from HBGary

Analyze RAM
Suspect stuff is identified
$3500 basic GUI version – It really works!

New news – it’s not all on the hard drive

Thanks for coming... (888) eSleuth www.eSleuth.com
