Forensics on Live Servers
Post Posted: Mon Feb 11, 2013 12:01 am

Okay, so let's say you've been asked to apply forensics on a working server.

How do you take an image? (Software - Hardware)?
And how do you perform the analysis?
How do you extract logs?
Considering points?

Without manipulating the server's performance.  

CopyRight
Senior Member
 
 
  

Re: Forensics on Live Servers

Post Posted: Mon Feb 11, 2013 3:19 am

What type of server is it?

What platform? Single physical, virtual or part of a cluster?

Where is the target data? Locally stored, or via a network share?

What do you hope to gain from analysis (i.e. why are you looking at that server?) ?  

alastairfay
Member
 
 
  

Re: Forensics on Live Servers

Post Posted: Mon Feb 11, 2013 3:35 am

FTK Imager Lite is a great tool for imaging a physical server live. It runs on most, if not all, flavours of Windows.

I have had a couple of clients in the past that monitored the disk I/O, network traffic etc. on the physical server I was imaging and it did not adversely affect the performance (this was on an Exchange server). They were so paranoid that I almost had to have my finger on the "cancel" button for the whole duration of the copying!

It is also the most convenient way of imaging if the server is set up with a RAID array.

If you only require the server logs, then you can also use FTK Imager Lite to conduct selective imaging for certain files and/or folders. I've used this in the past to only extract IIS logs, or Event Logs etc.

A point worth considering is: be very careful of everything you do. Take notes and photograph/screenshot everything you do.

...and if it is a virtual server? Well, then just suspend/clone it and off you go!

chrism
Senior Member
 
 
  

Re: Forensics on Live Servers

Post Posted: Mon Feb 11, 2013 10:22 am

F-Response.

I use the field kit edition, which is surprisingly cheap.

You run a little program on the server then connect to that computer using your own computer with the standard iSCSI Initiator. This gives you read-only low level access to any storage connected to that server.

I then use EnCase to image the server -- usually a logical image of a target folder, but a full physical image is possible.

How much this impacts the performance of the server is entirely dependent on what you try to pull down over the network. If you take a full physical image of a drive, expect that to degrade performance. If you take smaller pieces, then performance will be less affected.

It's impossible to give the server additional work to do without affecting performance at all. The question really is how much spare capacity the computer has; plan to not exceed that capacity with your work. You could even connect through a 100 Mbit switch instead of 1 Gbps. That would severely limit your impact on the server (and make your acquisition time much longer).

www.f-response.com/ind...&Itemid=83  

Bulldawg
Senior Member
 
 
  

Re: Forensics on Live Servers

Post Posted: Mon Feb 11, 2013 11:11 am

- CopyRight
Okay, so let's say you've been asked to apply forensics on a working server.

How do you take an image? (Software - Hardware)?


Depends on a lot of things.

First, I'll assume that by "working", you mean that it has to be imaged live; that is, without shutting it off and extracting the physical hard drives.

Given this, there are a lot of things to take into consideration:
- how old is the system?
- what OS and version is it running?
- what type of connections does it have?
- what type of access do you have to the system?

In most cases, when I was on the ISS ERS team, we would put FTK Imager Lite on a CD or on an ext HDD, and plug it into the system, *IF* it had at least USB 2.0 connections/drivers. If it only had USB 1.0, or it didn't have any USB connections at all, we'd look to the network. You can map a drive from a system on the same subnet that has the appropriate connection, or you can plug the ext HDD into the system, and map that volume. Depending upon the circumstances, you may need to (if you can) isolate the VLAN or something similar. For systems that have had to be disconnected from the network, you may consider plugging them into a small, 4-port hub, and doing something similar.

Of course, you need to document everything.

- CopyRight

And how do you perform the analysis?
How do you extract logs?


Once you have the image, the same way you would acquire anything else.

- CopyRight

Considering points?

Without manipulating the server's performance.


If you're trying to acquire an image from a system that is still running, there are no guarantees as to the impact on performance. You can try to minimize this, but that's about as far as you can go.  

keydet89
Senior Member
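Bulldawg's point that the only real lever is not exceeding the server's spare capacity, and the "document everything" advice from chrism and keydet89, as an added example (not FTK Imager, EnCase or F-Response code): a rate-capped acquisition that hashes the stream as it is copied and writes an acquisition record beside the image. The source path, the rate cap and the manifest layout are assumptions for illustration.

```python
# Added example (not FTK Imager, EnCase or F-Response code): rate-capped live
# acquisition of a file or raw device, hashing the stream and logging the run.
import hashlib
import json
import socket
import time
from datetime import datetime, timezone


def acquire(source, dest, max_bytes_per_sec, chunk_size=1024 * 1024, operator="examiner"):
    """Copy source to dest in chunks, pausing so the average read rate stays at or
    below max_bytes_per_sec (the spare capacity you decided the server can give
    up). Writes dest + '.manifest.json' and returns the manifest dict."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    total, t0 = 0, time.monotonic()
    started_utc = datetime.now(timezone.utc).isoformat()
    with open(source, "rb") as src, open(dest, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            dst.write(chunk)
            md5.update(chunk)
            sha256.update(chunk)
            total += len(chunk)
            # Pacing: if we are ahead of the byte budget for the time elapsed, sleep.
            ahead = total / max_bytes_per_sec - (time.monotonic() - t0)
            if ahead > 0:
                time.sleep(ahead)
    manifest = {
        "source": source, "destination": dest, "host": socket.gethostname(),
        "operator": operator, "started_utc": started_utc,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
        "bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
        "max_bytes_per_sec": max_bytes_per_sec,
    }
    with open(dest + ".manifest.json", "w") as log:  # the acquisition record
        json.dump(manifest, log, indent=2)
    return manifest


def verify(dest, manifest):
    """Re-hash the written image against the manifest before the copy leaves your
    hands; a mismatch means the acquisition has to be redone."""
    sha256 = hashlib.sha256()
    with open(dest, "rb") as f:
        for chunk in iter(lambda: f.read(1024 * 1024), b""):
            sha256.update(chunk)
    return sha256.hexdigest() == manifest["sha256"]
```

On a real server the source would be a log file pulled selectively, or the raw device exposed read-only over iSCSI as Bulldawg describes; the cap is what you set after working out what the box can spare.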
 
 
  

Re: Forensics on Live Servers

Post Posted: Mon Feb 11, 2013 11:39 pm

You're the best guys, the way you interact is awesome.

In this case, it's a Windows Server 2008 (Active Directory system) in a fairly medium-size organization. There have been claims that the AD server is replicated, spoofed or by other means hijacked by someone.

As an incident response action, am I suggested to take an entire image of the Active Directory?
Certain files? Certain logs? What do you think is most important in this case?

And normally, whilst performing acquisition on servers, what are the important regs and logs that are mandatory to have a look at as a first glimpse?

Thanks!  

CopyRight
Senior Member
 
 
  

Re: Forensics on Live Servers

Post Posted: Tue Feb 12, 2013 2:56 am

By "Active Directory System" do you mean it's a Domain Controller, or Member Server?

If it's a DC, then it will have other DCs in sync with it - for failover.

More importantly, the entire AD tree will be replicated to other DCs in the same domain (and possibly forest, depending on the topology). So any changes to the "target" server's AD configuration will have been replicated to the others.

We're a small organisation - 30 people - and I run 2 DCs (one physical - 'dc1', and one low-spec virtual - 'dc2') - in case anything happens to either server, the Windows network carries on working smoothly... just a bit slower.

Why do they think the server has been spoofed/replicated/hijacked?  

alastairfay
Member
 
 