Help on Live acquisition

7 Posts
4 Users
0 Likes
522 Views
(@hnwala)
Posts: 6
Active Member
Topic starter
 

Please I need some help on how to carry on live system acquisition.
There are 2 systems and both are on. One is connected to the network and the second one is not, but I'm not sure if they are running any process.
I don't want to lose any evidence and so wish to collect the evidence from the live machines without contaminating or destroying the evidence.

How can I do this, please?

 
Posted : 27/12/2013 12:27 am
(@sgreene2991)
Posts: 77
Trusted Member
 

What tools are you using? AccessData FTK does a pretty good job of it.

 
Posted : 27/12/2013 12:45 am
(@bithead)
Posts: 1206
Noble Member
 

What OS are the targets running?
What OS is your exam machine running?
What tools do you have?
What access do you have to the live systems?
What are you trying to find on the live targets?
etc.
etc.
etc.

So many questions, so little information provided.

 
Posted : 27/12/2013 12:57 am
(@hnwala)
Posts: 6
Active Member
Topic starter
 

@sgreene2991 thank you very much for your prompt response.
I want to use Helix and this is my first job on live acquisition.
I am very familiar with FTK but not the live acquisition aspect.

 
Posted : 27/12/2013 12:59 am
(@hnwala)
Posts: 6
Active Member
Topic starter
 

@BitHead, thanks for the tip questions. Below are my answers to your questions.
The system connected to the network is running Windows Vista.
The standalone system is running Windows XP.
The exam system is running Windows Vista.
The tool I have is the Helix Live CD.
I have access to the desktop of the Win XP system,
but the Win Vista system is passworded, no access to the desktop yet.
I want to capture RAM data (volatile data) first.
I have not done anything yet on both systems so that I don't destroy or contaminate the evidence.
I'm just waiting to see if I can get help on how to go about it first.

Thank you

 
Posted : 27/12/2013 1:37 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Copy FTK Imager Lite (from the AccessData web site) to an external USB drive (get the wallet form factor so a separate power source isn't required) and use that to capture memory and perform a live acquisition.

 
Posted : 27/12/2013 6:40 pm
(@bithead)
Posts: 1206
Noble Member
 

The system connected to the network is running Windows Vista.
The standalone system is running Windows XP.
The exam system is running Windows Vista.
The tool I have is the Helix Live CD.
I have access to the desktop of the Win XP system,
but the Win Vista system is passworded, no access to the desktop yet.
I want to capture RAM data (volatile data) first.
I have not done anything yet on both systems so that I don't destroy or contaminate the evidence.
I'm just waiting to see if I can get help on how to go about it first.

Thank you

Let's start with another couple of questions -
What do you hope to find in RAM that makes it important to capture?
Does allowing the systems to continue to run compromise more evidence than performing dead box forensics?

The Win XP box is fairly easy - if you have access to the computer and it is not connected to the network, just use any of the available tools and dump the memory to an external drive. (Some of these tools are listed on the Forensic Wiki).

The Vista box is more problematic. How do you plan to gain access? Do you have admin rights on the domain that you can gain access to run commands on the computer? Based on your answer I am going to say no. There is no magic way to image RAM without some access to the computer.

There is a saying in physics: for every action there is an equal and opposite reaction. What you have to remember in computer forensics is that inaction is also an action. What that means is that by not doing anything, your evidence is changing every second. So keep that in mind while you try to figure out live capture. Is it worth waiting?

 
Posted : 27/12/2013 6:57 pm
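The replies above boil down to one procedure: capture memory to an external drive with a tool carried on that drive, touch the live system as little as possible, and accept that the system keeps changing while you wait. A step the replies assume but do not spell out is documenting what was captured, when, and under which hash, so that a working copy of the image can later be shown to match what came off the live box. The Python script below is an added example written for this page; it is not code from any poster here and is not part of FTK Imager, Helix or AccessData's products. It is meant to run on the examination machine against an image that is already on the external drive (hashing on the target itself would only add more activity there); the examiner and tool names are placeholders, and the 3-byte sample file standing in for a memory dump is constructed for the demonstration.

```python
# Added example (not from this thread, FTK Imager or Helix): after a memory
# image has been written to the external drive, run this on the examination
# machine to hash the image, append a timestamped acquisition record, and later
# verify that a working copy still matches the original.
import hashlib
import json
import os
import shutil
import socket
import tempfile
import time

CHUNK = 1024 * 1024  # read the image in 1 MiB pieces; memory dumps can be large


def hash_file(path):
    """Stream MD5 and SHA-1 over a file without loading it all into memory."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            size += len(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "size": size}


def hash_bytes(data):
    """Same digests for an in-memory buffer (small artefacts, tests)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "size": len(data)}


def record_acquisition(image_path, log_path, examiner, tool, notes=""):
    """Hash the acquired image and append one JSON line to the acquisition log."""
    entry = {
        "utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "exam_host": socket.gethostname(),  # the machine doing the hashing, not the target
        "examiner": examiner,
        "tool": tool,
        "image": os.path.basename(image_path),
        "notes": notes,
    }
    entry.update(hash_file(image_path))
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry) + "\n")
    return entry


def verify_copy(copy_path, log_path, image_name):
    """Recompute the digests of a copy and compare with the latest logged entry for image_name."""
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    logged = next((e for e in reversed(entries) if e["image"] == image_name), None)
    if logged is None:
        return False  # nothing on record for that image name
    now = hash_file(copy_path)
    return all(now[k] == logged[k] for k in ("md5", "sha1", "size"))


def demo():
    """Constructed walk-through: a 3-byte stand-in for a memory dump, one good copy, one altered copy."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "memdump.raw")
        with open(image, "wb") as fh:
            fh.write(b"abc")  # constructed sample content, not a real dump
        log = os.path.join(workdir, "acquisition.log")
        entry = record_acquisition(image, log,
                                   examiner="EXAMINER-PLACEHOLDER",
                                   tool="MEMORY-CAPTURE-TOOL-PLACEHOLDER",
                                   notes="constructed sample for demonstration")
        good_copy = os.path.join(workdir, "memdump_copy.raw")
        shutil.copyfile(image, good_copy)
        bad_copy = os.path.join(workdir, "memdump_altered.raw")
        with open(bad_copy, "wb") as fh:
            fh.write(b"abd")  # one byte changed: the verification must fail
        return {
            "entry": entry,
            "good_copy_verified": verify_copy(good_copy, log, "memdump.raw"),
            "altered_copy_verified": verify_copy(bad_copy, log, "memdump.raw"),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two digests are recorded because the tools of that era commonly reported MD5, and a second algorithm costs nothing during a streaming read. The log is append-only JSON lines so that a second acquisition of the same machine gets its own record rather than overwriting the first, which matters when, as the last reply points out, the evidence on a running system changes between attempts.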