Hi all,
I have a machine which will normally be used with domain user name and credentials…
If I have to take an image of such a machine (which is off the network now and the password cannot be shared), how do I do it?
Currently what I have done is asked the user to create a local user with password and asked the user to share the same.
I'm sure that this is not the best practice because the virtual memory will be overwritten (it's a guess). Please comment.
And let me know the better ways to take image of such machines…
Thanks in advance
Sudha
If I have to take an image of such a machine (which is off the network now and the password cannot be shared), how do I do it?
Currently what I have done is asked the user to create a local user with password and asked the user to share the same.
"Best" is always predicated by your goals and requirements.
For forensic analysis purposes, it's always best to remove the drive (if possible), hook it up to a write-blocker, and acquire an image that way. However, often due to business or operational needs, this is not always possible, and some other means needs to be employed. Often a live image can be acquired…as long as it's thoroughly documented, what's the issue?
I'm sure that this is not the best practice because the virtual memory will be overwritten (it's a guess)
Again, "best" is relative. If this is part of your procedure, so be it. Personally, I would not do this…creating an account modifies the contents of the SAM Registry hive, possibly over-writing pertinent information in hive file slack space. You then have to log out and log back in using that account, meaning that some running processes may be terminated. Then when you log back in, Windows (if that is the OS you're referring to here) creates a profile, as well as adds entries to the Software hive file.
However, if this is part of your documented process, then it's "best" until that process is changed.
If you can't remove the drive, as Harlan suggested, can you reboot the system or have it rebooted? If so, why not use something like Helix with a crossover cable?
If the incident machine is a normal desktop then we can unplug the hard disk and acquire an image. But if the incident machine is a laptop then it's better to use the Helix CD.
But for both types of machine it requires a reboot… is there any method or setting which I might have to enable on the incident machine which can save the data in virtual memory?
If the incident machine is a normal desktop then we can unplug the hard disk and acquire an image. But if the incident machine is a laptop then it's better to use the Helix CD.
Whether laptop or desktop, I find that the fastest way to make an image is to remove the hard drive and acquire it. Servers that are using RAID are often best with Helix or another boot disk, only to avoid the hassle of putting the RAID back together.
But for both types of machine it requires a reboot… is there any method or setting which I might have to enable on the incident machine which can save the data in virtual memory?
You do not have to reboot the machine to image, just shut it down. Virtual memory is saved in the pagefile but that is constantly changing regardless of whether you shut it down or not. If you are interested in capturing that data before shutting down, a tool such as ProDiscover IR can perform that task.
If the incident machine is a normal desktop then we can unplug the hard disk and acquire an image. But if the incident machine is a laptop then it's better to use the Helix CD.
I agree w/ Greg…
You do not have to reboot the machine to image, just shut it down. Virtual memory is saved in the pagefile but that is constantly changing regardless of whether you shut it down or not. If you are interested in capturing that data before shutting down, a tool such as ProDiscover IR can perform that task.
Not all of the contents of RAM are written to the pagefile; you would need to use a tool such as MDD, winen, win32dd, or FastDump to acquire the contents of physical memory…if XP, you can use Nigilant32. Remotely, you can use ProDiscover or better yet, F-Response.
You do not have to reboot the machine to image, just shut it down. Virtual memory is saved in the pagefile but that is constantly changing regardless of whether you shut it down or not. If you are interested in capturing that data before shutting down, a tool such as ProDiscover IR can perform that task.
Not all of the contents of RAM are written to the pagefile; you would need to use a tool such as MDD, winen, win32dd, or FastDump to acquire the contents of physical memory…if XP, you can use Nigilant32. Remotely, you can use ProDiscover or better yet, F-Response.
Good point. Virtual memory is actually the conglomeration of the pagefile and physical memory as well as giving an application the impression that the memory is contiguous.
Right, but that virtual memory is specific to the application, and doesn't include the kernel objects that track things such as the list of processes, ports, etc.
OK.
So depending on the sequence of the incident I will have to choose the appropriate tool to take the backup of the physical or virtual memory.
Then shut down the machine, unplug the hard disk and acquire the image of the same.
It means that I will have to modify the standard procedure.
Thanks a lot for the help.
Sudha, it all depends on the investigation and what it pertains to, but if you're going to get virtual memory etc., then use Helix to do everything including the imaging, as you could write to a USB type hard drive; obviously this is not going to be as forensically rigid as it would have been if the drive had been removed.
While you're doing the memory you could get things like the process list, the application list etc. as others have mentioned.
I would take a look at the actual case and on its merits decide on what information is required. For example, if the case is related to a compromise of the system then the more live data you can get the better; if it's a case regarding emailing of images or misuse of the internet then I would consider just imaging the hard drive (I'm not trying to teach you to suck eggs here) - just throwing a few ideas in the proverbial pot.
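As an added example (not code from anyone in this thread), here is the documented acquisition step that several replies describe: image the drive with dd from a live boot environment such as Helix, hash the source and the image, and record the result in an acquisition log. It assumes a GNU/Linux environment with coreutils and that the source is only ever opened read-only; the file paths and log format are my own.

```shell
# Added example, not from the thread: raw dd acquisition with hash verification
# and an appended log record. Assumes GNU/Linux coreutils (dd, sha256sum).

hash_file() {
    # sha256sum ships with coreutils; shasum is the BSD/macOS fallback
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SOURCE IMAGE LOG
# Prints "verified" or "MISMATCH"; returns non-zero on mismatch or dd failure.
acquire_image() {
    src=$1; img=$2; log=$3
    # bs=512 matches the sector size, so conv=sync only pads an unreadable
    # sector, never the tail of the image; noerror keeps dd going past bad sectors.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_file "$src")
    img_hash=$(hash_file "$img")
    if [ "$src_hash" = "$img_hash" ]; then result=verified; else result=MISMATCH; fi
    # One line per acquisition: when, what, both hashes, outcome.
    printf '%s source=%s image=%s sha256_source=%s sha256_image=%s result=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" "$result" \
        >>"$log"
    echo "$result"
    [ "$result" = verified ]
}

# Constructed sample run: a 1 MiB random file stands in for the evidence drive.
WORK=$(mktemp -d)
head -c 1048576 /dev/urandom >"$WORK/evidence.bin"
acquire_image "$WORK/evidence.bin" "$WORK/evidence.dd" "$WORK/acquisition.log"
```

On a real drive the source would be the block device (for example a disk seen by the Helix boot) and the image and log would go to the external USB drive mentioned above.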