Hi everyone. In a forensics book I am reading, it lightly touches on EnCase EE/FIM which has the capability of performing some live forensics features.
Evidently, if one can "infect" the suspect computer with the servlet, then the examiner has access to the entire system and would be able to perform a memory dump and thus extract any encrypted volume keys that were residing in memory.
However, I am unclear on how you would accomplish this. Let's say the suspect PC was running Windows XP with one user. The volume is encrypted but currently running (unencrypted with keys in memory), and the screen is locked. How are you going to get the servlet on the system to perform a memory dump? Also, won't a tiny program like a servlet sound off all sorts of alarms on just about any system running anti-virus software? We're talking about software that has complete access to everything on the computer and can funnel data about everything right over the Internet.
Correct me if I am wrong, but it seems that the only way to try and get anything off that kind of system would be to perform a cold boot attack. Unless there's something I am missing here.
Why do you want to know?
Are you a good guy or a bad guy?
If you are a good guy (which I assume you are), why would I post anything about this for all the bad guys to see?
If you want to ask questions about EE/FIM like this, then go on the course and ask away to your heart's content.
Sorry to be so unhelpful… (
Paul
Hello.
- I want to know because I am curious.
- I am a good guy.
- It hadn't occurred to me that this was top secret knowledge to keep away from bad guys, as a bad guy could just as easily learn what I can learn.
- Go on what course?
If you're feeling helpful and do know the answers to my questions, please PM me so as to keep it from public view. )
-Samuel
You need to separate how the servlet accesses data from how you get the servlet installed.
The servlet exposes both physical devices and logical volumes. Volume encryption products tie into the kernel as filter drivers, providing sector-based decryption. EnCase makes its requests to volumes through these drivers, so the sectors are decrypted automatically. Hence, volume encryption is typically a non-issue. Looking at the physical device when encryption is in play will get you the raw encrypted sectors (and the partition table and whatnot).
Memory access depends on the servlet being installed correctly and with the proper permissions, and support for the host OS. I'm not sure exactly how the servlet grabs RAM (I'm not much of a low-level Windows guy), but I wouldn't be surprised if it's enabled, in part, by a custom driver.
You can install the servlet the same way you'd install any other software on your enterprise network.
Jon
Thanks for the info, Jon.
I forgot that it would be a simple matter of circumventing the encryption if you could get access to the logical "drive."
Given that, then, my question is – how would you get the servlet installed? What if it's not on an "enterprise network" but just a regular network? How do you install software to a remote machine on an enterprise network, anyway??
Not sure what you mean by "regular" network. Installation varies depending on the operating systems, authentication systems, and deployment software in play.
Most intranets will be running Windows and use Active Directory. The Administrator account therefore has rights to run anything on any computer. The installer runs from the command-line, so there are lots of ways for a Windows admin to make this happen on any given target system. psexec works as well as anything.
There was also an EnScript that can push Windows servlets via WMI (not sure what its current status is). This, too, requires admin credentials.
On Unix, I've found centralized authentication to be somewhat less common, but I've always found that Unix sysadmins will have a way.
Other than the WMI EnScript, EnCase Enterprise doesn't have any sort of remote installation software. It's up to you to authenticate to the system in question and run the servlet installer on it.
Jon
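Jon's post notes that the servlet gets onto a target the way any admin tool does, for instance via psexec or a WMI push with admin credentials. As an added example that is not from this thread and not EnCase's own code, here is the defender's side of that: a small Python check over constructed Windows System log lines (the Key=Value layout is an assumed export format, not a real log) that flags Event ID 7045 service installations looking like a remote push, such as the PSEXESVC service psexec registers or a service binary loaded from a UNC share.

```python
import re
from typing import Dict, List

# Constructed sample lines approximating an exported Windows System log
# (Event ID 7045, Service Control Manager: "A service was installed in
# the system"). Made-up data for this example, not real evidence.
SAMPLE_LOG = """\
2010-03-02 09:14:51 EventID=7045 Source=Service Control Manager ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe Account=LocalSystem
2010-03-02 09:15:03 EventID=7036 Source=Service Control Manager ServiceName=PSEXESVC State=running
2010-03-02 09:20:10 EventID=7045 Source=Service Control Manager ServiceName=Backup Agent ImagePath=C:\\Program Files\\Backup\\agent.exe Account=LocalSystem
2010-03-02 09:22:44 EventID=7045 Source=Service Control Manager ServiceName=tmpsvc ImagePath=\\\\fileserver\\share\\tool.exe Account=LocalSystem
"""

# PSEXESVC is the service name psexec registers on the target; extend the
# set from your own inventory of remote-execution tooling.
KNOWN_REMOTE_EXEC_SERVICES = {"psexesvc"}

# Key=Value pairs; values may contain spaces, so stop only before " Key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_line(line: str) -> Dict[str, str]:
    """Split one log line into a timestamp plus its Key=Value fields."""
    ts, _, rest = line.partition(" EventID=")
    fields = dict(FIELD_RE.findall("EventID=" + rest))
    fields["Timestamp"] = ts
    return fields

def classify(event: Dict[str, str]) -> str:
    """Return why a 7045 event looks like a remote push, or '' if it does not."""
    if event.get("EventID") != "7045":
        return ""
    name = event.get("ServiceName", "").lower()
    image = event.get("ImagePath", "")
    if name in KNOWN_REMOTE_EXEC_SERVICES:
        return "known remote-execution service name"
    if image.startswith("\\\\"):
        return "service binary loaded from a UNC path"
    return ""

def find_remote_installs(log_text: str) -> List[Dict[str, str]]:
    """Walk the log and return flagged service installs with a 'Reason' field."""
    hits = []
    for line in log_text.strip().splitlines():
        event = parse_line(line)
        reason = classify(event)
        if reason:
            event["Reason"] = reason
            hits.append(event)
    return hits
```

On a real system the same two rules apply to the System event log's 7045 entries; the benign "Backup Agent" install in the sample is deliberately left unflagged to show the filter is not just "any new service".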
Jon,
A "regular" network to me would be a simple chain of computers with Class C IP addresses connected to the Internet via a router-firewall, like Linksys, D-Link or the like. Wouldn't you agree?
Why would "most" Windows systems be using Active Directory? At my office we're using XP and 7 and a couple of Vista stations. I'm the admin, and I've never used MS' Active Directory. I assume it isn't enabled by default…
psexec seems like the thing you'd wanna use, but like you said, all that stuff requires administrative credentials.
I'm wondering, what happens if you come across a Windows (XP/Vista/7) system that is connected to the Internet, but is locked off and NOBODY (including the admin!) has the credentials. How are you gonna get the servlet on that machine? How are you gonna get the encryption keys? How are you going to get *anything* off that machine before powering it down?
Sounds like you'd be pretty S.O.L. if I'm not mistaken.
A "regular" network to me would be a simple chain of computers with Class C IP addresses connected to the Internet via a router-firewall, like Linksys, D-Link or the like. Wouldn't you agree?
No, not in the context of enterprise forensics software. In that context, I tend to think that "network" => WAN/LAN. What you seem to mean is "The Internet".
Why would "most" Windows systems be using Active Directory? At my office we're using XP and 7 and a couple of Vista stations. I'm the admin, and I've never used MS' Active Directory. I assume it isn't enabled by default…
Most networks I've dealt with involving EnCase Enterprise (quite a few, and certainly forming a representative sample) use Active Directory.
psexec seems like the thing you'd wanna use, but like you said, all that stuff requires administrative credentials.
I'm wondering, what happens if you come across a Windows (XP/Vista/7) system that is connected to the Internet, but is locked off and NOBODY (including the admin!) has the credentials. How are you gonna get the servlet on that machine? How are you gonna get the encryption keys? How are you going to get *anything* off that machine before powering it down?
Sounds like you'd be pretty S.O.L. if I'm not mistaken.
Yep. Installation of an executable without proper authentication tends to be considered illegal (also, rude), so there's nothing in EnCase Enterprise to facilitate that. Centralized authentication, a la Active Directory or some other mechanism, makes this kind of thing a lot easier.
Jon
This becomes quite tricky when monitoring tech savvy staff.
Most techies, especially those who have more expertise beyond GUI-driven applications, recognize and balk at something sneaked in.
That said, I have found that most larger corporations have tools already deployed to monitor activities, in various ways.
Sometimes it is Symantec Desktop Enterprise, Systems Management Server, BigFix, Microsoft Configuration Manager, or other similar applications that can provide ample information either to monitor or to inject a monitoring tool without any alarms raised.
Thanks for the insight, guys.
I'm talking about a house or a small business, here. Not a big corporation. I have no experience with large businesses, but it would seem pretty obvious that a large business would be monitoring (or capable of monitoring) your activities. I can't help but wonder why anyone would do anything illegal via their corporate computer?
In any event, assuming you come across a home computer, running Windows XP with a locked screen yet w/ mounted encrypted volumes, how are you gonna get anything off that system without resorting to something like a
Is it possible to, say, plug in a crossover network cable into the LAN card of that system & capture any outgoing data attempts? Or to even *send* data to the system via the LAN? Or possibly install a servlet-type executable via auto-executing USB device? Would something like that even run with the screen locked?