Encryption keys in memory

mgilhespy
(@mgilhespy)
Estimable Member
Joined: 16 years ago
Posts: 102
 

I understand you are considering a standalone machine (as opposed to an AD-domain-based machine).
Is the local administrator account active (or any account in the local administrator group), and do you have the password?

…edit - I just re-read the thread and noted the comment that NOBODY has any administrative credentials.

That does leave me wondering how one would find oneself with the mandate to access the machine without having any administrative control over it - but still, perhaps the logged-on user is an admin who has deliberately disabled your admin account to lock you out, and you do in fact have a mandate to examine the contents of the logged-on user's session. It seems like the way forward is via such information as shared by the remote exploit group.


   
ReplyQuote
(@mistermister)
Active Member
Joined: 18 years ago
Posts: 18
 

I think there is a lot of confusion here.

You really have to differentiate between the corporate environment and a home user.

If you are just interested to know, then you are going about it from the wrong angle.

Outside of the corporate environment, what you are talking about is both against forensic principles and potentially illegal.

Inside the corporate environment you should have the permissions to do most things and it is legal, so most of what you are asking is by the by.


   
ReplyQuote
mgilhespy
(@mgilhespy)
Estimable Member
Joined: 16 years ago
Posts: 102
 

I think the questions the OP posted are valid - not in the context of a single home user, but perhaps in the case of a SOHO business with a few networked PCs in a workgroup. The person mandated to do the investigation has the authorization to do so, but is working without the usual assistance provided by the various factors of a setup more common in the corporate environment.


   
ReplyQuote
Samuel1
(@samuel1)
Trusted Member
Joined: 14 years ago
Posts: 63
Topic starter

Thank you, mgilhespy.

I never mentioned the enterprise. I only mentioned Encase EE/FIM because those are the only versions that support *live* forensics, and this forum subset is dedicated towards live forensics.

It's not illegal if you have proper authority to seize the computer. So, let's say you get a court order/search warrant with an affidavit that states that the suspect states that their system is encrypted, online, and they say "you'll never get anything off it 'cuz it's encrypted." So, the police burst into the home and wait for you to arrive.

You arrive, the system is locked. The suspect is not cooperating. What are you, the forensics expert, to do? Stand there and look like an idiot, or proceed with a cold boot attack? The police and DA are expecting miracles from you, obviously.

Those would be my only two options it seems. Thanks again for everyone's input!


   
ReplyQuote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

If you are truly out of options, you could use Metasploit to gain access to their system and drop a servlet on it. Once the servlet is running, use EE/FIM to collect RAM.

You'll be having a significant impact on the system but if it is your only option, and if you document what you're doing and its impact, it may be viable.

There's the FireWire attack, but I've never been able to get it to work reliably.

-David


   
ReplyQuote
mgilhespy
(@mgilhespy)
Estimable Member
Joined: 16 years ago
Posts: 102
 

Samuel, I don't know anything about US law, but in the UK in the specific situation you just described above, the police can demand the subject hand over the password (under an act called RIPA) - it's an offence to refuse. The question here is, is the jail term for the RIPA refusal less than the jail term you would have got if the contents of your drive were found out…

Recent example case
RIPA in the news

Kovar, were you referring to Adam Boileau's method?


   
ReplyQuote
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

There are a few theoretical methods by which you could gain access, especially on XP.

Have you looked into the memory dump using FireWire on XP? FireWire uses DMA, ergo it bypasses the CPU and OS . . .

This is old news ('05), but many machines, especially XP, are still susceptible to this type of attack.
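
The step that follows a FireWire/DMA or cold boot dump, as an added example that is not from any poster in this thread: once you hold a raw RAM image, a 16-byte AES-128 key is indistinguishable from noise on its own, but the 176-byte expanded key schedule that a software AES implementation keeps beside it is a pure function of those 16 bytes. The scanner below expands every 16-byte window and reports the offsets whose following 160 bytes match, which is the idea behind tools such as aeskeyfind. The memory image is constructed inline (seeded pseudo-random filler with one schedule planted in it), and the key and offset are assumed values chosen for the demonstration, not taken from any real system.

```python
"""Scan a raw memory image for AES-128 keys by locating expanded key schedules.

Added example, not code from the thread. A cold boot or FireWire/DMA dump gives
raw RAM; this is the post-processing that turns it into key material. Software
AES keeps the 11 round keys (176 bytes) in memory, and those bytes are derived
from the first 16, so a candidate window is confirmed by re-deriving the
schedule and comparing.
"""
import random


def _rotl8(x, s):
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _make_sbox():
    """Build the AES S-box: GF(2^8) multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p = p * 3 and q = q / 3 in GF(2^8), so p * q == 1 throughout the loop
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse; the affine map of 0 is 0x63
    return sbox


SBOX = _make_sbox()


def expand_key(key):
    """FIPS-197 key expansion for a 16-byte key: returns the 176-byte schedule."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)


def find_aes128_keys(image):
    """Return [(offset, key)] for every 16-byte window whose schedule follows it."""
    hits = []
    for off in range(len(image) - 176 + 1):
        cand = image[off:off + 16]
        # Cheap pre-check before a full expansion: first byte of round key 1 is
        # w0[0] ^ SBOX[w3[1]] ^ rcon(1).
        if (cand[0] ^ SBOX[cand[13]] ^ 0x01) != image[off + 16]:
            continue
        if expand_key(cand) == image[off:off + 176]:
            hits.append((off, cand))
    return hits


def build_test_image(key, offset, size=8192, seed=7):
    """Constructed RAM image: seeded pseudo-random filler with one schedule planted."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + 176] = expand_key(key)
    # Also plant the bare key elsewhere: without its schedule it is not reported,
    # which is the point of searching for the schedule rather than the key.
    buf[size - 64:size - 48] = key
    return bytes(buf)


# Hypothetical key and offset chosen for the demonstration (FIPS-197 test key).
DEMO_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
DEMO_OFFSET = 3000

if __name__ == "__main__":
    img = build_test_image(DEMO_KEY, DEMO_OFFSET)
    for off, key in find_aes128_keys(img):
        print(f"AES-128 key schedule at offset {off:#x}: key {key.hex()}")
```

On a real dump the pre-check is what keeps the scan tractable, since it rejects almost every offset with two table lookups before any expansion is attempted; a production tool would also tolerate a few bit errors per round key, because RAM decays after power loss and a cold boot image is rarely bit-perfect.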


   
ReplyQuote
(@kovar)
Prominent Member
Joined: 18 years ago
Posts: 805
 

Greetings,

Aye, Adam's method.

-David


   
ReplyQuote
(@muirner)
Trusted Member
Joined: 17 years ago
Posts: 65
 

It's not illegal if you have proper authority to seize the computer. So, let's say you get a court order/search warrant w/ an affidavit that states that the suspect states that their system is encrypted, online, and they say "you'll never get anything off it 'cuz it's encrypted." So, the police burst into the home and wait for you to arrive.

You arrive, the system is locked. The suspect is not cooperating. What are you, the forensics expert, to do? Stand there and look like an idiot, or proceed with a cold boot attack? The police and DA are expecting miracles from you, obviously.

If the police and the DA are involved, then it is fair to say that there is a court order in place. With that court order a suspect and (possibly) supervisors/admins could/should be held in contempt of court. Also, in the case US v. Boucher the suspect is being compelled to give up his encryption password, or to provide a complete unencrypted copy of the files within “Z”. Once this decision gets made and there is some case law behind it, I believe forcing suspects (with proper cause) to divulge their password. Also, EnCase/FTK and other forensic programs have the ability to work with common encryption schemes. There may be a workaround (it will probably need a password) to working with an acquired image of an encrypted drive.

Also, if a user is working on a company network where there is an administrator in place, this situation should not exist. Even without AD in place, the admin (you) should have a viable option to recover/reset the password of a user account. It’s stupid and complacent not to. What if you’re served with a court order post-termination? You’ll be caught with your pants down, and now you look like the…. Okay, you get my point.

Lastly, this whole thread is getting very confusing, OP. You keep going between a corporate, small, and home office. I’m constantly looking back at previous posts to find the correlation.

EDIT: I meant to add this but forgot, so I’ll edit it in. If the police and the DA are expecting miracles from you, then you’ve set the expectations way too high, or it’s their first time prosecuting a DF case. You need to be sure that you set the expectations at a reasonable level or a litany of problems will ensue in the near future when work product data is produced. If you are having trouble figuring out where you should set their expectations, or are unsure how to articulate your methodologies, actions, and reasoning for doing x or y, then you are in way over your head.


   
ReplyQuote
Page 2 / 2
Share: