Forensic Analysis Steps

29 Posts
9 Users
0 Reactions
3,006 Views
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

When performing a post-mortem exam of an acquired image from a Windows system, how do you go about your examination? I'm sure that while your steps are dependent upon the case, I'm also sure that there are some things that you do each time, perhaps every time.

One example from my own initial analysis: particularly with a potential intrusion case or an incident involving a specific user, I will parse the contents of the UserAssist key and sort the entries in order based on the most recently updated entry. In many cases, I will extract information about USB devices connected to the system, and when they were last connected.

I'm sure that in almost all cases, one of the things that are examined is the time zone settings for the system.

What are some of the other steps that you follow?

Thanks,

Harlan

(@chris2792)
Eminent Member
Joined: 18 years ago
Posts: 33
 

Amongst others, a few things I always do when I start a new case:

Doing a hash analysis, trying to sort out known files with hash lists, carving out files from unallocated clusters, establishing a timeline, locating encrypted files, looking for passwords (user password, dial-up, email accounts etc.), booting the system with LiveView (using a copy of the acquired image) if possible to get an overview.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

Chris,

Thanks for the response…do you do any Registry analysis at all? Just curious.

Also, how well does the file carving go, and what tools do you use?

How about the timeline? What tools and input data sources do you use?

Thanks,

Harlan

balzanto
(@balzanto)
Trusted Member
Joined: 18 years ago
Posts: 57
 

As you said, the focus of the examination will guide the steps taken. However, a few things that are common in all exams are OS info, time zone info (EnCase's Initialize Case Script covers all of this but I double check the time zone and owner info manually), hash analysis, and signature analysis. I also check for additional logical volumes, encryption containers, virtual machine files, and other places where things are not presented in an obvious manner.

From there, it really depends on what you are examining for. An analysis for data destruction or theft of IP would be much different from an internet acceptable use violation. On the LE side, an exam for fraud would be different than indecent solicitation or child pornography. The pre-exam conferences are very important so you have a clear understanding of what it is you are examining for and what the client hopes the exam shows or doesn't show. I'm a big fan of pre-exam planning meetings and building a "To Do List" for each case.

I like the suggestions of booting the image to get a feel for the acquired system. That is something I think I'll be doing more and more.

(@chris2792)
Eminent Member
Joined: 18 years ago
Posts: 33
 

> Chris,
> Thanks for the response…do you do any Registry analysis at all? Just curious.

Mostly what you already mentioned - UserAssist, USB devices, MRU entries…

> Also, how well does the file carving go, and what tools do you use?

Sometimes it's amazing how much you can get doing that - but there are also cases where the results from file carving are pretty much useless. I try to use different tools on the same case like EnCase, scalpel, foremost etc.

> How about the timeline? What tools and input data sources do you use?

fls from The Sleuth Kit to get the mactimes and Zeitline (a forensic timeline editor written in Java, see http://projects.cerias.purdue.edu/forensics/timeline.php )

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

So what would you think of an application that extracted this sort of information automatically?

Say, something that ran through the Registry files and extracted (and where necessary, translated) Registry entries, etc. Say, extracted the UserAssist entries and then sorted them based on the timestamp information? How about if the application could also do correlation? For example, it can automatically parse through Event Log files and extract not only the information, but present statistics about each of the .evt files themselves.

h

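The UserAssist step that Harlan describes in the opening post and again in the proposed tool above, as an added Python example (not code from the thread, and not Harlan's own Perl tools): it decodes the ROT13 value names, unpacks the XP-era 16-byte value data (session, run counter, last-run FILETIME) and sorts the entries most recently updated first. The sample values are constructed rather than taken from a real hive, and the 16-byte layout with the counter starting at 5 is the Windows XP/2003 format, not the later 72-byte Vista/7 layout.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME integer to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_userassist_value(name, data):
    """Decode one XP-era UserAssist\\{GUID}\\Count value: ROT13 name plus
    16-byte data laid out as <session DWORD><counter DWORD><FILETIME>."""
    if len(data) != 16:
        raise ValueError("expected 16-byte XP-style UserAssist data, got %d bytes" % len(data))
    session, counter, ft = struct.unpack("<IIQ", data)
    # XP starts the counter at 5, so the number of launches is counter - 5.
    runs = counter - 5 if counter >= 5 else counter
    # A zero FILETIME means no last-run time was recorded for this entry.
    last_run = filetime_to_datetime(ft) if ft else None
    return {"name": codecs.decode(name, "rot_13"), "session": session,
            "runs": runs, "last_run": last_run}

def sort_by_last_run(values):
    """Parse (name, data) pairs and order them most recently run first."""
    entries = [parse_userassist_value(n, d) for n, d in values]
    # Entries without a timestamp sort to the bottom.
    entries.sort(key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)
    return entries

# Constructed sample values (not from a real hive), encoded the way XP writes them.
def _make_value(plain_name, session, counter, last_run):
    ft = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10 if last_run else 0
    return codecs.encode(plain_name, "rot_13"), struct.pack("<IIQ", session, counter, ft)

SAMPLE_VALUES = [
    _make_value("UEME_RUNPATH:C:\\WINDOWS\\system32\\cmd.exe", 1, 8,
                datetime(2007, 6, 14, 9, 30, tzinfo=timezone.utc)),
    _make_value("UEME_RUNPIDL:%csidl2%\\Accessories\\Calculator.lnk", 1, 6,
                datetime(2007, 6, 15, 12, 0, tzinfo=timezone.utc)),
    _make_value("UEME_RUNPATH:E:\\setup.exe", 1, 5, None),
]

if __name__ == "__main__":
    for e in sort_by_last_run(SAMPLE_VALUES):
        print(e["last_run"], e["runs"], e["name"])
```

Reading the values out of a real NTUSER.DAT hive is left to whatever hive parser you already use; the functions above only need the (name, raw data) pairs.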
(@chris2792)
Eminent Member
Joined: 18 years ago
Posts: 33
 

Such an app would definitely save a lot of time.

Number one on the wishlist would be a system independent implementation - perhaps in Perl??
(If possible without using native Windows API calls)

Looking forward to reading your upcoming book - BTW, if you need help with testing or proofreading just let me know…

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

> Such an app would definitely save a lot of time.

Not only that, it would be an effective force multiplier. Someone with minimal skillsets could run the tool, and it would use the combined experience of everyone who put effort into the tool to do data extraction and correlation.

> Number one on the wishlist would be a system independent implementation
> - perhaps in Perl??
> (If possible without using native Windows API calls)

That's sort of the tack I've already taken with many of the tools I've written for my upcoming book…many of the Perl scripts are platform independent. Also, I do provide standalone .exes so that folks without Perl can run the tools.

> Looking forward to read your upcoming book - BTW, if you need help
> with testing or proof reading just let me know…

Thanks, but it's already on its way into production.

h

dcso
(@dcso)
Eminent Member
Joined: 19 years ago
Posts: 31
 

> Not only that, it would be an effective force multiplier. Someone with minimal skillsets could run the tool, and it would use the combined experience of everyone who put effort into the tool to do data extraction and correlation.

Interesting thought. I'm sure everyone has certain steps they take on every case. I've posed this question to other analysts in my area. Nobody answered, whether to "protect" their process or they just weren't confident in their answer.

I simply like the idea of knowing what others do to start their case. An automated process nailing the highlights would be even better. While confident in the steps I take, I'd sure hate to miss one that everyone else finds useful or important.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
Topic starter  

> I simply like the idea of knowing what others do to start their case.

Would you mind sharing what you do?

Thanks,

H
