
Helix and pagefile.sys

17 Posts
5 Users
0 Reactions
1,872 Views
Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
Topic starter  

I'm getting all sorts of seemingly conflicting information during some research that I am currently undertaking in relation to software-based live acquisitions.

Helix, other distros and tools of course state that they do not write to disk contents, but is this true…? In mounting Helix and running dd therefrom, say, can you be certain that it will not swap out memory on a Win system to pagefile.sys?

Does anyone out there know from testing/validating their tools whether any can claim this…? It seems to me that the host system would need the appropriate registry value set to stop this, requiring IMHO at least a gig of RAM.

Thoughts would be most welcomed.


(@sykotick)
Active Member
Joined: 18 years ago
Posts: 12
 

If you run the live Windows side of Helix you will write to the disk. I don't think there is any way around that, but it could be explained. If you are booting Helix and mounting the drive read-only, you will not write to the disk.


(@walkabout_fr)
Trusted Member
Joined: 19 years ago
Posts: 67
 

I don't think that E-fense ever claimed that the Windows side of Helix never wrote to the disk. That statement applies to the Linux part of Helix.

As far as the Windows part is concerned, it is certainly designed to minimize the footprint, but in the end it's just software running on an uncontrolled Windows system. I don't think any software can run on such a system without altering it in some way…


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Helix, other distros and tools of course state that they do not write to disk contents, but is this true…? In mounting Helix and running dd therefrom, say, can you be certain that it will not swap out memory on a Win system to pagefile.sys?

This is a good question and raises a matter of distinction… in that, while the tools themselves do not necessarily write to the disk, the running live operating system does. Loading new processes into memory will cause data to be written out to the pagefile. Also, by default, Windows XP will create Prefetch files, assuming that the 128 *.pf limit for that directory hasn't been reached. Also, interaction on the system (in particular through the shell) will cause a number of entries to be made to various keys.

> Does anyone out there know from testing/validating their tools whether any can claim this…? It seems to me that the host system would need the appropriate registry value set to stop this, requiring IMHO at least a gig of RAM.

Can you elaborate on which Registry value that would be?

Thanks,

H


(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

There's a good paper here on the WFT (Windows Forensic Toolkit) that Helix uses … Black Hat Paper

It states …

> WFT modified a larger percentage of bytes than if we had let the machine continue to run unused for at least 15 hours!

It's a good read …

Ronan


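Harlan's post above lists what a live Windows session changes while an acquisition tool runs (pages written out to pagefile.sys, new Prefetch files up to XP's 128-entry limit, Registry keys touched through the shell), and the Black Hat paper Ronan cites quantifies a tool's effect as a percentage of bytes modified. The Python script below is an added example, not code from the thread, from Helix or from WFT; it shows how an examiner might validate a tool's footprint in a lab: snapshot the artefacts of interest, run the tool, snapshot again, report what changed, and express the pagefile change as a byte fraction in the spirit of that metric. Every path and file content in the demo is a constructed stand-in for a suspect volume, built in a temporary directory so the script runs offline on any platform.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# From the thread: Windows XP stops creating new Prefetch files once the
# directory already holds this many *.pf entries.
XP_PREFETCH_LIMIT = 128


@dataclass(frozen=True)
class FileState:
    size: int
    sha256: str


def snapshot(root: str) -> Dict[str, FileState]:
    """Hash every file under root, keyed by its /-separated path relative to root."""
    states: Dict[str, FileState] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            states[rel] = FileState(os.path.getsize(full), digest.hexdigest())
    return states


def diff_snapshots(before: Dict[str, FileState],
                   after: Dict[str, FileState]) -> Dict[str, List[str]]:
    """Report which paths were added, removed or modified between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def changed_byte_fraction(before: bytes, after: bytes) -> float:
    """Fraction of bytes differing between two images of the same artefact.

    Same idea as the 'percentage of bytes modified' metric quoted from the
    Black Hat paper, applied here to a file such as pagefile.sys.
    """
    longest = max(len(before), len(after))
    if longest == 0:
        return 0.0
    differing = sum(1 for a, b in zip(before, after) if a != b)
    differing += abs(len(before) - len(after))  # bytes present in only one image
    return differing / longest


def prefetch_headroom(snap: Dict[str, FileState], prefetch_dir: str = "Windows/Prefetch",
                      limit: int = XP_PREFETCH_LIMIT) -> int:
    """How many more *.pf files XP would still create before hitting the limit."""
    count = sum(1 for p in snap
                if p.startswith(prefetch_dir + "/") and p.lower().endswith(".pf"))
    return max(limit - count, 0)


def _write(root: str, rel: str, data: bytes) -> None:
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def simulate_footprint() -> dict:
    """Constructed demo: a fake suspect volume before and after a live tool runs."""
    with tempfile.TemporaryDirectory() as vol:
        # Constructed 'before' state: idle pagefile, two Prefetch entries, a SYSTEM hive.
        pagefile_before = b"\x00" * 4096
        _write(vol, "pagefile.sys", pagefile_before)
        _write(vol, "Windows/Prefetch/NOTEPAD.EXE-ABCDEF01.pf", b"\x01" * 64)
        _write(vol, "Windows/Prefetch/CMD.EXE-12345678.pf", b"\x02" * 64)
        _write(vol, "Windows/System32/config/SYSTEM", b"\x00" * 512)
        before = snapshot(vol)

        # Constructed 'after' state, mimicking what the thread says a live OS does
        # while a tool runs: pages swapped out, a new *.pf created, hive keys touched.
        pagefile_after = b"\xaa" * 1024 + b"\x00" * 3072
        _write(vol, "pagefile.sys", pagefile_after)
        _write(vol, "Windows/Prefetch/DD.EXE-12345678.pf", b"\x03" * 64)
        _write(vol, "Windows/System32/config/SYSTEM", b"\x00" * 504 + b"\xff" * 8)
        after = snapshot(vol)

        return {
            "diff": diff_snapshots(before, after),
            "pagefile_changed_fraction": changed_byte_fraction(pagefile_before, pagefile_after),
            "prefetch_headroom_before": prefetch_headroom(before),
            "prefetch_headroom_after": prefetch_headroom(after),
        }


if __name__ == "__main__":
    result = simulate_footprint()
    for kind, paths in result["diff"].items():
        print(f"{kind:9s}: {paths}")
    print(f"pagefile bytes changed: {result['pagefile_changed_fraction']:.1%}")
    print(f"Prefetch headroom: {result['prefetch_headroom_before']} -> "
          f"{result['prefetch_headroom_after']}")
```

On a real validation run the two `snapshot()` calls would be taken from a write-blocked image of the test volume before and after the tool is exercised, never from the live system under test, since the snapshot process itself has the footprint the thread is discussing; hashing whole files is enough to show that the pagefile, Prefetch directory and hives changed, and `changed_byte_fraction()` gives the size of the pagefile change.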
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Ronan,

However, the context of that paper has to do with Windows memory analysis (I was in the audience for the presentation).

Another thing to consider is, does it really matter that WFT changed bytes in memory?


(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

I agree that it's related to the changes in memory; however, as the memory starts to fill it has to go somewhere. I believed it may be written to the pagefile. Hence, changes in memory may lead to changes to the pagefile. Whether Helix writes these to the pagefile I'm not quite sure.

Ronan


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> I agree that it's related to the changes in memory; however, as the memory starts to fill it has to go somewhere. I believed it may be written to the pagefile. Hence, changes in memory may lead to changes to the pagefile. Whether Helix writes these to the pagefile I'm not quite sure.

I really thought I mentioned that already…

"Loading new processes into memory will cause data to be written out to the pagefile. "

But okay…


(@ronanmagee)
Estimable Member
Joined: 20 years ago
Posts: 145
 

Yeah, I guess your post confused me slightly, as I thought you were talking about running the actual OS instead of running the Helix boot CD.

So if the Helix Boot CD writes to memory, are the contents of memory written to the pagefile on the suspect's HD?

If Helix is used in the Win WFT mode then I would say that it does matter that WFT changed bytes in memory. As a consequence of this the pagefile will change resulting in the possibility of evidence being lost.


Fab4
(@fab4)
Estimable Member
Joined: 18 years ago
Posts: 173
Topic starter  

> while the tools themselves do not necessarily write to the disk, the running live operating system does. Loading new processes into memory will cause data to be written out to the pagefile. Also, by default, Windows XP will create Prefetch files, assuming that the 128 *.pf limit for that directory hasn't been reached. Also, interaction on the system (in particular through the shell) will cause a number of entries to be made to various keys.

I couldn't have articulated that better myself, Harlan… thanks.

> Can you elaborate on which Registry value that would be?

I'm delving back into the mental archives here, so I'd welcome you putting me straight if it's inaccurate…

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management. Set DisablePagingExecutive value to 1.

> I don't think that E-fense ever claimed that the Windows side of Helix never wrote to the disk. That statement applies to the Linux part of Helix.

I quote from Drew Fahey's 'Helix 1.7 for Beginners' manual, version 2006.02, page 99, in the "About" section:

"It boots from the CD media, while not touching the contents of your harddisk."

This statement is itself not accompanied by any Windows / Linux distinction, although it must be observed that earlier in the manual he is more specific about swap space not being mounted in Linux, more so than any similar comment related to Windows.

> So if the Helix Boot CD writes to memory, are the contents of memory written to the pagefile on the suspect's HD?

Ronan, it is my current understanding that if the prevailing state of the system is such that *any* application would force swapping to occur, the same will occur if that app happens to be Helix. We all understand that the pagefile can bring further context to memory contents, so this is an implication that examiners must account for.

Please shout up if this is not an understanding you concur with.

And thanks for the replies.

