I have written a CMD script that runs several tools (e.g., netstat, memsnap, ipconfig) to collect state information about a machine for which we may have received a virus alert or other incident. The output from the tools is saved in several .log text files.
Since we have a lot of remote users, I'd like to pre-load the CMD script and tools onto all of our desktops/laptops so that in the event of an incident, the CMD script can either be remotely executed using PSEXEC or run manually. My concern is that once the script is executed, it is overwriting disk space which may contain valuable evidence. I can pre-create dummy files for each .log file with sufficient size. If I then run the CMD script, can I guarantee that the file space used by the dummy files will be overwritten with the files generated by my script? Is there still a risk that I will overwrite some other portion of the hard drive?
Before doing this, I want to make sure it is forensically sound.
Thanks
Sebouh
If I then run the CMD script, can I guarantee that the file space used by the dummy files will be overwritten with the files generated by my script? Is there still a risk that I will overwrite some other portion of the hard drive?
I think that there is a high chance that your new data will not overwrite the old files unless you use more complex file access methods than just outputting a text file.
You could, of course, create a small partition just for your log files which would achieve the results that you want. Perhaps you should also consider hiding the partition to discourage the user from using it.
Well you could also look at logging to a network share since you are kicking off the tools remotely. That way you have it all in a central place off of the machine in question.
Another issue to consider is if you are putting these tools on the local machine, you need some way to make sure the tools haven't been altered when it comes time to use them. If the machine gets compromised, what's to say the tools you put there won't be modified (or even help the attacker)?
Just my .02, keep the change….
Tom
Tom,
Sending logs to a network share is an option I am considering. If the script sees that the machine is online and the network share is available, I can put them there. Otherwise, if offline, I would want to store locally.
I've thought about the potential of the tools being modified if the machine has been compromised. I have renamed the tools from their original name (e.g., netstat.exe is now x_netstat_x.exe) so if a machine is compromised and either tries to corrupt files named netstat.exe or monitors processes and kills programs like netstat.exe, this at least reduces the possibility there will be a problem.
Ron,
Most of the log files are created by redirecting STDOUT to a file, so I don't see a problem. Also, since my original post, I created dummy files and, using various iterations of my script and a file recovery tool, RecoverMyFiles, it looks like no intermediate or temporary files are being created by my script.
Partitioning is an option, but with a few thousand machines this is not something that can easily be set up until each machine is reimaged.
Thanks
Sebouh
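One way to wire together the points raised so far (verify the staged tools before trusting them, prefer the network share when it is reachable, and reuse the pre-created dummy .log instead of truncating it), as an added Python example that is not part of the thread or of anyone's CMD script. The tool names and manifest digests are placeholders; the in-place write assumes a plain (non-compressed, non-sparse) file, which is what lets the existing allocation be reused rather than letting the filesystem pick fresh clusters.

```python
import hashlib
import os
import subprocess

# Constructed manifest of the renamed tools; replace the placeholders with real digests.
TOOL_MANIFEST = {
    "x_netstat_x.exe": "<sha256-of-staged-binary>",
    "x_ipconfig_x.exe": "<sha256-of-staged-binary>",
}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tool(path, expected):
    """True only if the staged tool still matches its known-good digest."""
    return os.path.isfile(path) and sha256_file(path) == expected

def choose_output_dir(share_dir, local_dir):
    """Prefer the network share when it is reachable and writable."""
    if share_dir and os.path.isdir(share_dir) and os.access(share_dir, os.W_OK):
        return share_dir
    return local_dir

def write_in_place(path, data):
    """Overwrite the pre-sized placeholder without truncating it (r+b), so its
    existing allocation is reused; the unused tail is padded with zeros."""
    size = os.path.getsize(path)
    if len(data) > size:
        raise ValueError("output %d B exceeds reserved file %d B" % (len(data), size))
    with open(path, "r+b") as f:
        f.write(data + b"\0" * (size - len(data)))
        f.flush()
        os.fsync(f.fileno())
    return len(data)

def collect(tool_dir, out_dir, args_by_tool):
    """Run each verified tool; its output lands in the matching pre-sized .log."""
    results = {}
    for name, digest in TOOL_MANIFEST.items():
        tool = os.path.join(tool_dir, name)
        if not verify_tool(tool, digest):
            results[name] = "skipped: missing or hash mismatch"
            continue
        out = subprocess.run([tool] + args_by_tool.get(name, []), capture_output=True)
        results[name] = write_in_place(
            os.path.join(out_dir, name[:-4] + ".log"), out.stdout + out.stderr)
    return results
```

Pre-create each .log at its reserved size on the clean image; if a tool's output would exceed that size the wrapper refuses rather than growing the file into unreserved space.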
If you want to create a "dummy file" and be sure that the data you are capturing goes into the file, consider using TrueCrypt. You can create a TrueCrypt file ahead of time to a pre-defined size. Mount it as a drive letter and then redirect your output to that drive which will be stored inside of the TrueCrypt file.
For the record, you do not actually need TrueCrypt or any form of encryption; you can also use IMDISK or VDK.EXE, or, should you be "confined" to "only MS files", the Virtual Disk Drivers within the VSS SDK.
Depending on the size of the logs, you may also use VFD.EXE with a 1.44 or 2.88 Mb floppy image.
Probably, using a bigger HD image, you can fit ALL the tools inside the same image, with the advantage of easier deployment, but possibly a slightly more complex procedure to retrieve the logs.
jaclaz