Live Forensics vs Plug Pull

21 Posts
7 Users
0 Reactions
3,778 Views
(@paulodicanio)
Eminent Member
Joined: 19 years ago
Posts: 36
Topic starter  

I'm looking for some info or documentation on taking an image of a live running machine vs pulling the plug, removing the HD and using that against a write blocker.

1. What will I miss out on potentially by pulling the plug and imaging at a later date?

2. By logging in as an administrator and imaging out using FTK to an ext HD, how many files am I modifying? I've found quite a few, although this won't amend any docs, images etc., which would be core evidence. As well as running FTK Imager from CD / USB, and plugging in my ext HD for the image.

3. If the suspect is currently logged into the network, should I log them out or leave them logged in? For info, if they aren't admin we wouldn't be able to get an image using FTK Lite.

I'll keep researching in the mean time.


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Not to beat a dead horse

Windows Forensic Analysis Including DVD Toolkit - Chapter 1 Live Response Collecting Volatile Data


 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

We are getting the flies on the dead horse however, so it's not in vain. :)


(@paulodicanio)
Eminent Member
Joined: 19 years ago
Posts: 36
Topic starter  

Are you calling me a fly? lol


 ddow
(@ddow)
Reputable Member
Joined: 21 years ago
Posts: 278
 

Well, gee. I hadn't thought of it that way. :) Hope you know we're not picking on YOU but the horse. :)


erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

A couple of things I would be worried about losing if I pulled the plug are

• Evidence from remote sources that the user is logged in to. (e.g. web mail). Under our search provisions (Section 487(2.1) Canadian Criminal Code), we are authorized to search “any data contained in or available to the computer system”. That means that if the user is logged in to a remote mail server, even in another country, we can search their email and presumably download it or print it out. We’re still waiting for a court challenge however and unless (1) the data is critical to the case and (2) the investigating unit is ready to set case law, investigators may not want to go ahead and do this. Maybe your search provision wording is similar.

• The Trojan defense – you may want to run a live-analysis CD and do a port scan, list the running processes, and even do a memory dump to mitigate the “my computer was hacked” defense (e.g. in CP or music/video download cases). [See Anson and Bunting’s “Windows Network Forensics and Investigation” Chapter 6 for info on creating and using live analysis CDs.]

• Some registry info like the user’s recent web history. If you want to show that the user that you actually found sitting at the machine was visiting a specific set of web sites you may want the registry entries relating to his current session. Unfortunately, these entries do not update until IE is shut down. If you pull the plug before shutting down IE, you lose the info relating to his current session. Then you have to worry about placing the user at the machine during the previous session, and if his password is insecure that may be a problem. The more you can actually do to place a specific user at a machine, visiting specific web sites, the better.

• Access to encrypted folders (e.g. Windows EFS). If you pull the plug you will no longer be able to access a user's encrypted folders without obtaining their password.

Just some quick thoughts, although there is other info you might lose too…


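Added example, not code from erowe or anyone else in this thread: once you have the memory dump mentioned above, the first pass most examiners make is to carve strings and URLs out of it to show what the logged-in user was actually doing. The script below does that over a constructed byte string standing in for a dump (SAMPLE_DUMP and every URL in it are made up). The point it illustrates is that Windows applications keep most of their text as UTF-16LE, so an ASCII-only strings pass misses the webmail and intranet URLs the post is talking about.

```python
import mmap
import re
from typing import List, Tuple

# Constructed sample "dump" (NOT a real memory image). Fragments are laid out
# the way they turn up in a Windows process image: some ASCII (HTTP traffic,
# C runtime strings) and a lot of UTF-16LE (anything that went through the
# Win32 wide-char APIs, which is most of the user's typed input).
SAMPLE_DUMP = (
    b"\x00\x00junk\xff\xfe"                                    # noise
    + b"http://mail.example.net/inbox?user=jdoe\x00"           # ASCII URL
    + b"\x90" * 8                                              # noise
    + "https://intranet.example.local/secret".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x01\x02\x03"
    + b"ftp://files.example.org/\x00\x00"                      # ASCII URL
    + "Logged on as: jdoe".encode("utf-16-le") + b"\x00\x00"   # UTF-16LE text
)

# Printable, non-space ASCII after the scheme; a URL ends at the first NUL/space.
_ASCII_URL = re.compile(rb"(?:https?|ftp)://[\x21-\x7e]{4,}")
# Same pattern with every character followed by a NUL byte, i.e. UTF-16LE.
_UTF16_URL = re.compile(
    rb"(?:h\x00t\x00t\x00p\x00(?:s\x00)?|f\x00t\x00p\x00)"
    rb":\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,}"
)


def carve_urls(data) -> List[Tuple[int, str, str]]:
    """Return (offset, url, encoding) for every URL found, sorted by offset."""
    hits = [(m.start(), m.group().decode("ascii"), "ascii")
            for m in _ASCII_URL.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le"), "utf-16le")
             for m in _UTF16_URL.finditer(data)]
    return sorted(hits)


def utf16_strings(data, min_len: int = 6) -> List[Tuple[int, str]]:
    """Generic UTF-16LE string carve (the -el of GNU strings). A stray printable
    ASCII byte sitting right before a wide string gets absorbed into the match;
    expect the occasional leading junk character in real dumps."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pat.finditer(data)]


def scan_dump(path: str) -> List[Tuple[int, str, str]]:
    """Carve URLs from a dump file on disk; mmap so multi-GB images are not read
    into memory. Open read-only so the evidence file is never modified."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_urls(mm)


if __name__ == "__main__":
    for off, url, enc in carve_urls(SAMPLE_DUMP):
        print(f"0x{off:08x} {enc:8s} {url}")
    for off, s in utf16_strings(SAMPLE_DUMP):
        print(f"0x{off:08x} utf-16le {s!r}")
```

Keep the offsets with each hit; when a URL also appears on the disk image (cache, history, pagefile) the memory offset is what ties the two together, and it is the sort of thing you get asked about when the "my computer was hacked" defence comes up.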
(@jonathan)
Prominent Member
Joined: 20 years ago
Posts: 878
 

Just some quick thoughts, although there is other info you might lose too…

Some excellent points there, thanks for sharing them. What were the other bits that you stand to lose which you mention?


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

• Some registry info like the user’s recent web history. If you want to show that the user that you actually found sitting at the machine was visiting a specific set of web sites you may want the registry entries relating to his current session.

Can you expand on that a bit…such as, which Registry keys are you referring to?

Thanks,

Harlan


erowe
(@erowe)
Estimable Member
Joined: 18 years ago
Posts: 144
 

About a month or so ago I started casually verifying at what point different Registry values updated (e.g. immediately, when the application shut down, etc.). Most keys appeared to update immediately, but some keys e.g. HKEY_USERS\User’s SID\Software\Microsoft\Internet Explorer\TypedURLs only updated when the application associated with them (IE) was cleanly shut down. I seem to recall running across several other values that didn’t update immediately.

I'd love to give you a list of Keys along with the update details, but like I said, this was just some fairly casual hacking around and my notes are pretty sketchy. Come December I’ll have time to take a systematic look at Registry values and document their individual behaviours. (Or has someone already done this?)

As for what other data can be lost by pulling the plug, I think Harlan (and a heck of a lot of other folks) probably know more about this than I do (see his “Windows Forensic Analysis” book). The short answer is any data in RAM or coming in on the NIC (or any other interface).

My main interest is in search and seizure on computer networks and I can tell you that pulling the plug on networked PCs with open database sessions can lead not only to lost data, but a damaged database. I also once killed a Novell server by pulling its plug – fortunately it was one of mine.


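Added example, not code posted by erowe or anyone else here: a small parser for `reg export` output of the TypedURLs key, used to compare two exports by value, for instance one taken on the live box after IE was closed cleanly and one pulled from the post-mortem image. Since the key is only written when IE shuts down, an export taken while IE is still running will not contain the current session either; the comparison shows what a plug pull would have cost. Both .reg texts below are constructed, including the SID, and the key path is the one named in the post.

```python
import re
from typing import Dict, List

# Constructed .reg exports (NOT from a real case). reg.exe writes .reg files as
# UTF-16LE with a BOM, so read real ones with open(path, encoding="utf-16").
# The SID S-1-5-21-1111111111-2222222222-3333333333-1001 is a placeholder.
LIVE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.example.org/"

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://webmail.example.net/"
"url2"="http://www.example.org/downloads"
"url3"="http://news.example.com/"
"url4"="file:///C:\\Users\\jdoe\\notes.txt"
'''

# Same user, hive taken from the image after the plug was pulled: the session
# that produced url1/url2 above was never flushed, and IE renumbered the rest.
POSTMORTEM_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://news.example.com/"
"url2"="file:///C:\\Users\\jdoe\\notes.txt"
'''

_VALUE_RE = re.compile(r'^"url(\d+)"="(.*)"$')


def parse_typed_urls(reg_text: str) -> List[str]:
    """Return the TypedURLs values in stored order (url1 first). Other keys in
    the export are ignored; .reg escaping (\\\\ and \\") is undone."""
    entries: Dict[int, str] = {}
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.rstrip("]").endswith("\\Internet Explorer\\TypedURLs")
            continue
        if not in_key:
            continue
        m = _VALUE_RE.match(line)
        if m:
            entries[int(m.group(1))] = re.sub(r"\\(.)", r"\1", m.group(2))
    return [entries[i] for i in sorted(entries)]


def load_export(path: str) -> List[str]:
    """Parse a .reg file as written by reg.exe (UTF-16LE with BOM)."""
    with open(path, encoding="utf-16") as f:
        return parse_typed_urls(f.read())


def urls_lost(reference: List[str], other: List[str]) -> List[str]:
    """URLs present in `reference` but absent from `other`. Compare by value,
    never by index: IE renumbers url1..urlN on every write, so the same URL
    sits at a different position in the two exports."""
    seen = set(other)
    return [u for u in reference if u not in seen]


if __name__ == "__main__":
    live = parse_typed_urls(LIVE_EXPORT)
    dead = parse_typed_urls(POSTMORTEM_EXPORT)
    for u in urls_lost(live, dead):
        print("would have been lost by a plug pull:", u)
```

The collection command on the live box is the ordinary `reg export "HKU\<SID>\Software\Microsoft\Internet Explorer\TypedURLs" typedurls.reg`, run from your own media and with the output going to your own drive; note the time, since the value of this key is precisely that it dates the entries to the session of the user you found at the keyboard.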
(@paulodicanio)
Eminent Member
Joined: 19 years ago
Posts: 36
Topic starter  

What have you been using to image live systems? FTK Imager? I want to image out to an ext USB. So I would ideally like to run FTK Imager off CD or USB drive. I think with admin rights I could do this without having to log the user out of his session, and potentially losing even more evidence.

