All,
I've been thinking a bit about Windows live acquisitions…acquiring an image from a live system…and the thought of stopping services occurred to me.
What services, if any, would you consider stopping prior to the acquisition? Would this depend upon the nature of the system at the time (disconnected from the network, or segmented in some way so that the provided services…Exchange, IIS, etc…were not available)?
I'd like to hear your thoughts, maybe what you've done or what procedures you've worked out.
Thanks,
H
I ran across some notes I had on the Windows Protected Storage service, pstores.exe. This process manages (aka protects) OE and IE passwords in a secure region of memory.
I do not know how efficient the XP memory manager is. I could not say whether or not stopping or killing this process/service would result in this memory region being reallocated, or how quickly this memory would be reused.
I always thought the ability to extract OE and various IE passwords from memory would be beneficial. I know there exist various utilities to retrieve some of the passwords but these utilities go after the registry, OST, PST, and DBX files. I always thought it would be of more value to grab and decrypt what was in actual memory.
My best approach would be to define the services I could turn off. From the list below there are very few I would turn off. The list is included at the end of the diatribe. I'm not basing this on any specific technical recommendation but pure gut rationale: either the service might affect my imaging process, or these services may contain data artifacts from previous activity (pure speculation on my part). When in doubt, do not turn it off!
A technical reference on this topic would be nice. This has been on my research list for years – I just do not see any progress in the immediate future either!
YES  Alerter Service
NO   Application Layer Gateway Service
NO   Application Management Service
YES  Automatic Updates Service
YES  Background Intelligent Transfer Service
NO   ClipBook Service
NO   COM+ Event System Service
NO   COM+ System Application Service
NO   Computer Browser Service
NO   Cryptographic Services Service
NO   DCOM Server Process Launcher
NO   DHCP Client Service
NO   Distributed Link Tracking Client Service
NO   Distributed Transaction Coordinator Service
NO   DNS Client Service
NO   Error Reporting Service
NO   Event Log Service
YES  Fast User Switching Compatibility Service
YES  Help and Support Service
NO   HID Input Service
NO   HTTP SSL
NO   IMAPI CD-Burning COM Service
NO   Indexing Service
NO   Internet Connection - Firewall (ICF) / Sharing (ICS) Service
NO   IPSEC Services Service
NO   Logical Disk Manager Service
NO   Logical Disk Manager Administrative Service
YES  Machine Debug Manager Service
NO   Messenger Service
NO   MS Software Shadow Copy Provider Service
NO   Net Logon Service
NO   NetMeeting Remote Desktop Sharing Service
NO   Network Connections Service
NO   Network DDE Service
NO   Network DDE DSDM Service
NO   Network Location Awareness (NLA) Service
NO   Network Provisioning Service
NO   NT LM Security Support Provider Service
YES  Performance Logs and Alerts Service
NO   Plug and Play Service
NO   Portable Media Serial Number Service
NO   Print Spooler Service
NO   Protected Storage Service
NO   QoS RSVP Service
NO   Remote Access Auto Connection Manager Service
NO   Remote Access Connection Manager Service
YES  Remote Desktop Help Session Manager Service
NO   Remote Procedure Call (RPC) Service
NO   Remote Procedure Call (RPC) Locator Service
NO   Remote Registry Service
NO   Removable Storage Service
NO   Routing and Remote Access Service
NO   ScriptBlocking Service
NO   Secondary Logon Service
NO   Security Accounts Manager Service
NO   Security Center
NO   Server Service
NO   Shell Hardware Detection Service
NO   Smart Card Service
NO   Smart Card Helper Service
NO   SSDP Discovery Service
NO   System Event Notification Service
YES  System Restore Service
NO   Task Scheduler Service
NO   TCP/IP NetBIOS Helper Service
NO   Telephony Service
YES  Telnet Service
YES  Terminal Services Service
YES  Themes Service
NO   Uninterruptible Power Supply Service
NO   Universal Plug and Play Device Host Service
YES  Upload Manager Service
NO   Volume Shadow Copy Service
NO   WebClient Service
NO   Windows Audio Service
NO   Windows Firewall/Internet Connection Sharing (ICS)
NO   Windows Image Acquisition (WIA) Service
NO   Windows Installer Service
NO   Windows Management Instrumentation Service
NO   Windows Management Instrumentation Driver Extensions
NO   Windows Time Service
YES  Wireless Zero Configuration Service
NO   WMI Performance Adapter Service
NO   Workstation Service
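The procedure the post above sketches (decide on a short list of services, leave everything else alone, and keep a record of what the box looked like before you touched it) can be scripted so it is repeatable and documented. The script below is an added example written for this page; it is not the poster's code, and it targets a PowerShell-era Windows host rather than the XP box discussed. The allow-list is an assumption lifted from the "YES" rows of the list above, and the output path is a placeholder. It does not acquire memory: if you intend to capture physical memory, do that before running anything that stops services, since stopping them changes what is in RAM.

```powershell
<#
  Added example, not from the original thread.
  Snapshot service and process state, stop ONLY an explicit allow-list of
  services, log every action, then snapshot again and hash the records.
  Defaults to a dry run; pass -StopServices to actually stop anything.
#>
param(
    # Assumption: an examiner-controlled drive. Never write to the evidence volume.
    [string]$OutDir = "E:\acq\$($env:COMPUTERNAME)_$(Get-Date -Format 'yyyyMMdd_HHmmss')",
    [switch]$StopServices
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$log = Join-Path $OutDir 'actions.log'
function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $log
}

# 1. Baseline before anything is touched. Win32_Service carries the hosting
#    PID and binary path, so a later memory image can be reconciled against it.
Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, ProcessId, PathName |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'services_before.csv')
Get-Process |
    Select-Object Id, ProcessName, Path, StartTime |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes_before.csv')
Write-Log "baseline written to $OutDir"

# 2. Display names the poster marked YES (assumed XP names; adjust per target).
#    Event Log, Protected Storage, RPC, etc. are deliberately absent: nothing
#    that is not on this list is ever touched.
$allowList = @(
    'Alerter', 'Automatic Updates', 'Background Intelligent Transfer Service',
    'Fast User Switching Compatibility', 'Help and Support', 'Machine Debug Manager',
    'Performance Logs and Alerts', 'Remote Desktop Help Session Manager',
    'System Restore Service', 'Telnet', 'Terminal Services', 'Themes',
    'Upload Manager', 'Wireless Zero Configuration'
)

foreach ($display in $allowList) {
    $svc = Get-Service -DisplayName $display -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Log "SKIP   '$display': not installed"; continue }
    if ($svc.Status -ne 'Running') { Write-Log "SKIP   '$display': already $($svc.Status)"; continue }

    # Refuse to stop a service that a running, non-listed service depends on;
    # Stop-Service -Force would silently take the dependent down with it.
    $blockers = @($svc.DependentServices |
        Where-Object { $_.Status -eq 'Running' -and $allowList -notcontains $_.DisplayName })
    if ($blockers.Count -gt 0) {
        Write-Log "SKIP   '$display': running dependents: $($blockers.DisplayName -join ', ')"
        continue
    }

    if (-not $StopServices) { Write-Log "DRYRUN would stop '$display' ($($svc.Name))"; continue }
    try {
        Stop-Service -InputObject $svc -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
        Write-Log "STOP   '$display' ($($svc.Name)) -> $($svc.Status)"
    } catch {
        Write-Log "FAIL   '$display': $($_.Exception.Message)"
    }
}

# 3. Second snapshot plus hashes, so the acquisition notes show exactly what
#    changed and the records can be verified afterwards.
Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, ProcessId, PathName |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'services_after.csv')
Get-ChildItem -Path $OutDir -Filter '*.csv' |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'hashes.csv')
Write-Log 'done'
```

Run it from an elevated prompt, first without -StopServices to review actions.log, then with the switch once you are satisfied. Because the script only ever acts on names in $allowList and refuses anything with an unlisted running dependent, the default posture matches the post: when in doubt, leave it running.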
"A technical reference on this topic would be nice. This has been on my research list for years – I just do not see any progress in the immediate future either!"
I hear ya! Getting input from the community on this would be nice, too.
H
I don't have any helpful input, just questions. I hope this thread will accept them.
Would you want to capture the physical memory and maybe process images first? I know I read about that somewhere. 😉
IMHO - you need to weigh your risks! Can you easily isolate the machine without causing damage (company economic, monetary, image and legal)? Your initial risk assessment should address these issues!
I believe this is where keydet89's question comes into play. I think the best approach would be to construct a risk matrix based upon risk categories such as "critical server (application support, database, etc.), critical server external business operations, critical server internal operations, internal incident, external incident, continued threat, etc.", OS services, applications and users.
Right now we are missing most of the OS services part: what can be safely turned off without adversely affecting other system components, applications and potentially critical evidence.
In a perfect world you could pull the network plug, install your own hub and do your thing! Our world is far from perfect, and many business operation managers do not think very kindly of such recommendations.
"…you need to weigh your risks!"
Right, but I think that most folks are probably looking to have those risks identified.
" Right, but I think that most folks are probably looking to have those risks identified."
I believe you are referring to "most folks" as CF/IR customers and not CF/IR professionals/technicians. With that said, I've heard stories of the "raging bull in the china shop" or "damn the torpedoes, full speed ahead" response scenarios. I believe those approaches do not bear much fruit, even when done by law enforcement, MHO!
I would think that a person of reasonable intelligence (business owner) should understand the importance of an up-to-date risk assessment. Given SOX and the personal information disclosure regulations being adopted at various state and federal levels, a properly defined and maintained Incident Response Plan should be at the top of every CEO/CFO's list.
I'm getting off topic, sorry!
"I believe you are referring to "most folks" as CF/IR customers and not CF/IR professionals/technicians."
Actually, I'm not. Saying "you have to consider the risks" is all good and fine, but on other forums there is that request: "what *are* those risks??"
"I would think that a person of reasonable intelligence (business owner) should understand the importance of an up-to-date risk assessment."
Right. Look in the media at TJX. There are others; risk assessments with regard to security (computer and network) simply are not done in many cases.
"…a properly defined and maintained Incident Response Plan should be at the top of every CEO/CFO's list."
Key words being *should be*, and I agree. But I have a really good job because that is simply NOT the case.
H