
The difference b/t static and live forensic analysis

5 Posts
3 Users
0 Reactions
2,444 Views
(@jakeaw03)
Trusted Member
Joined: 17 years ago
Posts: 65
Topic starter  

Hello everyone,

This is my first time posting so I hope that I don't violate any customary procedures.

I am looking for some guidance. I am familiar with live forensics or incident response, but my question is regarding doing static forensics on an imaged (dd image) hard drive. I would be doing static forensics w/ tools such as FTK or EnCase etc.

W/ live forensics I would be looking for running processes, live network connections etc. Can you please recommend some of the things that I would be looking for in a static image? First question you might ask me is to be more specific in what are you looking for? I am looking for signs of a hack. This is not a real incident, so I don't have specifics. This is more of a drill for future issues. I assume that I would look for artifacts that are listed in the /run, /runonce, /service, prefetch files. What kind of Windows logging would I be looking for? So if this was an IIS server I might be looking at application logs or the Windows application logging feature, but what about workstations? I guess security logging for brute force attacks. Any other suggestions? Again I am just trying to see the different ways to do forensics w/ a static image versus a live image.

Also would I be able to put that dd image (or whatever was used to image the drive) into VMware? Or can I just mount it as a share and then conduct live analysis on the image?

Any help would be appreciated. Again I apologize if I don't have more info that might be asked of me, but I can try to supply it.

Thanks,
Jake


   
Quote
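Jake's list of static artifacts includes prefetch files, so here is an added example (not code from the thread, and not one of the tools mentioned in it) of pulling the fields an examiner usually wants from them. It parses the Windows XP prefetch layout (format version 17, "SCCA" signature, executable name at offset 0x10, path hash at 0x4C, last run FILETIME at 0x78, run count at 0x90), builds a timeline sorted by last run, and cross-checks each on-disk filename against the hash in its header. The sample prefetch files are constructed in the script; the executable names, hashes and timestamps in them are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

PREFETCH_SIGNATURE = b"SCCA"
XP_PREFETCH_VERSION = 17      # format version written by Windows XP / Server 2003
HEADER_AND_INFO_SIZE = 0x94   # 0x54-byte header plus the XP file-information block
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Integer-exact inverse of filetime_to_datetime (used only to build samples)."""
    td = dt - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_xp_prefetch(data):
    """Return the header fields of an XP-format .pf file; raise ValueError if it is not one."""
    if len(data) < HEADER_AND_INFO_SIZE:
        raise ValueError("file too short for an XP prefetch header")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != PREFETCH_SIGNATURE:
        raise ValueError("missing SCCA signature: not a prefetch file")
    if version != XP_PREFETCH_VERSION:
        raise ValueError(f"prefetch version {version} is not the XP layout this parser knows")
    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    # Executable name: 60 bytes of UTF-16LE, NUL terminated.
    name = data[0x10:0x10 + 60].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 0x4C)[0]
    last_run_ft = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    return {"executable": name, "path_hash": path_hash, "file_size": file_size,
            "last_run": filetime_to_datetime(last_run_ft), "run_count": run_count}


def prefetch_name_matches(filename, record):
    """On-disk name is EXENAME-XXXXXXXX.pf; the hex part should equal the header hash."""
    stem = filename.rsplit(".", 1)[0]
    exe, _, hex_hash = stem.rpartition("-")
    return (exe.upper() == record["executable"].upper()
            and hex_hash.upper() == f"{record['path_hash']:08X}")


def prefetch_timeline(files):
    """files: {filename: bytes}. Parsed records newest-first, each with a name check."""
    rows = []
    for filename, data in files.items():
        rec = parse_xp_prefetch(data)
        rec["filename"] = filename
        rec["name_ok"] = prefetch_name_matches(filename, rec)
        rows.append(rec)
    rows.sort(key=lambda r: r["last_run"], reverse=True)
    return rows


def build_sample_prefetch(exe_name, last_run, run_count, path_hash):
    """Constructed test data: only the header fields this parser reads are filled in."""
    buf = bytearray(HEADER_AND_INFO_SIZE)
    struct.pack_into("<I4s", buf, 0, XP_PREFETCH_VERSION, PREFETCH_SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, len(buf))
    encoded = exe_name.encode("utf-16-le")[:58]   # leave room for the NUL terminator
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<I", buf, 0x4C, path_hash)
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)


# Constructed sample prefetch directory (names, hashes and times are made up).
SAMPLE_FILES = {
    "CMD.EXE-0A1B2C3D.pf": build_sample_prefetch(
        "CMD.EXE", datetime(2007, 3, 15, 12, 0, tzinfo=timezone.utc), 14, 0x0A1B2C3D),
    "NOTEPAD.EXE-4E5F6A7B.pf": build_sample_prefetch(
        "NOTEPAD.EXE", datetime(2007, 3, 10, 9, 30, tzinfo=timezone.utc), 3, 0x4E5F6A7B),
    # Filename hash does not match the header: the file deserves a second look.
    "SVCHOST.EXE-00000000.pf": build_sample_prefetch(
        "SVCHOST.EXE", datetime(2007, 3, 14, 23, 5, tzinfo=timezone.utc), 1, 0x11223344),
}

if __name__ == "__main__":
    for r in prefetch_timeline(SAMPLE_FILES):
        flag = "" if r["name_ok"] else "  <- filename/hash mismatch"
        print(f"{r['last_run']:%Y-%m-%d %H:%M} {r['executable']:<14} runs={r['run_count']}{flag}")
```

The name check is there because the executable name and hash are written by the OS, so a .pf whose filename disagrees with its own header was created or renamed by something else. On a real image, replace SAMPLE_FILES with the bytes of each file under Windows\Prefetch on the mounted, read-only volume.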
(@bgrundy)
Trusted Member
Joined: 19 years ago
Posts: 70
 

> W/ live forensics I would be looking for running processes, live network connections etc. Can you please recommend some of the things that I would be looking for in a static image? First question you might ask me is to be more specific in what are you looking for? I am looking for signs of a hack.

If you are interested in investigating "a hack", then the analysis of "live" data and "static" data are largely inseparable. What you find in one will lead you to evidence in the other. This is also true for log correlation (e.g. IDS), etc.

You need to read Windows Forensic Analysis. The later chapters are on static analysis, but it all comes together nicely. The author often responds on this site and would be none too bashful about pointing you to his book himself, but it's important to note that it really *is* useful…

> Also would I be able to put that dd image (or what ever was used to image the drive) into Vmware? Or can I just mount it as a share and then conduct live analysis on the image?

Have a look at liveview

Barry


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Barry,

You da man! You da man!


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Jake,

> W/ live forensics I would be looking for running processes, live network connections etc. Can you please recommend some of the things that I would be looking for in a static image?

Well, depending upon the nature of the situation, I'd recommend things like user profiles (time/date of creation, as well as user activity), Registry analysis, etc., as a beginning.

> First question you might ask me is to be more specific in what are you looking for? I am looking for signs of a hack. This is not a real incident, so I don't have specifics. This is more of a drill for future issues. I assume that I would look for artifacts that are listed in the /run, /runonce, /service, prefetch files.

Prefetch files indicate that you're looking at a Windows XP system.

Also, before assuming that you want to look at the mentioned Registry keys, be sure that you understand how they fit into the overall operation of the OS, how they're modified, etc.

> What kind of windows logging would I be looking for? So if this was an IIS server I might be looking at application logs or the windows application logging feature, but what about workstations. I guess security logging for brute force attacks. Any other suggestions? Again I am just trying to see the different ways to do forensics w/ a static image verse a live image.

Well, I'd suggest that you start from the perspective of having two piles…one is all of the things you can look to in a Windows system, and the other is your 'hack'.

The answer to your question is somewhat encyclopedic…which is why I'm glad Barry pointed you to my book. Take your question on logs, for example…I usually start by using RegRipper to extract the Registry hive files from the image, and then determine if EventLog auditing is enabled, and if so, to what degree. That's a quick and easy way to get your question answered. If there's possibly something of interest, I use evtrpt to give me an overview of what event sources and IDs are available, and what the date range of events is. RegRipper gives me a great deal of additional information from the Registry.

Your question of application logs depends on what applications are on the system. IIS logs are good…depending upon the situation. For example, if someone brute forced an account, and you're not auditing for successful or failed logins, that's no good…and IIS logs may be no good or useless as well. By default, the XP firewall doesn't log. By default, MS SQL Server doesn't log a great deal.

> Also would I be able to put that dd image (or what ever was used to image the drive) into Vmware? Or can I just mount it as a share and then conduct live analysis on the image?

Well, like Barry said, there's LiveView. But you need a password to be able to log in.

You might want to check out this blog entry for other options, such as mounting the image as a read-only file system rather than booting it:
http://windowsir.blogspot.com/2007/03/mounting-dd-image.html

If you have any additional (and specific questions) please feel free to reach out.

h


   
ReplyQuote
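Harlan's answer describes two steps on an extracted event log: an overview of which sources and event IDs are present and over what date range (what he uses evtrpt for), and then asking whether the auditing in place would even show a brute-forced account. The following is an added example that is not evtrpt, RegRipper or any code from the thread; it assumes the Security log has already been exported to a simplified CSV (columns time, source, event_id, account, workstation) and uses the XP-era event IDs 528 (successful logon), 529 (logon failure) and 517 (audit log cleared). The log lines are constructed for the example.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Windows XP / Server 2003 Security log event IDs (pre-Vista numbering).
LOGON_SUCCESS = 528
LOGON_FAILURE = 529
AUDIT_LOG_CLEARED = 517

# Constructed sample export; timestamps are UTC.
SAMPLE_EXPORT = """\
time,source,event_id,account,workstation
2007-03-14 22:58:01,Security,529,Administrator,UNKNOWN-HOST
2007-03-14 22:58:09,Security,529,Administrator,UNKNOWN-HOST
2007-03-14 22:58:17,Security,529,Administrator,UNKNOWN-HOST
2007-03-14 22:58:26,Security,529,Administrator,UNKNOWN-HOST
2007-03-14 22:58:34,Security,529,Administrator,UNKNOWN-HOST
2007-03-14 22:58:41,Security,528,Administrator,UNKNOWN-HOST
2007-03-15 08:02:10,Security,528,jake,WKS-JAKE
2007-03-15 08:40:55,Security,529,jake,WKS-JAKE
2007-03-15 08:41:03,Security,528,jake,WKS-JAKE
2007-03-15 09:15:00,Security,517,Administrator,WKS-JAKE
"""


def parse_export(text):
    """Turn the CSV export into a list of dicts with typed fields."""
    records = []
    for row in csv.DictReader(StringIO(text)):
        records.append({
            "time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
            "source": row["source"],
            "event_id": int(row["event_id"]),
            "account": row["account"].lower(),   # Windows account names are case-insensitive
            "workstation": row["workstation"],
        })
    return records


def summarize(records):
    """Source/ID counts, date range and any log-cleared events: the evtrpt-style overview."""
    counts = Counter((r["source"], r["event_id"]) for r in records)
    times = [r["time"] for r in records]
    cleared = [r["time"] for r in records if r["event_id"] == AUDIT_LOG_CLEARED]
    return {"counts": dict(counts), "first": min(times), "last": max(times),
            "log_cleared": cleared}


def failed_logon_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Accounts with >= threshold 529 events inside one window, and whether a 528
    for the same account follows within the window (a guess that succeeded)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for r in records:
        if r["event_id"] == LOGON_FAILURE:
            failures[r["account"]].append(r["time"])
        elif r["event_id"] == LOGON_SUCCESS:
            successes[r["account"]].append(r["time"])
    hits = {}
    for account, times in failures.items():
        times.sort()
        best, best_end, start = 0, None, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window start forward
                start += 1
            if end - start + 1 > best:
                best, best_end = end - start + 1, t
        if best >= threshold:
            success_after = any(best_end <= s <= best_end + window
                                for s in successes[account])
            hits[account] = {"failures": best, "success_after": success_after}
    return hits


if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    overview = summarize(recs)
    print(f"{overview['first']} .. {overview['last']}")
    for (source, event_id), n in sorted(overview["counts"].items()):
        print(f"  {source:<10} {event_id:>4}  x{n}")
    for when in overview["log_cleared"]:
        print(f"  audit log cleared at {when}")
    for account, info in failed_logon_bursts(recs).items():
        print(f"  {account}: {info['failures']} failures in window, "
              f"success after: {info['success_after']}")
```

The point of the second function is the one Harlan makes: it only finds anything if logon auditing was on when the events happened. If the Security hive shows failure auditing disabled, an empty result from this script is absence of logging, not absence of the activity, and the 517 entry is the other thing to look for, because an attacker clearing the log leaves exactly one event behind.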
(@jakeaw03)
Trusted Member
Joined: 17 years ago
Posts: 65
Topic starter  

keydet89 and bgrundy,

Thanks for your information, that is exactly what I was looking for.

Jake


   
ReplyQuote
Share: