Hello!
Background
My office has a 4-month backlog. We are discussing some alternatives for how to reduce it. 95 % of the computers are Windows XP or newer.
Possible solution
A live CD (forensically sound) to boot the suspect computer with. The only task is to present when the computer was last shut down (extracted from the registry or event log).
If the date is out of the scope for the investigation, the computer is discarded (a calculated risk is taken) as evidence.
Question
Is there such a product, or something close to it? I have tried some triage software with varying success. Is there a more intelligent way to reduce the backlog without too much work?
Many thanks in advance
Best regards
//D
Is this just a backlog in general for multiple types of investigations, or is it specific to one type of examination like CP or something else?
The cases are mostly related to narcotics and contraband.
The computers are not the most important evidence. There is nearly always another seizure (i.e. drugs) involved. My department only works with CP when it is classified as contraband (physically moved across a border).
//D
I have developed my own system for dealing with the backlogs, it runs off CD, USB or can be installed to a workstation to deal with loose hard drives.
Basically you boot the suspect system, launch the program, then attach an external drive for all the output to be sent to. The program aggressively goes after graphic and movie files; it uses file signature checks, analyses various file archives such as zip, rar, .iso etc., decodes any email attachments, and everything is exported to the hard drive. It also runs a number of routines to try and identify encrypted data (and recover any potential encryption keys). It does some keyword searching through the MFT/FAT/inode table, web history, P2P client history files and some other structures.
It also creates a summary report on what it finds; one of the things it does report is the last shutdown time for Windows machines (this data is taken from the registry).
The system is designed for IIOC jobs, although there is a module for our asset recovery team. The problem for you would be that you have to run the whole program, which will take several hours.
I 'should' be able to create a program that does just the last shutdown time and remaster the disk; however, it will take me a few days to sort out.
PM me and I will see what I can do.
Check out Harlan Carvey's excellent RegRipper (http://regripper.net/).
It's free and excellent!
However, if you want a total triage solution: we produce a forensically sound tool (SPEKTOR Forensic Intelligence) that is touch-screen driven and designed to enable very fast yet comprehensive forensic triage in the field or lab. It handles computers, loose hard disks, USB/Firewire devices, memory cards, cell phones and GPS devices. Check out
Relevant example output:
Computer Name: ***
Last shutdown time: Mon Feb 14 10:41:52 2011 (UTC)
Username: Fred
Full Name: *******
Last Login Date: 10/01/2011 17:09:35
PWD Reset Date: 21/05/2008 07:52:20
PWD Fail Date: 16/11/2010 17:04:48
Login Count: 217
Bear in mind that the ShutdownTime is the last CLEAN shutdown. If the user decided to just switch off or pull the plug, you need to look a bit deeper, perhaps at event logs.
I would second the use of RegRipper as well.
Another alternative would be to use ADF-Triage from
ADF Solutions, or you could just remove the drive(s), preview them in EnCase, open the SYSTEM hive and look at the ShutdownTime key.
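The ShutdownTime value mentioned above (SYSTEM hive, ControlSet00N\Control\Windows\ShutdownTime) is an 8-byte little-endian Windows FILETIME, and the triage decision described in the opening post is just "is that timestamp inside the investigation window?". The following is an added example, not code from any poster or from RegRipper or EnCase: it decodes a FILETIME and applies the scope check, carrying the caveat from the thread that the value only records the last clean shutdown. The 8-byte sample value is constructed here to match the "Mon Feb 14 10:41:52 2011 (UTC)" example output posted earlier; the function names and the scope window are my own assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offset between the FILETIME epoch (1601-01-01) and the Unix epoch, in seconds.
EPOCH_DIFF_SECONDS = 11_644_473_600


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode the 8-byte REG_BINARY ShutdownTime value into a UTC datetime.

    FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
    """
    if len(raw) != 8:
        raise ValueError("ShutdownTime must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    # Integer division by 10 turns 100 ns ticks into microseconds.
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of the above; used only to build a constructed sample value."""
    seconds = (dt - datetime(1970, 1, 1, tzinfo=timezone.utc)).total_seconds()
    return struct.pack("<Q", int((seconds + EPOCH_DIFF_SECONDS) * 10_000_000))


def triage_decision(shutdown_utc: datetime, scope_start: datetime, scope_end: datetime) -> str:
    """Return 'retain' when the last clean shutdown falls inside the investigation
    window, otherwise 'discard-candidate'.

    A shutdown time before the window does NOT prove the machine was idle: a
    power pull or crash leaves ShutdownTime stale, so the 'discard-candidate'
    verdict is the calculated risk the opening post describes and should be
    cross-checked against event logs before a machine is actually dropped.
    """
    if scope_start <= shutdown_utc <= scope_end:
        return "retain"
    return "discard-candidate"


# Constructed sample: the FILETIME for Mon Feb 14 10:41:52 2011 UTC, i.e. the
# example output quoted in this thread (0x1CBCC4B3 bytes, as it would appear in the hive).
SAMPLE_SHUTDOWN_TIME = datetime_to_filetime(datetime(2011, 2, 14, 10, 41, 52, tzinfo=timezone.utc))

# Hypothetical investigation window for the demonstration.
SCOPE_START = datetime(2011, 1, 1, tzinfo=timezone.utc)
SCOPE_END = datetime(2011, 3, 1, tzinfo=timezone.utc)


def demo() -> str:
    shutdown = filetime_to_datetime(SAMPLE_SHUTDOWN_TIME)
    return triage_decision(shutdown, SCOPE_START, SCOPE_END)


if __name__ == "__main__":
    decoded = filetime_to_datetime(SAMPLE_SHUTDOWN_TIME)
    print("Last clean shutdown:", decoded.strftime("%a %b %d %H:%M:%S %Y (UTC)"))
    print("Triage decision:", demo())
```

Feed `filetime_to_datetime` the raw bytes of the ShutdownTime value from a copy of the SYSTEM hive (exported from EnCase or any hive parser); if the verdict is "discard-candidate", treat that as a prompt to check the System event log for an unclean shutdown before dropping the machine, as the earlier reply warns.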
Well this is getting boring, but
I second the use of ADF-Triage, especially when dealing with multiple systems; it can save a lot of time. It does need some extra work before deployment (creating search packs), so you need to have at least an idea of what you're looking for (certain words, pictures, documents, whatever).
- Roland
Take a look at this product - http//