When you do forensics, try doing everything in off-line mode, usually with external tools, gathering your needed information from a read-only source image.
RAM goes first, as mentioned above.
As for what tool to use, you can do well just running a few pieces of code that are probably already on the system, for example REG.EXE and WEVTUTIL.EXE; you can get lots of data without leaving (much of) a footprint on the system.
WEVTUTIL QE Security >X\security.log
WEVTUTIL QE System >X\system.log
WEVTUTIL QE Application >X\application.log
REG EXPORT HKCU X\hkcu.reg
REG EXPORT HKLM X\hklm.reg
Where X is a USB stick or some external media. I wrote such a script today to triage a client computer for a current incident that gathers lots of info from the system using only existing binaries.
If you're collecting WEVTX and Registry data for processing, why not go with collecting them in their native format?
For example, rather than "wevtutil qe", go with "epl". Rather than "reg export", use "reg save". This allows you to then parse and analyze them using tools such as LogParser, RegRipper, etc.
Also, in today's day and age, when working with Windows Vista systems and above, if you're just getting the "big three" Windows Event Logs, you're basically blinding yourself, and tying your right wrist to your left ankle…so…yeah.
Why not try the free Belkasoft Evidence Center trial to see if you discover your needed stuff?!
Yes, you can copy the files to a stick or run them from a different computer.
You collect them in text format if you want to parse them with tools that are good at parsing them but do not support their native format.
It was a sample triage script. When you get a large problem, you triage (hence the name) off USB or by directly connecting to the system. When you have a small problem, you can do proper offline, read-only forensics. Time is a factor.
But I have a doubt: for example, malware could modify reg and wevtutil to corrupt the output from the command, no? Can I copy them from a safe system onto my USB and use the safe versions of them? For example:
move C:\Windows\System32\wevtutil.exe X:\WinBackup\wevtutil.exe
move C:\Windows\System32\reg.exe X:\WinBackup\reg.exe
move X:\wevtutil.exe C:\Windows\System32\wevtutil.exe
move X:\reg.exe C:\Windows\System32\reg.exe
Two things:
1) "move" is NOT "copy".
2) For the same reasons you posted (the possibility that malware corrupts either wevtutil.exe or reg.exe), there is nothing that excludes that the malware ALREADY corrupted them OR that it would corrupt them during the copy operation. As a matter of fact, the hypothetical malware could well be triggered exactly by issuing a "copy" command.
So - theoretically - you should have on an accessible USB stick YOUR OWN (already checked) copy of reg.exe (in a version compatible with the OS at hand), and the same applies to wevtutil.exe (which I believe has additionally, unlike reg.exe, a number of dependencies).
All in all, if you fear that such a malware exists, it would IMHO make more sense to copy the actual .evtx (and Registry) files and analyse them with a third party tool (known to be working and surely not tampered with).
jaclaz
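As an added example (not code from any post in this thread), here is a batch script that puts the thread's points together: the first post's collection to an external drive using only binaries already on the box, the advice to collect in native format with "wevtutil epl" and "reg save" and to take every channel rather than the "big three", and jaclaz's point that the raw files are then analysed offline with a known-good third-party tool. The drive letter X:, the output paths and the elevated prompt are assumptions, not from the thread.

```batch
@echo off
REM Added example, not code from any post in this thread: a triage collector
REM that applies the thread's advice using only built-in Windows binaries.
REM Assumptions: X: is the external evidence drive (placeholder letter) and the
REM script runs from an elevated prompt; the paths below are not from the thread.
setlocal EnableDelayedExpansion
set "DEST=X:\triage\%COMPUTERNAME%"
set "MANIFEST=X:\triage\%COMPUTERNAME%_sha256.txt"
set "ERRLOG=%DEST%\collect_errors.txt"
mkdir "%DEST%\evtx" "%DEST%\reg" 2>nul

REM 1. Every event log channel in native .evtx (wevtutil epl), not only the
REM    Security/System/Application trio. Channel names may contain "/", which
REM    is not allowed in a file name, so it is swapped for "_" in the output name.
for /f "usebackq delims=" %%L in (`wevtutil el`) do (
    set "name=%%L"
    set "name=!name:/=_!"
    wevtutil epl "%%L" "%DEST%\evtx\!name!.evtx" 2>>"%ERRLOG%"
)

REM 2. Registry hives in native binary form (reg save), for RegRipper & co.
REM    reg export would give a text .reg file and lose binary values and
REM    key timestamps. HKCU is saved as the current user's NTUSER hive.
for %%H in (SYSTEM SOFTWARE SAM SECURITY) do (
    reg save "HKLM\%%H" "%DEST%\reg\%%H" /y 2>>"%ERRLOG%"
)
reg save HKCU "%DEST%\reg\NTUSER_%USERNAME%.DAT" /y 2>>"%ERRLOG%"

REM 3. Record a SHA-256 for every collected file so later tampering with the
REM    evidence set can be detected. certutil prints the hash on its second
REM    line and a "CertUtil: ... completed" trailer, which is filtered out.
REM    The manifest lives outside %DEST% so it is not hashed itself.
type nul >"%MANIFEST%"
for /r "%DEST%" %%F in (*) do (
    for /f "skip=1 delims=" %%S in ('certutil -hashfile "%%F" SHA256 ^| findstr /v /i "CertUtil"') do (
        >>"%MANIFEST%" echo %%S  %%F
    )
)
echo Collection written to %DEST%; hashes in %MANIFEST%
endlocal
```

Channels that refuse to export (some analytic/debug channels do, even when elevated) are listed in collect_errors.txt rather than stopping the run.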
Hi,
You should give a try to
Besides being portable, it is really fast and easy to use.
It collects all items listed below:
- RAM Image
- $MFT
- System Information
- Event Logs
- Registry Hives
- Recycle Bin Information
- Screenshots
- Prefetch Files
- WMI Scripts
- Clipboard Content
- DNS Cache
- ARP Table
- IP Routes
- TCP Table
- UDP Table
- Network Adapters
- Hosts File
- $LogFile
- $USNJournal
- AmCache.hve
- PageFile.sys
- Hiberfil Information
- Crash Dump Information
- Network Shares
- System Restore Points
Hi Everyone,
Yesterday we released version
We are working hard to release the TACTICAL Edition at the end of the month with the following features:
- Unlimited Triage / IoC Scan with YARA
- Hash calculation for collected evidence
- Volume encryption detection (software agnostic)
- Detection of time-stomped files
- Custom Content Imaging
We would love to hear your feedback and comments about the above features and also please let us know what features would make your job easier (especially for Law Enforcement people).
Thanks.