Acquiring non-volatile evidence

Although there is a great deal of data running in memory, it is still important to acquire the hard drive from a potentially compromised system. There is a great deal of evidence on these devices, even in the case of malware or other exploitation. Hard drive evidence becomes even more important when examining potential incidents such as internal malicious action or data loss. To ensure that this evidence is available and can be utilized in a court of law, incident responders should be well versed in the procedures we've discussed in this chapter.

In certain circumstances, incident responders may want to acquire two key pieces of data from suspected compromised systems before shutting down a running system. While not volatile in nature, the registry keys and event log files can aid analysts during their investigation. Acquiring these files from an imaged hard drive is largely dependent on the time that's needed to image and then process the entire hard disk drive. As a result, there are a few techniques that can be leveraged to acquire these key pieces of evidence.

In the event that analysts have access to the system, they can utilize the command line to access the log files by running the following command:

C:\> wevtutil epl <Log Type> E:\<FileName>.evtx

This command can be repeated for security, application, and system logs.
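The same export carried out for all three logs at once, as an added example that is not from the book: it runs `wevtutil epl` for each log into a per-host evidence folder and writes a SHA-256 manifest so the exported files can later be shown to be unaltered. The evidence drive `E:\Evidence` is an assumed path.

```powershell
# Added example (not from the original text): export the Security, Application and
# System logs with "wevtutil epl" and hash the results. E:\Evidence is an assumption.
$EvidenceRoot = 'E:\Evidence'
$Stamp        = Get-Date -Format 'yyyyMMdd_HHmmss'
$OutDir       = Join-Path $EvidenceRoot ("{0}_{1}" -f $env:COMPUTERNAME, $Stamp)

# Exporting the Security log requires an elevated shell; stop early if we lack it.
$Identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$Principal = New-Object Security.Principal.WindowsPrincipal($Identity)
if (-not $Principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell session so the Security log can be exported.'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# epl = export-log. Each channel is written to its own .evtx in the evidence folder.
$Logs = @('Security', 'Application', 'System')
foreach ($Log in $Logs) {
    $Target = Join-Path $OutDir ("{0}.evtx" -f $Log)
    & wevtutil.exe epl $Log $Target
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("wevtutil failed for {0} (exit code {1})" -f $Log, $LASTEXITCODE)
    } else {
        Write-Host ("Exported {0} -> {1}" -f $Log, $Target)
    }
}

# Hash every export and record the values alongside the files. Re-hashing later
# and comparing against this manifest demonstrates the evidence was not modified.
$Manifest = Join-Path $OutDir 'hashes.sha256'
Get-ChildItem -Path $OutDir -Filter '*.evtx' |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "{0}  {1}" -f $_.Hash, (Split-Path $_.Path -Leaf) } |
    Set-Content -Path $Manifest -Encoding ascii

Write-Host ("Hash manifest written to {0}" -f $Manifest)
```

Note the exported channel files on a live system are also copied by the FTK Imager procedure below only if you select them explicitly; this script covers the event logs only.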

FTK Imager also allows for the capture of registry key settings and other information that can aid in an investigation. Let's take a look:

  1. Open FTK Imager and navigate to the File tab.
  2. Click on Obtain Protected Files. The following dialog box will appear:

  3. Click on Browse... and navigate to the evidence file location.
  4. Next, click the radio button for Password recovery and all registry files and click OK. Once the tool completes, the registry and password data will be transferred to the evidence folder. This command directs FTK Imager to obtain the registry files needed to recover the system passwords. These include the user, system, SAM, and NTUSER.DAT files. From here, analysis can take place before the imaging process, which allows for a more rapid response to an incident.