CHAPTER 7
Live vs. Postmortem Forensics
We’ll Cover
 
image   Advantages and risks of live forensics
image   When live forensics is the best option
image   Tools for live forensics
image   Advantages and risks of postmortem forensics
image   Postmortem memory analysis
 
Traditionally, and as this book recommends, postmortem forensics is the usual way to perform a forensic examination. Postmortem is a low-risk proposition for most investigators, who are typically trying to solve crimes that happened in the past 6 to 12 months. However, with the growth of incident response methods and investigations of activity as it is occurring, the advantages of live forensics are swaying many examiners in that direction. A large and growing debate in the computer forensic and incident response community is focused on the advantages and disadvantages of live system forensics versus postmortem forensics. This chapter covers the pros and cons of both approaches and some live forensics–specific tools and techniques.
LINGO
As the name implies, during a live forensics examination you are examining a running system. In a live forensic scenario, you log into the system (if you are not already logged in), attach an external storage device or a network storage location, and begin dumping data from the running system. The main additional evidence in a live forensics examination, beyond the hard drives, is the content of system memory: running processes, open network connections, loaded drivers, and any keys or credentials that exist only while the machine is up. This information is lost once the machine is powered off, so live forensics is the best way to access it.
LINGO
Postmortem forensics refers to the examination of a “dead” computer. Postmortem forensics indicates that at the time the evidence was captured, the system was powered off. The evidence you are reviewing is from a powered-off system.
Live Forensics
The biggest advantage of live forensics is that it offers the examiner the ability to capture the information stored in memory. Using the tools detailed in this chapter, you can preserve the contents of the running system’s memory and map those contents back to the programs that stored them. Two scenarios benefit the most from live memory analysis. The first is malware that resides only in memory; without live memory preservation, you may never find it. The second is the chance to recover authentication credentials and encryption keys that are loaded in memory.
Live forensics can pose high risks, depending on the precautions you take. For example, if you are preparing to perform live forensics on a system and you cannot disconnect it from the network, you risk an external user wiping information from the system before you can preserve it.
Another major risk in live forensics concerns the tools you run and the actions you take, which also affect what is retrievable. Every tool you load consumes memory: the pages it occupies may have held data from processes that had already exited, and under memory pressure the kernel pages other data out, changing the page file. If you save output to the local disk, you overwrite unallocated space and therefore potentially recoverable deleted files. Smaller tools and external output media reduce both effects.
Always consider the impact of your tools on the system and what your ultimate goal in recovery is to determine whether these risk factors are relevant to your investigation. Also make sure to document every tool you ran, the order you ran them in, and the time you ran each one, because you will need to show what changes your actions made to the system.
In Actual Practice
If you are performing live forensics as part of incident response, you are most likely not interested in all the deleted data on the system. Instead, you are more concerned about what rootkits and other malware have been loaded onto the system, which memory analysis can reveal. When you know that deleted files are not going to be critical to your examination, or that litigation will not follow your investigation, you do not have to be as concerned about the changes you have made to the system during your live forensic review.
Just because you are examining the system live does not mean you shouldn’t preserve a forensic image of the system. Being able to preserve the system as it stands in both memory and storage allows you to go back and look deeper if this is required in the future.
image Caution
Remember that if you are going to preserve evidence, do it before you begin your analysis; otherwise you will be changing files and dates you will want to rely on later.
When Live Forensics Is the Best Option
In several scenarios, live forensics becomes a better option than postmortem forensics.
image Caution
If we don’t list a scenario you are facing and that you are considering using live forensics for, don’t assume that you shouldn’t continue down a live forensics path. Use your best judgment, and, when possible, inform whoever is requesting you to do the work of the risks involved in live forensics to make sure they understand them before authorizing you to use these techniques.
Live Imaging
If you are looking to investigate a production server but are mainly interested in postmortem analysis, you can make a forensic image of the live system; we call this live imaging. Live imaging is ideal, for example, when you are working with a system holding a large volume of data that cannot be taken offline for the time you need to image it forensically. In those cases, the burden of loss from the system being down outweighs the traditional benefits of powering off the system and creating a forensic image. Other valid scenarios include RAID or SAN storage that would be too difficult to re-create offline, or storage for which your bootable forensic media has no drivers, so that you cannot access it as a complete disk from a forensic boot environment.
When performing live imaging, run your tools from external storage and write your evidence to external storage (or a network location) as well, to minimize your impact on the system. Record the start and end time of the acquisition: the file system keeps changing while you copy it, so a live image is a best-effort snapshot rather than an exact, repeatable copy, and its hash will not match a later image of the same disk.
LINGO
When we discuss burden here we mean it in the legal sense of the word. A court will usually not make you perform a task that is too burdensome to bear, unless there is no other option and the likelihood that it will deliver evidence relevant to the case is high. In the case of live imaging, the burden of downtime in a production environment is a good reason not to follow traditional methods, and that counts even in court.
Incident Response
When you are working an incident response case, live forensics is really your only option. The only way to track down an attacker who is active on your network is to use live forensics to analyze memory and track network activity. In these cases, postmortem forensics may be something you do after the incident is over, but live forensics is the standard for your analysis.
Malware Analysis
Malware analysis requires live forensics as well. Oftentimes you must quickly understand what a piece of malware is doing, and for that you need to inspect system memory, which is best captured with live forensics tools. Once you have captured the system memory, you can parse it with third-party tools running outside the infected system, where the malware’s hiding techniques no longer apply, and find the files it touches and the actions it takes.
LINGO
Incident response is becoming a broad term that is used to refer to any activity for which you are starting an investigation in immediate reaction to a perceived security incident. Incident response follows, for example, a network breach by an external hacker, a situation in which targeted malware is threatening your systems, or a virus outbreak or a network outage. Many times when incident responders describe their work, they call it “DFIR,” which stands for digital forensics and incident response and shows that they live on both sides of the fence. When I talk about incident response in this book, I am usually referring to external attackers.
Encrypted Systems
If you are dealing with an encrypted file system, live forensics can offer you two advantages. First, some full-disk encryption packages will provide fully decrypted physical disk access once credentials are accepted; this means you can live image the decrypted disk without having to obtain the encryption keys. Second, there is a chance that the encryption package has kept the encryption keys in memory, which you can extract with live forensics and memory analysis.
LINGO
With full disk encryption, the entire storage device is encrypted; this includes the partition tables and the free space of the drive. The only way to get access to the decrypted contents of the drive is to live image it or get access to the key or escrow key to decrypt it afterward. Both FTK and EnCase provide support to load encryption keys from most manufacturers for on-the-fly decryption.
In Actual Practice
Newer versions of full-disk encryption software show the physical disk as encrypted even when the system is booted into the operating system. In those cases, there is no getting around having to decrypt the image afterward if you are going to create a full forensic image.
Nonsupported File Systems
Suppose, for example, that an investigation leads you to a legacy system with data you need to review on a file system that no forensic tool supports. You could create a forensic image of the disks, but other than being able to perform a keyword search or carving for known file types, you won’t be able to see the structure of the file system. In such situations, live forensics allows you to make a backup of the system to an intermediary form (tape, zip, tar, and so on), depending on what the operating system supports. This is often the only way to preserve data in a reviewable form from these systems.
There are exceptions to every rule, of course. If the operating system stretched the file system across multiple drives in a volume storage pool, even carving may have limited success, since the data could be written across multiple disks.
In Actual Practice
Sometimes what becomes a legacy nonparsable file system will suddenly be supported. Such is the case of IBM’s Journaled File System 1 (JFS1), the non–open source variant of JFS (JFS2 is open source and widely supported). JFS1 was the default file system for AIX, and until the last few years, it was not supported by anything other than another AIX system. Since then, EnCase now offers support for JFS1. The lesson here: make sure to keep up with current tool capabilities to find out if legacy systems might actually have forensic tool support.
Enterprise Forensic Tools
Your forensic software vendor might not come out and say it, but any enterprise forensic tool that deploys agents to remote systems to collect data is doing live forensics. You will hear arguments that this tool is slightly different from standard live forensic methods since the tool is preloaded, and thus its execution does not change the system radically, but its methods of access and the risks associated with live forensics all apply.
image Note
Enterprise forensic tools can include any type of forensic tool that can access devices over the network and pull forensic images and other types of data. A few examples of these are EnCase Enterprise, AccessData Enterprise, and Paraben P2 Enterprise Edition (P2EE).
Tools for Live Forensics
I’ve talked about the need for live forensics and when it’s most appropriate to use it, but I haven’t really talked about how to take advantage of live forensic techniques. The main advantage of live forensics is that it offers you the ability to gather data that you normally wouldn’t have access to, specifically the system memory of the running device. This section discusses how to preserve the system memory, several tools that can analyze system memory dumps, as well as other live forensic utilities that you will find helpful. I do not go into depth on procedures or techniques for memory analysis, because that is a much wider topic covered by other books, blogs, and web sites.
Memory Dumping
Before you can analyze the memory from a running system, you need a way to extract it out of the system and into a file. Every operating system has a different method to provide access to the system memory, so this section details tools that can accomplish this for each operating system. Access to physical memory is restricted to privileged accounts, so you must be logged in as the administrator, root, or superuser to dump memory from most operating systems.
image Tip
Always remember to match your memory dumping tool with the addressing scheme of the operating system. For instance, if the operating system is 64-bit, make sure the memory dumping tool you choose to run in it is also 64-bit if you want to create a full memory dump.
Windows   Once you have administrator access to the system, you can acquire the system memory using a variety of tools. As long as a tool writes the system memory in a raw format, any of the analysis tools discussed later can read its output. Note that no two dumps of a running system are identical: memory changes while it is being read, so an acquisition is a smear across the seconds or minutes it takes, not an instantaneous snapshot. Which tool you use will depend on the version of Windows you are dealing with and which interface you feel comfortable with.
 
image   Memoryze   Memoryze is a free but not open source tool from Mandiant that is actively being developed. Memoryze can not only acquire a memory dump, but it can also analyze it. You can download it here: http://www.mandiant.com/resources/download/memoryze.
image   Mdd   Mdd, or Memory DD, is an open source tool from ManTech that allows you to capture the system memory. However, the tool is no longer updated as of 2009 and may not support newer operating systems. It can be downloaded at http://sourceforge.net/projects/mdd.
image   DumpIt   DumpIt by MoonSols is the current replacement for win32dd and win64dd by the same author. It requires no configuration or switches; just run the program and obtain a full image of the running memory. You can download it here: http://www.moonsols.com/ressources/.
image   FTK Imager   Not only can AccessData’s FTK Imager acquire a physical image of a hard drive, it can also capture the system memory into a raw file. You can download it here: http://accessdata.com/support/adownloads.
Linux   In earlier versions of the Linux kernel, you could just use dd to copy the contents of /dev/mem, although many advised against this. Since the 2.6 kernel, distributions restrict that device (the CONFIG_STRICT_DEVMEM option limits it to the first megabyte and to non-RAM regions such as PCI memory), and /dev/kmem has been disabled by most distributions and removed from the kernel altogether in 5.13, so we need other tools to gain access to system memory.
 
image   Fmem   Fmem is free and open source. When compiled, it produces a loadable kernel module that creates a device named, you guessed it, /dev/fmem. Once the device exists, you can use dd to image it as you would any other device, giving dd a block size and a count that cover the machine’s physical memory (see the fmem README for the exact invocation). The module must be built against the exact kernel version running on the target, so build it beforehand on an identical system, or carry the matching kernel headers on your toolkit, rather than compiling on the evidence machine. You can download it here: http://hysteria.sk/~niekt0/foriana/fmem_current.tgz.
image   Second Look   Second Look is a commercial product from Raytheon that is unique in that it can acquire memory locally or over the network. The network functionality adds a dimension to Second Look that may make the price worth it, depending on your environment and need. You can find out more about it here: http://www.pikewerks.com/sl/.
Memory Analysis
Now that we have the memory dump, we can analyze it. Like the tools mentioned so far, memory analysis tools come in various states of license and cost, but all of them work from the same raw data, so the basic facts (running processes, loaded modules, network connections) should agree between tools. What differentiates them is the level of automation for flagging areas of memory that are known problems or known to be of interest to an examiner, and how many operating system versions their profiles cover.
 
image   Volatility   Volatility, from Volatile Systems, is a popular and free framework for memory analysis. The community behind Volatility is constantly increasing the capabilities of the tool. If you are looking for a hands-on analysis framework, Volatility may be your best choice. You can download it here: https://www.volatilesystems.com/default/volatility.
image   FTK   FTK, discussed throughout the book, also offers a memory analysis function. You can load in the dump created by FTK Imager into FTK and visualize processes to memory locations for quick review.
image   Memoryze   Memoryze not only captures RAM, but it provides tools for analysis as well. The Memoryze community is largely focused on incident response and malware analysis, but standard forensic investigations are also supported.
Live Imaging Tools
I’ve talked about memory analysis, but that is only half of what I would recommend you preserve in a live forensic investigation. If you are going to capture the memory of a running system, you should also capture the contents of the physical disk. Having this data can help you establish a key fact, or recover a deleted log or a sniffer log left behind by malware. Two tools are useful for live imaging.
image Caution
If you do not trust the system you are analyzing (for example, you think an attacker or suspect may have replaced the standard binaries with his own tools), call tools such as dd only from a statically compiled toolkit on your own CD, thumb drive, and so on, and invoke them by full path so that a trojaned copy earlier in the PATH is never picked up.
 
image   FTK Imager Lite   FTK Imager offers a version called FTK Imager Lite that was made for live imaging situations. It’s packaged not to be installed, but to be run from external storage devices. If you are live imaging a Windows system, you’ll like FTK Imager Lite. You can download it from http://accessdata.com/support/adownloads.
image Note
You must be logged in as an administrator to access the physical disks in Windows.
 
image   dd   If you are live imaging a Linux system, nothing beats standard dd. There are a few variants, such as the popular dcfldd (which adds on-the-fly hashing), but dd comes standard on almost all Linux distributions. This means you do not have to add any software to the system and can write your forensic image to any available network or external storage location. Use conv=noerror,sync so that an unreadable sector is padded with zeros instead of aborting the copy or shifting every later offset, and pipe the output through a hashing tool as you write it so you can prove the image later without re-reading the original.
image Note
You must be logged in as root to access physical disks in Linux.
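The Fmem entry earlier in this section and the dd entry above come down to the same acquisition step: a dd copy whose block size, offsets and count the examiner has to choose, followed by a hash that can be defended later. The script below is an added example, not code from the book or from the fmem project. It assumes a Linux host with the fmem module already loaded and evidence media mounted, and it reads the “System RAM” ranges from /proc/iomem so that the RAM image contains only physical memory, laid out at its real physical offsets with the PCI hole left as zeros, which is the layout raw-format memory analysis tools expect. The /proc/iomem excerpt it embeds is constructed for illustration, not taken from a real machine, and DD is a hypothetical variable you point at the statically compiled dd on your own toolkit when the host’s binaries are not trusted.

```shell
#!/bin/sh
# Added example (not from the book): acquire Linux RAM through /dev/fmem and a
# disk through dd, taking the RAM layout from /proc/iomem and hashing output.
# Assumptions: fmem module loaded, evidence written to external media, and a
# toolkit dd available at $DD if the host's own binaries are not trusted.

DD=${DD:-dd}        # e.g. DD=/mnt/ir/bin/dd for a statically compiled copy
PAGE=4096           # /proc/iomem ranges are page aligned on x86

# sha256 of stdin with whichever tool the toolkit provides
hash_stream() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi
}

# Print each "System RAM" range of an iomem table as "<start> <end>" in bytes,
# end exclusive. read(1) drops the leading spaces of nested entries for us.
ram_ranges() {
  while read -r range colon rest; do
    [ "$rest" = "System RAM" ] || continue
    start=${range%-*}; end=${range#*-}
    echo "$(( 0x$start )) $(( 0x$end + 1 ))"
  done < "${1:-/proc/iomem}"
}

# Highest RAM-backed physical address in whole MiB: the count= you would give
# a single "dd if=/dev/fmem bs=1048576" run, which has to stop somewhere.
ram_extent_mib() {
  top=0
  for e in $(ram_ranges "$1" | cut -d' ' -f2); do
    if [ "$e" -gt "$top" ]; then top=$e; fi
  done
  echo $(( (top + 1048575) / 1048576 ))
}

# Copy every System RAM range into a raw image whose file offsets equal
# physical addresses; holes such as the PCI window stay zero (sparse), which
# is what raw-format memory analysis tools expect. Then hash the image.
acquire_ram() {
  iomem=$1; memdev=${2:-/dev/fmem}; out=$3
  : > "$out"
  ram_ranges "$iomem" | while read -r s e; do
    "$DD" if="$memdev" of="$out" bs=$PAGE skip=$(( s / PAGE )) seek=$(( s / PAGE )) \
      count=$(( (e - s) / PAGE )) conv=notrunc 2>>"$out.log"
  done
  hash_stream < "$out" | cut -d' ' -f1 > "$out.sha256"
}

# Image a block device. conv=noerror,sync keeps going past a bad sector and
# pads it with zeros so later offsets stay correct; the hash is taken from the
# same stream that is written, so the target never has to be read twice.
# Keep bs a divisor of the device size: sync pads a final partial block.
acquire_disk() {
  src=$1; out=$2; bs=${3:-512}
  "$DD" if="$src" bs="$bs" conv=noerror,sync 2>"$out.log" |
    tee "$out" | hash_stream | cut -d' ' -f1 > "$out.sha256"
}

# Recompute an image's hash and compare it with the sidecar written at
# acquisition time; exit status 0 means the image is unchanged.
verify_image() {
  [ "$(hash_stream < "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

# Constructed /proc/iomem excerpt of a 5 GiB x86 guest (assumption, for testing).
write_sample_iomem() {
  cat > "$1" <<'EOF'
00000000-00000fff : Reserved
00001000-0009fbff : System RAM
0009fc00-0009ffff : Reserved
000a0000-000bffff : PCI Bus 0000:00
00100000-bffdffff : System RAM
  01000000-01a00000 : Kernel code
bffe0000-bfffffff : Reserved
c0000000-febfffff : PCI Bus 0000:00
fee00000-fee00fff : Local APIC
100000000-13fffffff : System RAM
EOF
}

# On a live host (as root, with evidence media mounted at /mnt/evidence):
#   acquire_ram  /proc/iomem /dev/fmem /mnt/evidence/ram.raw
#   acquire_disk /dev/sda /mnt/evidence/sda.dd
#   verify_image /mnt/evidence/sda.dd && echo "image hash matches sidecar"
```

The sidecar hash proves that the image has not changed since you wrote it; it does not, and cannot, prove that the image matches the live disk, which kept changing during the copy. Keep the dd log next to the image: its records in/out lines are your record of how many blocks were padded by conv=sync.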
Postmortem Forensics
The biggest advantage of employing postmortem forensics is its low risk. When you are doing any type of preservation or examination of a dead or powered off system, there is no risk that an external threat can change or destroy the system you are trying to preserve or examine. In addition, postmortem forensics typically requires no knowledge of a password or other credentials to access the system, unless the drive is encrypted.
In Actual Practice
Having said this, there are risks in postmortem analysis. The biggest risk occurs during the forensic imaging process, when the original evidence can be modified; a hardware write blocker between the evidence drive and your workstation is the standard precaution. Even after you have captured 100 forensic images, all it takes is one careless action to inadvertently modify number 101. When you are performing live forensics, people understand and accept that changes will be made to the disk before and during imaging. When you are forensically imaging a powered-off system, any change will be much more heavily scrutinized; that is not to say the evidence is no longer valid, but it does certainly require much more to defend it.
Postmortem Memory Analysis
So you want all the additional information that memory analysis gives you, but you are stuck with a powered-off system, or the events you are investigating occurred in the past? Worry not, because there are two major sources of offline memory stored for your review: core dumps and hiberfil.sys.
Core Dumps
Core dumps in both Windows and Linux can be loaded or converted into most memory analysis tools. Core dumps are created when an application error occurs and the application can no longer continue. In an attempt to help the developer diagnose the error, the system writes the contents of memory to a file on the disk. In Windows, look for files with a .dmp extension, but be aware of what each one holds: a user-mode crash dump written by Windows Error Reporting contains only the crashing process, a kernel crash writes %SystemRoot%\MEMORY.DMP (or a small minidump under %SystemRoot%\Minidump), and only a system configured for a complete memory dump writes all of physical RAM. In Linux, look for files named core or core.<pid>; the kernel.core_pattern sysctl controls where they are written, and on systemd distributions they are usually collected (compressed) under /var/lib/systemd/coredump.
Hiberfil.sys
On any Windows system on which hibernation is enabled, a file called hiberfil.sys exists in the root of the system drive, and each time the machine hibernates it is overwritten with a compressed but complete copy of system memory at that moment. On Windows 8 and later, Fast Startup also writes it during an ordinary shutdown, after users have been logged off, and a reduced hiberfile holds only the kernel session, so the file may not contain the user processes you are looking for. To access it as a standard memory dump, you have to convert it first; the Volatility Framework and other software tools such as those provided by MoonSols can help you do this. Make sure that you match the version of Windows and its type (32-bit or 64-bit) to the tool you are using, so that it supports the hiberfil.sys you are trying to convert. Once the file is converted, you can load it into any of the memory analysis tools mentioned in this chapter.
image Tip
This book focuses on postmortem forensics, but that does not mean that you shouldn’t learn more about live forensics. If reading this chapter has whetted your appetite to learn more about live forensics, check out Incident Response and Computer Forensics, Second Edition (McGraw-Hill, 2003). You’ll also find a growing number of books, web sites, and blogs, such as the SANS blog mentioned in Chapter 2, dealing with the subject. SANS forensic courses also highlight these topics.
We’ve Covered
Advantages and risks of live forensics
 
image   Live forensics makes it possible to capture the information stored in memory.
image   You have to manage the risks that come with live forensics.
image   You learned how to decide when to use live forensics.
When live forensics is the best option
 
image   Use live forensics in incident response.
image   Analyze malware using live forensics.
image   Deal with encrypted systems and live imaging.
Tools for live forensics
 
image   Capture system RAM with live forensics.
image   Manage the capturing of RAM in different operating systems.
image   Create forensic images of live systems.
Advantages and risks of postmortem forensics
 
image   Postmortem forensic imaging is low risk.
image   You can perform log and attacker toolkit recovery with postmortem forensics.
image   You can understand an attacker’s past actions with postmortem forensics.
Postmortem memory analysis
 
image   You learned how to get access to the past states of memory in postmortem forensics.
image   You learned how to identify Windows and Linux memory dump locations and names.
image   You learned about getting access to RAM dumps made when a running system hibernates.