Tuesday, February 22, 2011 (Lecture 12)

Living, Breathing, Fleeting, and Changing

At one point in time, I'm sure most forensics involving a computer involved poking and prodding a live system. But, well, then that whole evidence preservation thing got in the way of that gig. It is, you know, nice to have evidence that can be presented later, never mind re-examined and verified. For a time, the mantra was "pull the plug" (or, structured shutdown). And, there is still a lot of good in that approach. But, sometimes a dynamic analysis of a running system can be important. It depends on the case.

If, in planning for a case, the primary goal is to seize long-standing records, there is probably little value in capturing the current activity on a system. In this type of case, it might make sense to "pull the plug" (or structured shutdown). If, however, the plan is to "kick down the doors" and catch someone in the act, whether in law enforcement or corporate incident response, the goal might well be to understand and evidence the user's current activity. This is important in some "hacking" cases as well as many Internet and Internet-originating sex crimes.

If we are interested in the current activity on the system, we now have to balance the interests. "Pulling the plug" will likely lose nearly 100% of the volatile evidence, such as that in the computer's RAM. However, examining a process's volatile memory on a live system invariably destroys some other evidence, such as that which may be stored in a disk's unallocated or slack space.

The proper decision is based on an understanding of the elements of the case, the planned circumstances of the seizure of the evidence, and the actual circumstances of the seizure. The goal should always be to preserve as much evidence, volatile and persistent, as possible, with specific attention to the types of artifacts that are most likely to answer the essential questions about the elements of the matter at hand.


Note: In many jurisdictions, it is unlawful for a private forensics expert to take part in the acquisition of evidence. In these jurisdictions, the acquisition of evidence is the exclusive domain of licensed private investigators or firms. To be clear, I am not discussing law enforcement officers. And, I am not discussing corporate incident response persons examining their company's own assets. I am talking about acquiring evidence in someone else's custody.

So, if you are given a drive, you can analyze it and offer opinions of the artifacts it contains. But, you cannot go, search for, and find the drive yourself. Furthermore, in many jurisdictions, the live analysis of systems, including vulnerability analysis, port mapping, etc., as part of an investigation is also the exclusive domain of licensed private investigators.

This sucks. But, in most jurisdictions, you can partner with a licensed person or firm. And, in many cases, the evidence will be given to you by your client or by the other side through discovery. I am not an attorney. I am not a licensed investigator. Contact an attorney licensed to practice in the jurisdiction, and competent in this area of law, for proper advice.


Quick and Dirty

Perhaps the most common way of capturing volatile evidence is with a camera. Take photos of the screen as it is. Scroll through any open screens and photograph them. Open the Task Manager and photograph the screens. Then, maximize each minimized application, and repeat. Be sure to scroll through and photograph each screen. Don't forget to capture system state, such as CPU load and network activity, mapped drives, started services, etc. And, of course, don't open any applications that aren't running. They can be analyzed after the system is imaged just as easily -- with a lower risk.

Use a digital camera with an LCD, so you can verify the photos as you go (or, gulp, an old-school Polaroid???). Back them up as soon as you can. Ensure that the time and date stamp is set correctly on your camera before you start. It isn't necessary to have the stamp on the image, as it will be in the file's metadata. Know your equipment, and check all of the settings, the metadata, etc., in advance.

Tools of the Trade

There are many tools that can be used to acquire images. They come in all types:

Volatility Framework

The Volatility Framework is probably the most important tool right now for Windows memory analysis. It provides tools for acquiring several different types of memory and process images, and a framework for plugging in tools to analyze them. Many tools are available, open source, and otherwise.

It is important because of its existing capabilities, because of the ability for it to grow as new tools are developed -- and because it provides a great framework for research and community involvement. Future offerings of this course are likely to write Volatility plug-ins. (Sorry, guys -- but thanks for piloting version 0!)

Please look at this and become familiar with its capabilities. Look at the "Exemplar data" provided -- and try it. Really. Try it. Do it.

Virtual Machines

Virtual machines are important for forensics -- and for many other reasons. As we move in the direction of utility computing, some computing will be done by applications running, in effect, independently "in the cloud" without a meaningful system context, and the rest will run as part of traditional, but virtualized, systems hosted in the cloud.

Right now, many investigators use virtual machines to study the dynamic behavior of a system. We back up the image file and load it into a VM. And, from there, we go. We can "reset" by starting over with the original image file as often as is convenient. This allows for repeated destructive analysis.

In any case, it is important to note that VMs can be suspended. And, when they are suspended, they write their volatile storage to files on disk. Ta-da. We've now got a persistent file holding a copy of volatile memory to analyze. It is like hibernation -- but better, because the bits aren't written to the virtualized file system. They are written to the irrelevant laboratory host file system.
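As an added illustration of that last point (not part of the original notes), the script below treats a suspended guest's memory file as evidence: it reads the configured RAM size from the VM's configuration, checks that the memory file on the host is a complete image of that RAM, and hashes it for the acquisition record. It assumes the VMware layout where `name.vmx` is the configuration (with a `memsize = "1024"` entry in MB) and `name.vmem` is the guest's memory; the path and file names are supplied by the caller.

```python
"""Preserve a suspended VMware guest's memory file as evidence.

Added example, not from the lecture notes. Assumes <name>.vmx holds the
configuration (memsize = "1024", in MB) and <name>.vmem holds the guest's
RAM once the VM is suspended. The .vmx path is supplied by the caller.
"""
import hashlib
import os
import re
from datetime import datetime, timezone

MEMSIZE_RE = re.compile(r'^\s*memsize\s*=\s*"(\d+)"\s*$', re.MULTILINE)


def configured_memory_bytes(vmx_path):
    """Read the guest's configured RAM (memsize, in MB) from the .vmx file."""
    with open(vmx_path, encoding="utf-8", errors="replace") as fh:
        match = MEMSIZE_RE.search(fh.read())
    if not match:
        raise ValueError("no memsize entry in %s" % vmx_path)
    return int(match.group(1)) * 1024 * 1024


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Hash the file in chunks; memory files can be gigabytes."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preserve_suspended_memory(vmx_path):
    """Locate the .vmem next to the .vmx, check its size against the
    configured RAM, and return an acquisition record for the case notes."""
    vmem_path = os.path.splitext(vmx_path)[0] + ".vmem"
    if not os.path.isfile(vmem_path):
        raise FileNotFoundError("no %s; VM may not be suspended" % vmem_path)
    expected = configured_memory_bytes(vmx_path)
    actual = os.path.getsize(vmem_path)
    return {
        "memory_file": vmem_path,
        "size_bytes": actual,
        # A mismatch means the file is not a complete image of guest RAM
        # (truncated copy, VM still changing); record it rather than hide it.
        "size_matches_config": actual == expected,
        "sha256": sha256_of_file(vmem_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }
```

Record the returned dictionary with the rest of the case notes; re-hashing the file later and comparing against `sha256` is how you show the memory image has not changed since acquisition.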

Warning to all Readers

These are unrefined notes. They are not published documents. They are not citable. They should not be relied upon for forensics practice. They do not define any legal process or strategy, standard of care, evidentiary standard, or process for conducting investigations or analysis. Instead, they are designed for, and serve, a single purpose, to help students to jog their memory of classroom discussions and assist them in thinking critically about the issues presented. The author is certainly not an attorney and is absolutely not giving any legal advice.