Thanks Jeff, I think the best solutions for investigating without downing the system that I've heard so far are: 1] Mirror disks if you have them - Just pull out and put in another machine to examine 2] Encase - expensive but can do the job 3] Win32 binaries of Sleuthkit - don't have to down the system but need to copy over files which is annoying It would be nice to be able to reboot into linux but the fact servers exist to perform a buisness function and unless I can prove from the volatile data that the machine is definitely comprimised there is no way in hell that anyone would let me down them. Its where buisness reality and forensic best practices unfortunately have to clash. Thanks everyone for all your comments, sakaba -----Original Message----- From: Reava, Jeffrey [IT/0200] [mailto:jeffrey.reavaat_private] Sent: Tuesday, August 12, 2003 5:49 AM To: 'Sakaba'; forensicsat_private Subject: RE: Using dd.exe to make forensic images of NTFS drives Sending an image out using dd and netcat may effectively make the system unusable from a production standpoint while the image is being transferred, and the malware will be running the whole time you're imaging and analyzing. Win32 binaries of Sleuthkit utilities (www.sleuthkit.org) work on system partitions (almost) as well as on image files. They'll give you more information than the usual volatile sources without having to wait for an image to complete. You can check every binary and copy off those that are suspicious, and use prebuilt hash sets/config files to make sure that you're only sending off the types of files that are relevant to the examination. It'll still spike your processor & disk utilization, but it should give enough information to decide between leaving the system up or taking it down for proper imaging. Jeff -----Original Message----- From: Sakaba [mailto:sakabaat_private] Sent: Monday, August 11, 2003 4:53 AM To: forensicsat_private Subject: Re: Using dd.exe to make forensic images of NTFS drives Hi everyone, Thanks for your responses. I've tested with bootable linux (FIRE, Knoppix STD) and using the dd command works fine. Its just using dd.exe while live on windows. Some of you asked why I would want to do that. The reason is taking down servers to do investigations is not something we want to do unless we have a lot of evidence that it is life or death to begin with. You don't know this purely from examining the volatile data sources. I want the capability to take live images of windows machines without having to reboot them and without having to use thier binaries. The FIRE cd's forensic shell can be started simply by inserting the CD and pressing the button off autorun. It uses its own binaries and other than the minor changes from inserting the CD doesn't make changes that I would care about. I just wished it worked. Does anyone know of a tried and tested method of taking a live image off a running windows machine without taking it offline or rebooting to linux cd or anything else that would disrupt operations. Thanks, Sakaba --------------------------------------------------------------------------- - ---- Get your free 15 Mb POP3 email @alexandria.cc Click here -> http://www.alexandria.cc/ ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com This communication is intended solely for the use of the addressee and may contain information that is legally privileged, confidential or exempt from disclosure. If you are not the intended recipient, please note that any dissemination, distribution, or copying of this communication is strictly prohibited. Anyone who receives this message in error should notify the sender immediately and delete it from his or her computer. ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 07:07:53 PDT