Saturday, March 27, 2010

Windows Memory Analysis - EnScript

I recently tried an EnCase EnScript package called "Memory Forensic Toolkit". It is used as any other EnScript is used, and carries out the same processes that Volatility runs, but within the Windows EnCase environment. The download has three separate directories for the Windows OS versions it supports (XP, Win7 and Server 2003). From some basic testing so far, the EnScripts (13 or so for each OS version) have worked as anticipated. My tests using the EnScripts with Vista did not go so well (although the toolkit does not claim to support Vista). The newest version, 1.69, was released today.

The site, CCI: Computer Crime Investigation, is primarily in Japanese and appears to be run by Takahiro Haruyama.

Next up...comparing the EnScript results with those produced by running Volatility.
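One way to do that comparison, as an added example that is not part of the original post and not code from either tool: parse the process listing each tool produces into a set of (pid, name) pairs and report what one tool saw that the other did not. The two sample listings below are constructed for the example, and their column layout (whitespace-separated `Name Pid PPid` with one header line) is an assumption, not the exact output format of Volatility or the EnScript.

```python
"""Cross-check two process listings taken from the same memory image.

Added example, not part of the original post or of either tool. The two
sample listings are constructed, and their column layout (Name, Pid, PPid,
whitespace-separated, one header line) is an assumption rather than the
exact output format of Volatility or the EnScript.
"""
from typing import Dict, Set, Tuple

# Constructed sample: what "tool A" (say, Volatility's process list) reported.
TOOL_A_OUTPUT = """\
Name                 Pid    PPid
System               4      0
smss.exe             368    4
csrss.exe            584    368
winlogon.exe         608    368
services.exe         652    608
lsass.exe            664    608
svchost.exe          836    652
explorer.exe         1504   1476
notepad.exe          2012   1504
"""

# Constructed sample: what "tool B" (say, the EnScript) reported.
TOOL_B_OUTPUT = """\
Name                 Pid    PPid
System               4      0
smss.exe             368    4
csrss.exe            584    368
winlogon.exe         608    368
services.exe         652    608
lsass.exe            664    608
svchost.exe          836    652
explorer.exe         1504   1476
cmd.exe              2240   1504
"""

Process = Tuple[int, str]  # (pid, lowercase image name)


def parse_listing(text: str) -> Set[Process]:
    """Turn a whitespace-separated listing into a set of (pid, name).

    The first non-blank line is treated as the header and skipped. Lines
    with fewer than two columns or a non-numeric Pid are ignored rather
    than raising, so a trailing summary line cannot abort the run.
    """
    procs: Set[Process] = set()
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:
        cols = line.split()
        if len(cols) < 2 or not cols[1].isdigit():
            continue
        procs.add((int(cols[1]), cols[0].lower()))
    return procs


def compare_listings(a_text: str, b_text: str) -> Dict[str, Set[Process]]:
    """Return what each tool reports that the other does not.

    Keys: 'only_in_a', 'only_in_b', 'in_both'. A process present in one
    listing but not the other is the starting point for a manual check
    (an unlinked process, one that exited while the image was taken, or
    simply a difference in how the two tools walk the process list).
    """
    a = parse_listing(a_text)
    b = parse_listing(b_text)
    return {"only_in_a": a - b, "only_in_b": b - a, "in_both": a & b}


def format_report(result: Dict[str, Set[Process]]) -> str:
    """Render the comparison as plain text suitable for case notes."""
    out = [f"agreed on {len(result['in_both'])} process(es)"]
    for key, label in (("only_in_a", "only tool A"), ("only_in_b", "only tool B")):
        for pid, name in sorted(result[key]):
            out.append(f"{label}: pid {pid} {name}")
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(compare_listings(TOOL_A_OUTPUT, TOOL_B_OUTPUT)))
```

Matching on (pid, name) rather than name alone keeps two instances of the same image (several svchost.exe processes, for instance) distinct, and lowercasing the name avoids false differences when one tool preserves the on-disk case and the other does not.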

Friday, March 26, 2010

SIFT v2.0

I have been taking SIFT 2.0 for a test drive over the week and noticed that the official release has been posted to the SANS Computer Forensics website. The amount of information on this release is incredible. It is quite apparent that Rob Lee has spent considerable time and thought on this update. You will need an account with SANS to be able to download it.

There is also a detailed SIFT Tool Listing (download link). The document is very thorough, and for those who may be new to the SIFT VM appliance, the first few pages may help you get started. As an example of its robustness - Volatility has over 50 plug-ins, and there are many programs for Timeline Analysis, artifact and Registry analysis, Data Carving...and the list goes on.

What are you telling your investigators/officers?

We had some discussion over the last few weeks about the ability (or inability) of non-forensically trained investigators to assist in the collection of digital evidence at crime scenes.

As we see the field of forensics adopting a stronger move towards live acquisitions (including RAM, certain (un)scripted processes and eventually the hard drive), we are wondering what we should be tasking our investigators to do. Our unit simply cannot assist at every scene. Too many cases and far too wide a geographical area. Is pulling the plug in these circumstances still acceptable? Should we be moving to a "Cofee-type" procedure where little training is required? One significant challenge is the numerous different areas in which our officers must acquire and maintain skills (in traditional policing areas). Can we really expect them to rise to a new level?

Any comments or suggestions would be welcome.

Wednesday, March 17, 2010

Knew it was going to happen....

It finally happened. Those "old school" forensic practices caught some colleagues while seizing a Dell laptop. The old practice of pulling the plug led to the drive being inaccessible when they returned to the lab, due to a BIOS password being present. The actual hard drive was removed, but various imaging techniques did not work. That being said, RAM had been imaged and a password was located in RAM (for an email account). Luckily the password was the same and we were able to access the drive.

One more reason to hasten our move to 100% live imaging at the scene, grabbing both the RAM and the drive. One more reason to get F-Response for everyone in the office!

FYI...once we had the password, we booted the laptop (with hard drive enclosed) using Helix Pro. Using Helix, we imaged the drive to a RW-mounted wiped external USB drive. Worked like a charm.

Good guys 1 - Bad guys 0 (but just barely).