Initial Forensic Examinations on Windows
Posted on 2006-05-10
Our workstations and servers are hardened to fairly high standards. No one can remotely connect to the registry or the MMC console, hidden shares are gone, etc. etc. etc. I've been looking at FIRST standards, and they want several steps for forensically examining a station that cannot be collected if we are collecting information from a standard user account that may happen to be logged in. The registry is a good example. My forensic CD can collect DOS history, currently logged-in users, etc., but our hardening standards block a great deal. In performing the data collection from the local workstation, would anyone ever log out of the user that is logged in and log in as (a local) administrator just to run a tool that will allow further data collection? I fully recognize that this is dangerous. If someone hacks the computer, they hack in at the level of the person logged in. Part of me says don't do this, but the literature is nebulous on the topic. Part of me says wait to work with a working copy (a forensic duplicate) once the station is shut down, but I wanted to get the opinion of someone who is more experienced than I in this arena.
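As an added illustration of the live-collection step the post describes (this is not the poster's forensic CD or any tool named in the thread), the script below gathers the most volatile data in the session that is already logged in, records exactly which items the current account could not read instead of elevating or logging anyone out, and writes a SHA-256 manifest so the collected files can later be checked against the forensic duplicate. It assumes PowerShell 5.1 or later on a Windows 8+ host and an output folder on removable media at the assumed path E:\collect; both are assumptions, not facts from the post.

```powershell
# Added example, not from the original post. Live-response collector that runs as the
# currently logged-in account. Assumed output root: E:\collect (removable media).
$ErrorActionPreference = 'Stop'   # make access-denied errors throw so they get logged
$Root = Join-Path 'E:\collect' ("{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$Log = Join-Path $Root 'collection.log'

function Write-Log($Message) {
    "{0:o} {1}" -f (Get-Date), $Message | Tee-Object -FilePath $Log -Append
}

# Collectors run in order of volatility (most volatile first). Each is a name plus a
# script block; items that need administrator rights are left in on purpose so that
# the log shows what a standard-user collection cannot see.
$Collectors = [ordered]@{
    'context'   = {
        whoami /all
        $Id = [Security.Principal.WindowsIdentity]::GetCurrent()
        "Elevated: " + ([Security.Principal.WindowsPrincipal]$Id).IsInRole(
            [Security.Principal.WindowsBuiltInRole]::Administrator)
    }
    'date'      = { Get-Date -Format o; (Get-TimeZone).Id }
    'logged_on' = {
        query user
        Get-CimInstance Win32_LoggedOnUser | Select-Object -ExpandProperty Antecedent
    }
    # -IncludeUserName requires administrator rights; under a standard user this fails
    # and the failure itself is recorded as part of the collection.
    'processes' = {
        Get-Process -IncludeUserName |
            Select-Object Id, ProcessName, UserName, Path, StartTime |
            Format-Table -AutoSize | Out-String -Width 300
    }
    'network'   = {
        Get-NetTCPConnection |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
            Format-Table -AutoSize | Out-String -Width 300
    }
    # Command history of the logged-in user (the modern counterpart of "DOS history").
    'ps_history' = { Get-Content (Get-PSReadLineOption).HistorySavePath }
    # Autostart entries readable from the user's own session; HKLM is read-only here.
    'run_keys'  = {
        Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                         'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    }
}

foreach ($Name in $Collectors.Keys) {
    $OutFile = Join-Path $Root "$Name.txt"
    try {
        & $Collectors[$Name] | Out-File -FilePath $OutFile -Encoding utf8
        Write-Log "OK      $Name"
    } catch {
        # Denied access is evidence of the account's privilege level: record it, don't elevate.
        "COLLECTION FAILED: $($_.Exception.Message)" | Out-File -FilePath $OutFile -Encoding utf8
        Write-Log "FAILED  $Name : $($_.Exception.Message)"
    }
}
Write-Log "Collection finished; $((Get-ChildItem $Root -File).Count) files in $Root"

# Hash every artifact (including the finished log) so the set can be verified later.
Get-ChildItem $Root -File | Where-Object Name -ne 'manifest.sha256' |
    Get-FileHash -Algorithm SHA256 |
    ForEach-Object { "{0}  {1}" -f $_.Hash, (Split-Path $_.Path -Leaf) } |
    Out-File -FilePath (Join-Path $Root 'manifest.sha256') -Encoding ascii
```

Run it from the removable media in the session that is already open, and keep the resulting folder with the case notes. The point of the FAILED entries in collection.log is that they document what the standard-user session could not reach, which is the same information the poster is weighing against logging out and re-authenticating; anything those entries cover can then be recovered from the forensic duplicate once the station is shut down.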