Initial Forensic Examinations on Windows

Our workstations and servers are hardened to fairly high standards.  No one can remotely connect to the registry, the MMC console, hidden shares are gone, etc. etc. etc.  I've been looking at FIRST standards and they want several steps for forensically examining a station that cannot be collected if we are collecting information from a standard user account that may happen to be logged in.  The registry is a good example.  My forensic CD can collect DOS history, currently logged in users etc., but our hardening standards block a great deal.  In performing the data collection from the local workstation, would anyone ever log out of the user that is logged in, log in as (a local) administrator just to run a tool that will allow further data collection?  I fully recognize that this is dangerous.  If someone hacks the computer, they hack in at the level of the person logged in.  Part of me says don't do this, but the literature is nebulous on the topic.  Part of me says wait to work with a working copy (a forensic duplicate) once the station is shut down, but I wanted to get the opinion of someone who is more experienced than I in this arena.

awakeningsAuthor Commented:
Another related question is would you ever install Antivirus, Spyware, or any other software to collect information.  It seems like it may be helpful to even install ethereal on the host to see what information is being sent out.  What is your opinion?
Hi awakenings

As you alluded to in your post the first thing to do in any investigation is preserve the current state of the machine.

I believe there are tools around that can take a copy of current in-memory processes etc. prior to shutting the system down.

I could be wrong, but I also think it is best practice to remove power and cause an immediate shutdown rather than performing a graceful shutdown - this reduces the chances of anything malicious tidying up after itself and removing files etc. during the shutdown process.

One important thing to remember: if the investigation may lead to disciplinary or legal proceedings, details such as documentation of the chain of custody, documentation of any and all activities undertaken with the hardware etc. must all be kept.

When copying the hard drives ensure some form of device is used that only allows data flow in one direction so it can be demonstrated that the original has not been tampered with.

Once you have a copy - make copies of this as required and investigate away - again worth documenting any steps you take so that the defence can reproduce these steps.
Keep the original somewhere such as a safe.

2nd point - if you want to see what's leaving the host prior to shutting it down (as long as you are sure a process isn't running that is removing evidence), then sniff the outside of the NIC - do not install anything on the machine in question - otherwise it could be argued that the evidence was no longer safe.

Remember -
chain of custody
maintain an unchanged original copy.

This is by no means an exhaustive list, just some thoughts.
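The advice above (one-way copy, copies of the copy, keep the original locked away, document every step so it can be reproduced) hinges on being able to prove later that no copy drifted from the original. The script below is an added illustration, not part of this thread or any named tool: it hashes an acquired image in chunks, appends a chain-of-custody record, and verifies working copies against that record. The image, the copies and the examiner name are constructed here; the write blocker and the acquisition itself are assumed to have happened already.

```python
"""Integrity record for a forensic image and its working copies (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def hash_file(path, algo="sha256", chunk=1 << 20):
    """Hash a file in 1 MiB chunks so multi-GB images never have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def record_acquisition(image_path, examiner, note, log_path):
    """Append one chain-of-custody line: who, when (UTC), which file, size, hash."""
    rec = {"ts": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
           "file": os.path.basename(image_path), "size": os.path.getsize(image_path),
           "sha256": hash_file(image_path), "note": note}
    with open(log_path, "a") as log:       # append-only: earlier entries are never rewritten
        log.write(json.dumps(rec) + "\n")
    return rec

def verify_copy(copy_path, expected_sha256):
    """True only if the working copy still matches the hash recorded for the original."""
    return hash_file(copy_path) == expected_sha256

def demo():
    """Constructed data: a fake image, one faithful working copy, one altered copy."""
    d = tempfile.mkdtemp()
    orig, good = os.path.join(d, "original.dd"), os.path.join(d, "work1.dd")
    bad, log = os.path.join(d, "work2.dd"), os.path.join(d, "custody.jsonl")
    data = bytes(range(256)) * 16                      # 4 KiB of deterministic bytes
    for path, content in ((orig, data), (good, data), (bad, data[:-1] + b"\x00")):
        with open(path, "wb") as f:
            f.write(content)
    rec = record_acquisition(orig, "examiner-1 (constructed)",
                             "acquired through write blocker (constructed note)", log)
    # A single flipped byte in the second copy is enough to fail verification.
    return verify_copy(good, rec["sha256"]), verify_copy(bad, rec["sha256"])

if __name__ == "__main__":
    print(demo())
```

Re-run verify_copy against the logged hash before and after each analysis session; a mismatch means that copy is no longer usable as evidence and a fresh copy must be made from the original.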


awakeningsAuthor Commented:

Thanks.  A large portion of the process is very clear.  I am familiar with the chain of custody, using working copies and not originals, evidence custodians, etc.  Yes.  You are correct on the pull-the-power aspect once you have collected the live data.  My question is in regards to collecting the live data.  I do have tools to collect RAM information, DOS history, etc. etc.  What I am wondering is if I should log into a computer as a local administrator in order to collect more live evidence from the computer.  Any thoughts?

Thanks on the second point.  I was not sure as I have seen so many applications for installation.  It appears to me after your statement that you can install, but the installation should occur ONLY on a working copy.


awakeningsAuthor Commented:
Oh... On the second point, what about running applications like process explorer from a CDROM to collect more information?
From what I have been told I would advise against logging in as a different user before taking an image of the drive.  This is of course merely an opinion based on ensuring preservation of evidence.

We had a course recently and this was one of the main things that was repeatedly banged home I think from the point of view that if you have a guaranteed unchanged copy of the data it is very hard to refute what is found while the defence will always be looking for ways to cast doubt and suggest the investigation changed the data.

On the converse I can completely see your point of wanting to try and get as much 'live' data as possible.

Personally I would suggest being very careful of doing anything to the live system prior to imaging it, but situations vary depending on what is being investigated and what the user is suspected of doing, so this is an area where a certain amount of judgement may be required.

Second point - completely - once you have copies and the original is somewhere safe you can use whatever tools are necessary - as long as the steps are reproducible.

That sounds like an interesting idea, again depending on circumstances - if the user was unaware that they were being investigated then it is probably safer to use tools to look at running processes etc., but if they were aware of the situation they could have kicked off something like Eraser in the background to delete incriminating files, so the longer the machine was left on, the less evidence would be left.


> would you ever install Antivirus, Spyware, or any other software to collect information

No. While they are ok enough (some) to run as a forensic tool, that is for after-the-fact, not before.

OTOH, a good personal firewall could be a good collector, if installed, bidirectional, and logs are kept

> from a CDROM to collect more information?

Yes. The CD cannot be hacked.

Also, use a CD as the place to store the logs to use when auditing for any reason, including forensics