Initial Forensic Examinations on Windows

Posted on 2006-05-10
Last Modified: 2010-04-11
Our workstations and servers are hardened to fairly high standards.  No one can remotely connect to the registry, the MMC console, hidden shares are gone, etc. etc. etc.  I've been looking at FIRST standards and they want several steps for forensically examining a station that cannot be collected if we are collecting information from a standard user account that may happen to be logged in.  The registry is a good example.  My forensic CD can collect DOS history, currently logged in users etc., but our hardening standards block a great deal.  In performing the data collection from the local workstation, would anyone ever log out of the user that is logged in, log in as (a local) administrator just to run a tool that will allow further data collection?  I fully recognize that this is dangerous.  If someone hacks the computer, they hack in at the level of the person logged in.  Part of me says don't do this, but the literature is nebulous on the topic.  Part of me says wait to work with a working copy (a forensic duplicate) once the station is shut down, but I wanted to get the opinion of someone who is more experienced than I in this arena.
Question by:awakenings

    Author Comment

    Another related question is would you ever install Antivirus, Spyware, or any other software to collect information.  It seems like it may be helpful to even install ethereal on the host to see what information is being sent out.  What is your opinion?
    LVL 5

    Assisted Solution

    Hi awakenings

    As you alluded to in your post the first thing to do in any investigation is preserve the current state of the machine.

    I believe there are tools around that can take a copy of current in memory processes etc prior to shutting the system down.

    I could be wrong but I also think it is best practice to remove power and cause an immediate shutdown rather than performing a graceful shutdown - this reduces the chances of anything malicious tidying up after itself and removing files etc. during the shutdown process.

    One important thing to remember: if the investigation may lead to disciplinary or legal proceedings, details such as documenting the chain of custody, documenting any and all activities undertaken with the hardware, etc. must all be kept.

    When copying the hard drives ensure some form of device is used that only allows data flow in one direction so it can be demonstrated that the original has not been tampered with.

    Once you have a copy - make copies of this as required and investigate away - again worth documenting any steps you take so that the defence can reproduce these steps.
    Keep the original somewhere such as a safe.

    2nd point - if you want to see what's leaving the host prior to shutting it down (as long as you are sure a process isn't running that is removing evidence) then sniff the outside of the NIC - do not install anything on the machine in question - otherwise it could be argued that the evidence was no longer safe.

    Remember -
    chain of custody
    maintain an unchanged original copy.

    This is by no means an exhaustive list, just some thoughts.



    Author Comment


        Thanks.  A large portion of the process is very clear.  I am familiar with the chain of custody, using working copies and not originals, evidence custodians, etc.  Yes.  You are correct on the pull-the-power aspect once you have collected the live data.  My question is in regard to collecting the live data.  I do have tools to collect RAM information, DOS history, etc. etc.  What I am wondering is if I should log into a computer as a local administrator in order to collect more live evidence from the computer.  Any thoughts?

        Thanks on the second point.  I was not sure as I have seen so many applications for installation.  It appears to me after your statement that you can install, but the installation should occur ONLY on a working copy.


    Author Comment

    Oh... On the second point, what about running applications like process explorer from a CDROM to collect more information?
    LVL 5

    Accepted Solution

    From what I have been told I would advise against logging in as a different user before taking an image of the drive.  This is of course merely an opinion based on ensuring preservation of evidence.  

    We had a course recently and this was one of the main things that was repeatedly banged home, I think from the point of view that if you have a guaranteed unchanged copy of the data it is very hard to refute what is found, while the defence will always be looking for ways to cast doubt and suggest the investigation changed the data.

    On the converse I can completely see your point of wanting to try and get as much 'live' data as possible.

    Personally I would suggest being very careful of doing anything to the live system prior to imaging it, but situations vary depending on what is being investigated and what the user is suspected of doing, so this is an area where a certain amount of judgement may be required.

    Second point - completely - once you have copies and the original is somewhere safe you can use whatever tools are necessary - as long as the steps are reproducible.

    That sounds like an interesting idea, again depending on circumstances - if the user was unaware that they were being investigated then it is probably safer to use tools to look at running processes etc., but if they were aware of the situation they could have kicked off something like Eraser in the background to delete incriminating files, so the longer the machine was left on, the less evidence would be left.

    LVL 24

    Assisted Solution

    > would you ever install Antivirus, Spyware, or any other software to collect information

    No. While they are ok enough (some) to run as a forensic tool, that is for after-the-fact, not before.

    OTOH, a good personal firewall could be a good collector, if installed, bidirectional, and logs are kept

    > from a CDROM to collect more information?

    Yes. The CD cannot be hacked.

    Also, use a CD as the place to store the logs to use when auditing for any reason, including forensics
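The script below is an added example, not code from this thread or from any of the posters. It shows the live-collection step the thread keeps circling: tools run from read-only media, nothing written to the suspect volume, everything collected in order of volatility, and every output file hashed and time-stamped so the steps can be reproduced later. The case ID, the CD drive letter, the output drive letter, the memory-imager file name and its single output-path argument are all assumptions; change them to match the toolkit actually on the CD. One caveat the thread does not mention: the PowerShell cmdlets themselves are host-resident code, so a kernel-level rootkit on the suspect machine can still lie to them; a statically linked tool on the CD limits what the host can substitute, but not what a compromised kernel can hide.

```powershell
# Added example: volatile-data collection from read-only media to external media.
# Assumptions: the CD/DVD with this script and tools is mounted as $ToolRoot;
# $OutRoot is a removable or network destination that is NOT the suspect disk.
param(
    [string]$CaseId   = 'CASE-0001',   # assumed case identifier
    [string]$ToolRoot = 'D:\',         # assumed CD-ROM drive letter
    [string]$OutRoot  = 'E:\collect'   # assumed external destination
)

$ErrorActionPreference = 'Continue'
$machine = $env:COMPUTERNAME
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest    = Join-Path $OutRoot "$CaseId-$machine-$stamp"
New-Item -ItemType Directory -Path $dest -Force | Out-Null
$log     = Join-Path $dest 'collection-log.txt'

function Write-Log([string]$Message) {
    # Every action is time-stamped in UTC so the sequence can be reconstructed later.
    $line = '{0} {1}' -f (Get-Date).ToUniversalTime().ToString('o'), $Message
    Add-Content -Path $log -Value $line
}

function Save-Output([string]$Name, [scriptblock]$Collector) {
    # Run one collector, save its output beside the log, then hash the saved file.
    $file = Join-Path $dest "$Name.txt"
    Write-Log "START $Name"
    try {
        & $Collector 2>&1 | Out-File -FilePath $file -Encoding utf8
    } catch {
        Write-Log "ERROR $Name : $_"
    }
    $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
    Write-Log "END   $Name sha256=$hash"
}

Write-Log "Collection started on $machine by $env:USERNAME (case $CaseId)"
Write-Log "Tools from $ToolRoot, output to $dest; nothing written to the suspect volume"

# Order of volatility: what disappears first is collected first.
Save-Output 'system-time'     { Get-Date; w32tm /query /status }
Save-Output 'logged-on-users' { quser }
Save-Output 'processes'       { Get-Process | Sort-Object Id |
                                Format-Table Id, ProcessName, Path, StartTime -AutoSize }
Save-Output 'network'         { Get-NetTCPConnection | Sort-Object State |
                                Format-Table LocalAddress, LocalPort, RemoteAddress,
                                             RemotePort, State, OwningProcess -AutoSize
                                arp -a; ipconfig /all }
Save-Output 'services'        { Get-Service | Format-Table Status, Name, DisplayName -AutoSize }
Save-Output 'run-keys'        { Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                                                       'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' `
                                                 -ErrorAction SilentlyContinue | Format-List }

# A memory imager staged on the CD is invoked by full path so nothing on the
# suspect host's PATH can be substituted for it. The file name and the
# single output-path argument are assumptions about the tool you carry.
$memTool = Join-Path $ToolRoot 'tools\winpmem.exe'
if (Test-Path $memTool) {
    $memImage = Join-Path $dest 'memory.raw'
    Write-Log ("RUN   $memTool sha256=" + (Get-FileHash -Path $memTool -Algorithm SHA256).Hash)
    & $memTool $memImage 2>&1 | Out-Null
    Write-Log ("END   memory sha256=" + (Get-FileHash -Path $memImage -Algorithm SHA256).Hash)
}

Write-Log 'Collection finished'
# Hash the log itself last; record this value on the chain-of-custody form.
(Get-FileHash -Path $log -Algorithm SHA256).Hash |
    Set-Content -Path (Join-Path $dest 'collection-log.sha256')
```

Run it from the CD as the account that is already logged in (`powershell -ExecutionPolicy Bypass -File D:\collect.ps1 -OutRoot E:\collect`); if you do decide, against the accepted answer's advice, to log in as a local administrator first, the log records the account name and UTC time of that action along with everything else. Only after the log hash is written on the evidence form do you pull the power and image the disk through a write blocker.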
