Steps to isolate a compromised PC / server & loading forensic tools/installers into them

https://belkasoft.com/baas/en/steps   :
"...until very recently, this additional evidence was often discarded. Approaching running computers with a “pull-the-plug” attitude used to be a standard practice,.."

Q1:
Link/line above seems to indicate don't plug out a compromised PC or don't power off a compromised PC?

Q2:
if we want to see using sysinternals Tcpview the Network IOCs, I guess we should not even disconnect the network at all??

Q3:
Or still disconnect the compromised PC from network (to stop further re-infections or data being maliciously copied out
or stop call-backs) but don't power it off but just disconnect from network?

Q4:
In our environment, USB ports are all (except a few rare exceptions for business purpose on isolated PCs) disabled using
DLP products (not using registry) : so if we disconnect a compromised PC from LAN, the consoles of the DLP can't be
used to enable back the USB anymore for us to copy forensic tools to the compromised PC.  However, speed is of essence
to disconnect an infected (we have a few ransomware cases) PC from network thus there's no time to use the DLP
consoles to enable the USB.  So how do we still copy the forensic tools into the PCs?  I assume if we use DLP consoles
to access the infected PCs, the DLP console may be at risk or I'm being paranoid?

Q5:
Someone suggested that the forensic tools should always be readily deployed into all PCs & servers to overcome the
issue in Q4 above, ie place a copy in them from the very start.  However, this means we have to often update the
versions of the tools or patch them if there's any.  I would rather have a couple of dedicated forensics laptops with
these installers & use LAN cable (someone suggest LAP cable adaptor to USB) to copy the installers over & the
dedicated laptops are treated as risky & should be wiped out after the whole exercise is over.
sunhuxAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
The plug-out policy is intended as emegency action to prevent further damage. Depending on what the suspect process does, this can be necessary, a good idea or not good at all.

Keeping the machine running is better if you want to investigate and collect evidence.

If the compromised PC is given up (nothing to save for later use besides of keeping evidence), it is important to isolate the machine from network, to prevent spreading an infection or doing other harm outside of the machine.
Best to put it on an isolated network, where you can monitor what it does. If that cannot be done, disconnecting from network is necessary.

Of course every action you take on the machine brings a risk with it to remove traces, just like with each site investigation.

Common ways to keep forensic tools are:
Keep an tools USB stick with read-only switch (a rare option), or overwrite the USB stick with a clean image after each forensic session (to make sure no infection can be spread).
Similar can be done with a machine in an isolated network, to do some remote forensics.
If the machine has been switched off, offline forensic applied to the hard disk is available, but as said above that should not be the first action to take.
1
btanExec ConsultantCommented:
1. It depends. The rule is supposed to reduce the damage by cutting out the attacker or malware. But specific to the article, it is saying that by doing that (plug out), there can be evidence lost as they may also resides on the computer’s volatile memory. There are certain information that never ends up on the hard drive, such as ongoing communications in social networks, data on running processes or open network connections.

2./3. If you are referring to connection state of the IP addresses (callback etc), technically you will not be seeing the expected when machine is physically disconnected from any external connection. But if it is not powered down, and you can dump out the live memory, there may still chance to find trace of past connection of the TCPView - assuming you executed it before the unplug.

Actually malware has seen become stealthy and for those at the initial state of infection, and yet to callback to "mothership", it will likely be waiting for a internet connection - not only network connection only. And once gotten connected, it can download the more lethal malware like actual ransomware.

Nonetheless, attacker (esp state sponsor type) is smart too as they understand that organisation may be in a state of internet separation, hence the payload delivered through phishing email or USB gift will be self sufficient to get its infection full blown without the "mothership" to intervene. For those sabotage type like ransomware, it is good enough to cause the damage already. Other type of malware  will move laterally and find means to call back eventually - most of the time, infect other USB drive/ file shares etc and move on to other network ... waiting patiently.

4. Chicken and egg issue. But mostly for the forensic tool in USB, it will be a read only and also write blocker will be in place. Malware will fail its re-infection attempts. The jewels in the live memory esp for ransomware when it would have traces of the private key in the memory. But again,  it is essential to carefully weigh the benefits of memory acquisition against such drawbacks, taking into account that dumping live contents might be the only way to obtain certain types of evidence (besides the ransomware private key,  for example, there are decryption keys used to access to encrypted disk volumes that may contain orders of magnitude more evidence than memory alone).

Regardless if you manage to take a memory dump, continuing with live box analysis may be beneficial if, for example, there is certain information stored on remote servers (or mothership), and a network connection (e.g. a secure VPN connection or an RDP session) is established which may be lost when the computer is plugged off.

Good to consider the official ACPO (UK) Guidelines recommends the following SOP for capturing a memory dump:
  1. Perform a risk assessment of the situation: Is it evidentially required and safe to perform volatile data capture?
  2. If so, install volatile data capture device (e.g. USB Flash Drive, USB hard drive etc.)
  3. Run the volatile data collection script.
  4. Once complete, stop the device (particularly important for USB devices which if removed before proper shutdown can lose information).
  5. Remove the device.
  6. Verify the data output on a separate forensic investigation machine (not the suspect system).
  7. Immediately follow with standard power-off procedure.

5. The agent based remote forensic is ideal but privacy will be a concern. in any case, it is an official machine, make sure the login banner state the machine is subjected to scrutiny and  audit. Employee will have to understand it is official and of course, the biggest piece of the story is the operationalisation and SOP to make sure such power lies and be oversee by the management authority.

You can have the forensic machine but when for live acquisition, you are looking at going lightweight and just dumping as the core work. It is more for offline analysis over the network dealing with the bit-by-bit cloned or replicated HDD or memory device. Time is of essence.

Of course, there can be many ways to "skin a cat". It is all about staying agile in the forensic strategy - be flexible and scalable
- Use of dedicated equipment that is all  in one to do the live acquisition.
- Using cross cable over into machine can be still possible.
- Using agent based approach for Enterprise wide monitoring, detect and response. Augment with offsite checks
- Using specialist at site to address specific important evidence gathering and at times important agenda where machine cannot be simply shut down or be disconnected immediately as it may alert the attacker too..
- Using directly acquire the computer’s operating memory (RAM) by connecting through a FireWire link.
1

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sunhuxAuthor Commented:
Thanks.

That Belkasoft article could mean "plug-out the power cord" instead of plugging out the network connections.

If we want to use a USB stick to run the tools (to collect artefacts/evidences), then a decision needs to be made:
do we allow some time to use our DLP console to enable the USB ports of the affected machines (& I'm not
certain if the DLP console tool itself will be affected for connecting to the affected machines to push policy
down) or the priority is to disconnect from network first (in which case the DLP console cant push down the
amended policy of enabling the USB ports on the affected machines)?
0
sunhuxAuthor Commented:
We currently don't have any policy on the steps to take & their priority/sequence, so I'm required to draft one
0
btanExec ConsultantCommented:
The plug out would meant both too. Regardless once power off, the loss is evident.

Indeed policy to govern this is needed, blend into the incident response framework ad part of the playbook and send out directive on this specific steps.

Anyway, you will need regular workshop to train the responser and also users - the latter is important and neglect them.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Ransomware

From novice to tech pro — start learning today.