Overview
In addition to CIRCL TR-22 - Recommendations for Readiness to Handle Computer Security Incidents, TR-30 provides a list of evidence acquisition support tools which can be used by Local Incident Response Teams (LIRT). The tools can be used to gather forensic evidence from Microsoft Windows systems, including memory, the registry and other artefacts.
We recommend acquiring evidence on the running system, especially memory and registry evidence: memory is lost at shutdown, and an encrypted disk or a hardware RAID imaged off-line yields data that cannot be read without the key or the controller. In the case of encrypted disks or hardware RAIDs, we therefore recommend a live disk acquisition before the system is shut down. If the system is not encrypted, we recommend an off-line disk acquisition, if possible through a write-blocker device. To test whether a disk is encrypted, the EDD tool mentioned below can help you.
Be prepared
We advise keeping at least one, preferably several, USB sticks prepared and in stock. When an incident occurs you just fetch one of the sticks and are ready to start.
The USB stick should fulfil some essential requirements. To save time, it should be at least USB 3.0: you have to capture several GB of data and need to work fast, and waiting endlessly for the data transfer would be painful.
The USB stick needs to provide enough space to store all the tools listed in this report, one or more memory dumps and sometimes also live acquisition data such as the system registry, event logs, prefetch files and the like.
The file system needs to support large files. A FAT file system sounds like a good choice, but FAT32 only supports files up to 4 GB, which is no longer enough for a memory dump these days (a raw dump is the size of physical RAM). The exFAT file system supports large files and is supported by most computers. This is the file system of our choice.
These are the steps to prepare the USB stick:
1. Wipe the device.
2. Download all the tools mentioned below.
3. Verify the integrity of the downloads against the hashes listed below.
4. Unpack the tools onto the USB stick, one sub-folder per tool.
5. Create an image of the USB stick.
With an image available it is much quicker to prepare a stick for the next incident: restore the image instead of repeating steps 1 to 4.
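The five steps above, scripted for a Linux workstation as an added example (this is not part of TR-30 and not CIRCL's own tooling). It assumes GNU coreutils and a hypothetical manifest file in the format "<algorithm> <hexdigest> <filename>", filled with the MD5/SHA1 values listed in this report; the download directory, device name and image path are supplied on the command line. The first stick still has to be wiped and formatted exFAT by hand; afterwards restore_image writes a verified image back over the device, which replaces steps 1 to 4. Two caveats: a hash copied from the same page as the download link only detects corrupted or truncated transfers, not a compromised download site, and MD5 and SHA1 are no longer collision resistant, so check a vendor SHA-256 value instead where one is published.

```shell
#!/bin/sh
# Preparation helpers for the response stick (added example, not part of TR-30).
# Assumes a Linux workstation with GNU coreutils (md5sum, sha1sum, sha256sum, dd).
#
# Manifest format assumed here, one download per line:
#   <md5|sha1|sha256> <hexdigest> <filename>
# Lines starting with # are ignored.

# Step 3: verify every download in DIR against MANIFEST. Returns 1 if any entry
# fails, so a stick is never built from an unverified or truncated download.
verify_manifest() {
    manifest="$1"; dir="$2"; failed=0
    # "|| [ -n ... ]" also processes a last line without a trailing newline
    while read -r algo expected name || [ -n "$algo" ]; do
        case "$algo" in ''|'#'*) continue ;; esac
        case "$algo" in
            md5)    tool=md5sum ;;
            sha1)   tool=sha1sum ;;
            sha256) tool=sha256sum ;;
            *) echo "FAIL $name: unknown algorithm '$algo'" >&2; failed=1; continue ;;
        esac
        if [ ! -f "$dir/$name" ]; then
            echo "FAIL $name: missing" >&2; failed=1; continue
        fi
        actual=$("$tool" "$dir/$name" | cut -d' ' -f1)
        expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')   # vendors mix case
        if [ "$actual" = "$expected" ]; then
            echo "OK   $name ($algo)"
        else
            echo "FAIL $name: $algo expected $expected got $actual" >&2; failed=1
        fi
    done < "$manifest"
    return "$failed"
}

# Step 5: image the finished stick and record the image hash. Run as root;
# DEV is the whole device (e.g. /dev/sdb), not a partition.
make_image() {
    dev="$1"; img="$2"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    dd if="$dev" of="$img" bs=4M conv=fsync status=progress || return 1
    sha256sum "$img" > "$img.sha256"
}

# Next incident: write the verified image back. This overwrites whatever the
# stick held from the previous case, so it covers steps 1 to 4 in one go.
restore_image() {
    img="$1"; dev="$2"
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    sha256sum -c "$img.sha256" || return 1     # never restore a damaged image
    dd if="$img" of="$dev" bs=4M conv=fsync status=progress && sync
}

# Minimal command line: verify MANIFEST DIR | image DEV IMG | restore IMG DEV
case "${1:-}" in
    verify)  verify_manifest "$2" "$3" ;;
    image)   make_image "$2" "$3" ;;
    restore) restore_image "$2" "$3" ;;
esac
```

Typical sequence: "sh prepare_stick.sh verify manifest.txt ./downloads" before unpacking anything, then "sudo sh prepare_stick.sh image /dev/sdX stick_20201216.img" once the stick is complete, and "sudo sh prepare_stick.sh restore stick_20201216.img /dev/sdX" for the next incident (replace sdX with the real device name; the [ -b ] guard only catches typos that do not name another block device).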
Memory Acquisition: DumpIt
A quick and easy command line tool to acquire a raw memory dump from several Microsoft Windows versions. DumpIt is part of the Comae-Toolkit and supports several architectures, such as ARM64, x64 and x86.
The Comae-Toolkit is free for personal use, but registration is required.
Version: Comae-Toolkit-3.0.20201127 (as of 2020.12.16)
Download: Comae-Toolkit
MD5: 056cb0d48b140ab9f31de2c083cf0cc7
SHA1: df0e34e56670fcf03bec4641d3b025eb3e6c70e3
Usage (change into the sub-folder matching the target's architecture, x64 on 64-bit Windows; the x86 build is shown here):
cd Z:\comae\x86\
DumpIt.exe /OUTPUT memory_20201215_1138.bin
-- Press y when prompted; the dump is written into the working directory, i.e. onto the USB stick, so make sure the stick has room for a file the size of the target's physical RAM.
Memory and Live Acquisition: FTK Imager Lite
FTK Imager Lite is GUI-based software to acquire physical disk images.
On running Windows systems it also supports the acquisition of memory and of logical system files such as the registry, event logs and the like.
FTK Imager Lite is free, but registration is required.
Version: FTK Imager Lite 3.1.1 (as of 2020.12.16)
Download: FTK Imager Lite
MD5: 4de49f1fdbb27a293d04e8569abc2640
SHA1: 10e4b44420f78f5bf1bbb4360f4b124d074c9fe6
Usage: GUI based; the Lite edition needs no installation and is started directly from the USB stick.
Encrypted Disk Detector: EDD
To capture a physical disk image, you have to shut down the computer or reboot it from an external drive.
If the disk is protected by full disk encryption and you do not have access to the passphrase or recovery key, you will end up with no data to analyse.
EDD (Encrypted Disk Detector) is a command line tool that checks for encrypted volumes (TrueCrypt, PGP, BitLocker and others). Encrypted containers stored as files on the file system are not detected.
EDD is free, but registration is required.
Version: EDD v3.0.1 (as of 2020.12.16)
Download: EDDv301
MD5: 8984973bb318d5cb40b72bac9425d571
SHA1: 2597cfc0f012c043952635c49682d6b435a4e56c
Usage (run on the live system, before shutdown):
cd d:\EDDv301\
EDDv301.exe /accepteula
Sysinternals Suite
Sysinternals Suite is a collection of native Microsoft tools which are very useful when performing 'Live Analysis'. The entire set of Sysinternals tools is collected in a single archive.
All Sysinternals tools are free.
Version: November 04, 2020 (as of 2020.12.16)
Download: Sysinternals Suite
MD5: 3bc9e27950d0f3ab29a7fb474e4daaa1
SHA1: 60277a0e85e70aaa6088dafb10a110fad6ba745e
Usage: each tool has its own command line options; see the Sysinternals Suite documentation. Most of the command line tools require the licence to be accepted on first run (the -accepteula option does this non-interactively). Note that running any tool on the suspect system modifies it (the EULA acceptance is stored in the registry, and prefetch files are created), so acquire memory first and record which tools you ran.
Security Scanner: Nmap
Nmap started as the most popular port scanner. In the meantime its functionality goes far beyond that: equipped with a scripting engine and additional supporting tools, it has turned into a real security scanner.
While having a security scanner on board is useful, Nmap also ships a very useful command line tool, 'ncat'. Ncat is a newly developed tool inspired by the legendary Netcat, also known as the 'Swiss Army Knife' of networking tools.
Ncat can be used to transport information from the computer under analysis over the network to your own workstation. There is a free command line version of Nmap for Windows.
Version: Nmap 7.91 (as of 2020.12.16)
Download: Nmap
MD5: a8eedc0e7234ade22451ffc7e4047db6
SHA1: 462bfb0f7a7880fbdc05987994a65fc44d716654
Usage: open a Netcat listener on your workstation on port 9999 (-k keeps it listening after each connection closes; this is the OpenBSD nc / ncat option syntax). The transfer is cleartext and unauthenticated, so run it on a dedicated, isolated network segment:
nc -k -l 9999 >> analysis_20201216_1509.txt
Extracting live data from the suspicious PC to the workstation at IP address 192.168.1.2, one connection per command:
echo "Date and Time" | ncat.exe 192.168.1.2 9999
date /t | ncat.exe 192.168.1.2 9999
time /t | ncat.exe 192.168.1.2 9999
echo "--------------------" | ncat.exe 192.168.1.2 9999
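A workstation-side wrapper for the listener above, as an added example (it is not part of TR-30). It keeps the nc -k -l listener shown above but names the evidence file after a case identifier and the UTC time, and adds the custody step that is easy to forget in a hurry: hash and log the received file before anyone opens or copies it. Assumed: GNU coreutils, OpenBSD-style nc or ncat on the workstation, and the hypothetical EVIDENCE_DIR and CUSTODY_LOG locations. The workstation timestamp in the custody log also lets you compare the suspect system's clock, as sent by date /t and time /t, against a trusted one. The transfer itself stays cleartext; if the collection cannot run on an isolated segment, ncat on both ends supports --ssl.

```shell
#!/bin/sh
# Workstation side of the ncat transfer (added example, not part of TR-30).
# Assumes OpenBSD-style nc or ncat (the -k/-l syntax used above) and GNU coreutils.

EVIDENCE_DIR="${EVIDENCE_DIR:-./evidence}"                  # assumed location
CUSTODY_LOG="${CUSTODY_LOG:-$EVIDENCE_DIR/custody.log}"     # assumed location

# Start the listener, naming the output after the case and the current UTC time
# so that several collections on one day do not run together. Blocks until
# interrupted with Ctrl-C; run it in a second terminal.
receive_evidence() {
    case_id="$1"; port="${2:-9999}"
    mkdir -p "$EVIDENCE_DIR"
    out="$EVIDENCE_DIR/${case_id}_$(date -u +%Y%m%d_%H%M).txt"
    echo "receiving on port $port into $out" >&2
    nc -k -l "$port" >> "$out"
}

# Seal a received file: append SHA-256, size and receive time (workstation clock,
# UTC) to the custody log and print the digest. Do this as soon as the collection
# is finished, before the file is opened or copied anywhere.
seal_evidence() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    digest=$(sha256sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    mkdir -p "$(dirname "$CUSTODY_LOG")"
    printf '%s sha256=%s size=%s file=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$digest" "$size" "$file" >> "$CUSTODY_LOG"
    printf '%s\n' "$digest"
}

# Re-check a sealed file against its most recent custody record. Returns 1 if
# the file was modified since sealing or was never sealed. File names must not
# contain spaces (the record is parsed field by field).
check_evidence() {
    file="$1"
    [ -f "$CUSTODY_LOG" ] || { echo "no custody log at $CUSTODY_LOG" >&2; return 1; }
    recorded=$(awk -v want="file=$file" \
        '$NF == want { for (i = 1; i <= NF; i++) if ($i ~ /^sha256=/) d = substr($i, 8) }
         END { print d }' "$CUSTODY_LOG")
    [ -n "$recorded" ] || { echo "no custody record for $file" >&2; return 1; }
    current=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$recorded" = "$current" ]; then
        echo "OK   $file"
    else
        echo "FAIL $file: recorded $recorded, now $current" >&2
        return 1
    fi
}

# Minimal command line: receive CASE [PORT] | seal FILE | check FILE
case "${1:-}" in
    receive) receive_evidence "$2" "$3" ;;
    seal)    seal_evidence "$2" ;;
    check)   check_evidence "$2" ;;
esac
```

Sequence for one collection: "sh receive.sh receive case42 9999" in one terminal, run the ncat commands on the suspect PC, stop the listener with Ctrl-C, then "sh receive.sh seal evidence/case42_20201216_1509.txt"; "sh receive.sh check <file>" verifies a file against the log at any later time, for example before handing it to an analyst.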
Contact
If you open an incident ticket and need more support regarding the forensic acquisition, feel free to contact us.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
Revision
- Version 1.1 - TLP:WHITE - December 16, 2020
- Version 1.0 - TLP:WHITE - First version (included in the CIRCL incident response USB key)