The days of performing only traditional dead forensics on a host after a security incident are over.
A shift to live forensics and incident response investigations is underway, with a round of new tools focused specifically on collecting volatile data and memory analysis, and forensics experts demonstrating new ways to leverage these tools to fight malware and cybercrime at the recent SANS WhatWorks in Forensics and Incident Response Summit.
One attendee of the SANS summit this month, which was hosted by Rob Lee, a consultant with Mandiant and faculty member of SANS, blogged that a major take away from the conference was pulling the plug on Pull the Plug.
Pull the Plug refers to the old theory that the best way to preserve digital evidence on a suspect computer system was to pull the power plug from the back of the computer. This was typically the process that law enforcement officers and others followed, and generally accepted as standard procedure, even though many forensic investigators and researchers knew that a large amount of volatile got data lost when pulling the power. Volatile data present only in physical memory could contain IP addresses, URLs, email addresses, passwords, and other information that could be important to an investigation -- but was often lost forever.
The traditional argument against performing any incident-response techniques and forensic analysis on a running system is that it could destroy evidence. Although that can happen, this mindset is shifting because more data could be lost forever if the volatile data (physical memory) is not collected from a live system. The key is that the first responder understands the impact the collection tools he or she is using have on the system in question. That way, he or she can collect the information effectively and be able to explain it in court.
Three or more years ago, even if a first responder or forensic investigator created an image (forensic copy) of memory, the best they could do to analyze the memory image was to extract the readable text from it and look for clues. In 2005, the first of several publicly available tools emerged that extracted detailed information about network connections, running processes, and even processes that had ended from physical memory images of Windows machines. Since then, more Windows memory acquisition and analysis tools have been released and upgraded to help investigators access this valuable forensic data.
In the last six months, three new Windows physical memory acquisition tools were released that enhanced the ability of investigators to collect memory from Windows Vista and Windows Server 2003 machines. Several new plug-ins for the Volatility Framework -- a Python-based toolkit for extracting information from Windows memory images -- have been released as well, including two from Jesse Kornblum to recover TrueCrypt passwords and the command line used in suspicious processes.
F-Response, a new forensic tool that enables first responders and investigators to mount storage devices on remote Windows systems read-only, released a beta version last week that allows remote, read-only access to the physical memory on live Windows systems. Leveraging the power of F-Response and the Volatility Framework, Aaron Walters from Volatile Systems announced at the SANS Digital Forensics Summit a new enterprise incident response product, Voltage, that can continuously monitor the runtime state of systems, automatically capture portions of memory, and search for advanced persistent threats.
Collecting typical volatile data such as network connections, running processes, and open files is important, but thats only part of the reason that these new tools have been developed. Another key goal of these tools is to address todays malware threats and hacking tools.
When attackers and malware inject malicious code into running processes, the only evidence of the attack is in memory, and it rarely gets cached to the hard drive where disk-based tools could possibly detect it. At the SANS Summit, Aaron Walters described attacks where the intruder injected one-time use URLs into Web server processes. (See Richard Bejtlich's "Thoughts on 2008 SANS Forensics and IR Summit.") These attacks are completely invisible, for example, to an investigator only looking at files on the hard drive searching for the cause of Web page redirect to a competitor's site. Or, the investigator may think an attack was not successful because a malicious page stored on the hard drive isn't linked to a publicly accessible page.
Current threats and the realization that valuable evidence is being lost through traditional forensic methods is making live incident response and forensics a more acceptable and commonplace practice today. Live forensic analysis also can help determine if computer systems should be taken offline for deeper analysis. More importantly, it can allow for live acquisition of a running systems hard drive if the business decision is made that downtime could lead to irreparable damage to the company as a whole. Either way, its time for organizations that are relying solely on dead forensics to re-evaluate their incident response and digital forensic practices and see how live forensic analysis can help.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.