Tuesday 18 December 2012

six-step methodology for volatile data collection

Methodology for volatile data collection

Step 1: Incident Response Preparation.
Step 2: Incident Documentation.
Step 3: Policy Verification.
Step 4: Volatile Data Collection Strategy.
Step 5: Volatile Data Collection Setup.
Step 6: Volatile Data Collection Process.
These steps are designed to be used by an investigator to investigate intrusion cases common to larger networks. For purposes of this document, our focus is on Step 6. Steps in the Volatile Data Collection Process Step 6, Volatile Data Collection Process, involves the following five steps:
  1. Collect uptime, date, time, and command history for the security incident.
  2. As you execute each forensic tool or command, generate the date and time to establish an audit trail.
  3.  Begin a command history that will document all forensic collection activities.
  4. Collect all types of volatile system and network information.
  5. End the forensic collection with date, time, and command history.
A Methodology for the Law Enforcement Collection of Digital Evidence from a Running Computer. Some of the currently used tools include Helix, a bootable CD that is a collection of incident response tools, and “dd,” a tool written by George Garner to capture RAM . With the understanding that computer systems contain potential evidence that could be destroyed if traditional computer evidence collection methods are employed, investigators can use the following basic steps when collecting volatile evidence:
  •  Maintain a log of all actions conducted on a running machine.
  • Photograph the screen of the running system to document its state.
  •  Identify the operating system running on the suspect machine.
  •  Note date and time, if shown on screen, and record with the current actual time.
  • Dump the RAM from the system to a removable storage device.
  •  Check the system for the use of whole disk or file encryption.
  • Collect other volatile operating system data and save to a removable storage device.
  • Determine evidence seizure method (of hardware and any additional artifacts on the hard drive that may be determined to be of evidentiary value).
  • Complete a full report documenting all steps and actions taken.
These basic steps allow the on-scene investigator to collect data that was previously overlooked as unnecessary or simply lost out of ignorance. Open source and commercial tools are currently available that easily allow for this methodology to be followed on a running system. The RAM is dumped first to capture the greatest amount of evidence available. It must be noted that inserting any device into the running system (flash drive, removable drive, or CD) will make minor changes to the system, albeit very small changes. The proper use of these tools does not add evidence or contraband to the system. Running a program to dump the RAM requires that a very small amount of RAM be occupied by the tool to conduct the RAM dump. Inserting a removable drive into a USB port adds an entry to the Microsoft Registry. All of these changes have no effect on the overall state of the evidence and can be further documented at a later time by a traditional forensic examination. Some small changes are made during the process of using some of the available tools that require interaction with the Windows operating system. These changes however, occur to the operating system files only and do not fundamentally change the content of the data saved on the system.

  • Step 1: Incident Response Preparation.
  • Step 2: Incident Documentation.
  • Step 3: Policy Verification.
  • Step 4: Volatile Data Collection Strategy.
  • Step 5: Volatile Data Collection Setup.
  • Step 6: Volatile Data Collection Process.
These steps are designed to be used by an investigator to investigate intrusion cases common to larger networks. For purposes of this document, our focus is on Step 6. Steps in the Volatile Data Collection Process Step 6, Volatile Data Collection Process, involves the following five steps:
  1. Collect uptime, date, time, and command history for the security incident.
  2. As you execute each forensic tool or command, generate the date and time to establish an audit trail.
  3. Begin a command history that will document all forensic collection activities.
  4. Collect all types of volatile system and network information.
  5. End the forensic collection with date, time, and command history.
A Methodology for the Law Enforcement Collection of Digital Evidence from a Running Computer. Some of the currently used tools include Helix, a bootable CD that is a collection of incident response tools, and “dd,” a tool written by George Garner to capture RAM . With the understanding that computer systems contain potential evidence that could be destroyed if traditional computer evidence collection methods are employed, investigators can use the following basic steps when collecting volatile evidence:
  1.  Maintain a log of all actions conducted on a running machine.
  2.  Photograph the screen of the running system to document its state.
  3. Identify the operating system running on the suspect machine.
  4. Note date and time, if shown on screen, and record with the current actual time.
  5. Dump the RAM from the system to a removable storage device.
  6. Check the system for the use of whole disk or file encryption.
  7. Collect other volatile operating system data and save to a removable storage device.
  8. 8.   Determine evidence seizure method (of hardware and any additional artifacts on the hard drive that may be determined to be of evidentiary value).
  9. Complete a full report documenting all steps and actions taken.
These basic steps allow the on-scene investigator to collect data that was previously overlooked as unnecessary or simply lost out of ignorance. Open source and commercial tools are currently available that easily allow for this methodology to be followed on a running system. The RAM is dumped first to capture the greatest amount of evidence available. It must be noted that inserting any device into the running system (flash drive, removable drive, or CD) will make minor changes to the system, albeit very small changes. The proper use of these tools does not add evidence or contraband to the system. Running a program to dump the RAM requires that a very small amount of RAM be occupied by the tool to conduct the RAM dump. Inserting a removable drive into a USB port adds an entry to the Microsoft Registry. All of these changes have no effect on the overall state of the evidence and can be further documented at a later time by a traditional forensic examination. Some small changes are made during the process of using some of the available tools that require interaction with the Windows operating system. These changes however, occur to the operating system files only and do not fundamentally change the content of the data saved on the system.

1 comment:

  1. Nice blog post on incident response. Incident response tools can help automate your security. Thanks for sharing

    ReplyDelete