This version has been archived. Find the current version at on the Current Documents page. Archived Version. Capture of Live Systems

Transcription

1 Scientific Working Group on Digital Evidence Capture of Live Systems Disclaimer: As a condition to the use of this document and the information contained therein, the SWGDE requests notification by before or contemporaneous to the introduction of this document, or any portion thereof, as a marked exhibit offered for or moved into evidence in any judicial, administrative, legislative or adjudicatory hearing or other proceeding (including discovery proceedings) in the United States or any Foreign country. Such notification shall include: 1) The formal name of the proceeding, including docket number or similar identifier; 2) the name and location of the body conducting the hearing or proceeding; 3) subsequent to the use of this document in a formal proceeding please notify SWGDE as to its use and outcome; 4) the name, mailing address (if available) and contact information of the party offering or moving the document into evidence. Notifications should be sent to swgde@mail.ucf.edu It is the user s responsibility to ensure they have the most current version of this document. It is recommended that previous versions used be archived for future reference, as needed, in accordance with that agency s policies. Redistribution Policy: SWGDE grants permission for redistribution and use of all publicly posted documents created by SWGDE, provided that the following conditions are met: 1. Redistributions of documents or parts of documents must retain the SWGDE cover page containing the disclaimer. 2. Neither the name of SWGDE nor the names of contributors may be used to endorse or promote products derived from its documents. 3. Any reference or quote from a SWGDE document must include the version number (or create date) of the document and mention if the document is in a draft status. Page 1 of 7

2 Scientific Working Group on Digital Evidence 1. Purpose The purpose of this document is to provide guidance to the forensic community on acquiring data from live computer systems. A primary concern is the ability to capture and save data in a usable format. Factors such as the volatility or volume of data, restrictions imposed by legal authority, or the use of encryption may dictate the need to capture data from systems without interrupting the power cycle. 2. Scope This paper is limited to why an examiner might want to acquire digital data from live computer systems rather than the traditional static-only forensic acquisition. If the system is off, DO NOT TURN IT ON to make a live acquisition. CAUTION Great care must be taken when attempting to capture or acquire data from live systems. These are advanced techniques that require advanced training and tools to accomplish the desired results while minimizing the possible destruction of data or hardware. If the person attempting to acquire the data is unsure of the methods used to perform the acquisition, then professional assistance should be sought. 3. Limitations Careful planning should precede any on-site acquisition. Live acquisition requires additional planning and management of resources. Restrictions mandated by the courts may further complicate the details of these acquisitions. In many cases it is impossible to use typical forensic safe-guards and precautions (e.g., hardware write protection). During a typical static acquisition with safeguards, confusing input and output devices will cause a minor hindrance. Doing the same during a live acquisition could permanently destroy data. Additional equipment that is commonly available at a laboratory may not be available on-site. Tools and processes are considerably slower due to the reduced capacity and throughput of portable equipment. Malicious software, security conscious software and root kits are designed to restrict access to system data, hide information or hinder the collection of data. The structure of the data collected may make it difficult to process. For example, a memory dump from different operating systems will most likely contain data organized in a very different fashion. Page 2 of 7

3 The procedure described in this paper may or may not work on all operating systems, to include Microsoft Vista. 4. Technical Details Almost all processes used to acquire data from a live computer system will change that system in some fashion. Detailed notes are critical and will help document all changes to the data affected during the acquisition. Full system level access may be required in many instances (e.g., administrator or "root" level access). Consultation with a trusted local system administrator may be required. The following methods may be utilized in live acquisitions: RAM dump Acquisition of volatile system information Logical copying of files Live acquisition of the entire system Each of these can be used independently or in conjunction with other methods depending on the scope of the search. 4.1 Random Access Memory (RAM) dump A RAM dump copies data currently residing in the system memory. Recovering this data has several limitations that must be recognized. Ownership and related date and time information is not included and data may not be readable. When attempting to read the data, it may not appear in the same order as originally written and additional steps may be necessary to ensure that the data is in a format useful to the investigator. Data contained in the system s memory may include unsaved documents, recent chat sessions, user passwords, and other similar type information. Recovering data from the system s memory is done by utilizing a system level interface to raw memory tools such as dd or Helix Incident Response Disk with the input file "/dev/mem" or \\.\PhysicalMemory (depending on your operating system). These tools can be run from the system or an external device. Whether run from the system or an external device, portions of the memory will be overwritten. The recovered data can be exported to an external storage device. Careful documentation of this procedure will ensure the integrity of the recovered data. Page 3 of 7

4 4.2 Acquisition of volatile system information The base operating system and running applications in many cases keep volatile data, which is never stored on a physical drive. Additional information that may be obtained through a live acquisition includes: 1. Running processes a snapshot in time of what was running on the machine at the time. 2. Operating System Information - open files, active network ports, network connections including IP information, firewall configuration. 3. Unsaved data data that may not have been written to storage media or cached in RAM. 4. Shared network drives or folders knowledge of and access to data stored on networked drives, permissions. 5. Connected network users other users may have access to the data through a network share or logged into a remote shell. 3.3 Logical acquisition of selected files This procedure is typically used on network systems to copy logical files to removable media. Before accessing files, ownership, security and related date and time information should be captured using tools that preserve this data. Copying can be accomplished through the use of forensic tools or system migration tools. There may be instances where data is successfully recovered although the data becomes useless due to dependencies on system hardware or software. A visual verification of the copied data should be conducted independent of the original source to ensure that no such dependencies exist. Many other considerations may exist depending on the system s hardware and software architecture. Software on a system will access files as it runs. Files in this state can be described as open or locked. In many situations this data is a primary target of the acquisition. Special steps may be required to access this data. For instance when encountering a database or application, typically a tool is available to backup or export all data from that application. In addition to exporting data, it may be beneficial to first logically copy files used by that application. Encrypted data from Encrypted File System (EFS) files, Bitlocker, encrypted disk images, Pretty Good Privacy (PGP), and other encryption software may not be recoverable if the system is shut down. As long as encrypted files, folders or disks are open, they may be in a readable state and acquired through a live acquisition. If the system is turned off, the encrypted files may not be accessible. 3.4 Live Acquisition of Entire System Live acquisition of the entire system would include a ram dump, acquisition of volatile system information, and copying of logical files. Depending on the circumstances, it may be beneficial to image the volume(s) while the system is still running. It is recommended that the acquisition Page 4 of 7

5 be conducted in this order. This should only be attempted if the option of shutting down and imaging the drive is unavailable. Many encrypted systems emulate a storage device (e.g., under Linux a block device similar to that used to access a hard drive). If the system has encrypted file systems mounted or attached, it might be possible to image at the decrypted layer (e.g.,"/dev/loop0" block device under Linux). 4. Benefits There are many benefits to conducting a live acquisition. Additional data is captured that will not be available when conducting a static acquisition. The ability to capture data from a running system allows the system to continue serving its data. While the static acquisition of a system may be desired, the pros and cons of each method must be weighed to conform to the limitations encountered while conducting the search. Page 5 of 7

6 History: SWGDE Live Capture Rev # Issue Date Section History 1 03/06/07 All Document created by Standards and Accreditation Committee. Original Release for Public Comments. Page 6 of 7

7 Errata Sheet Name of Document and # Page # Section Comments 2 3 Begin section with following paragraph: Almost all processes used to acquire data Page 7 of 7