Windows Forensic Analysis

Introduction
Investigators today are increasingly facing situations in which the traditional, widely accepted computer forensic methodology of unplugging the power to a computer and then acquiring a bit-stream image of the system hard drive via a write blocker is, simply, not a viable option. For instance, it is becoming more common for investigators to encounter […]

Live Response: Collecting Volatile Data (Windows Forensic Analysis) Part 2

System Time
One of the first pieces of information you want to collect when you’re investigating an incident is the system time. This will give a great deal of context to the information collected later in the investigation, and will assist in developing an accurate timeline of events that have occurred on the system. Figure […]

Live Response: Collecting Volatile Data (Windows Forensic Analysis) Part 3

Tasklist
Tasklist.exe, a native utility included with Windows XP Pro and Windows 2003 installations (it is noticeably absent from Windows XP Home), is a replacement for tlist.exe. The differences between the two tools are subtle and mostly concern the names and the implementation of the switches. Tasklist.exe does provide options for output formatting, with choices […]

Live Response: Collecting Volatile Data (Windows Forensic Analysis) Part 4

Clipboard Contents
The Clipboard is simply an area of memory where data can be stored for later use. Most Windows applications provide this functionality through the Edit option on the menu bar. Clicking Edit reveals a drop-down menu with choices such as Cut, Copy, and Paste. Microsoft Word 2003 includes an Office Clipboard option. The […]

Live Response: Collecting Volatile Data (Windows Forensic Analysis) Part 5

Event Logs
Event Logs are essentially files within the file system, but they can change. In fact, depending on how they’re configured and what events are being audited, they can change quite rapidly. Depending on how the audit policies are configured on the "victim" system and how you’re accessing it as the first responder, entries […]
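The four collection steps excerpted above (system time, process listing, clipboard contents and Event Logs) are what a first responder typically scripts so that every item is taken in the same order and stamped with the time it was taken. The following is an added example written for this page, not a script from the book or its author; it assumes a current Windows host (PowerShell 5.1 or later, wevtutil present), that it is run from an elevated prompt, and that the output folder on the responder's own media is an arbitrary choice.

```powershell
# Added example, not from the book: minimal live-response collection of
# volatile data. Assumed: modern Windows, elevated session, $OutDir is on
# the responder's own media (never write evidence to the suspect disk).
param(
    [string]$OutDir = "E:\IR\$env:COMPUTERNAME"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Every step is stamped with the collector's clock (UTC) so the timeline can
# later be reconciled against the system clock captured in step 1.
function Write-Step([string]$Name, [scriptblock]$Command) {
    $path = Join-Path $OutDir "$Name.txt"
    "### $Name collected at $((Get-Date).ToUniversalTime().ToString('o')) UTC" | Out-File $path
    & $Command 2>&1 | Out-File $path -Append
}

# 1. System time: local time, UTC, time zone and boot time give context for
#    everything collected afterwards.
Write-Step "01_systemtime" {
    $os = Get-CimInstance Win32_OperatingSystem
    "LocalTime : $(Get-Date -Format 'o')"
    "UtcTime   : $((Get-Date).ToUniversalTime().ToString('o'))"
    "TimeZone  : $((Get-TimeZone).Id)"
    "LastBoot  : $($os.LastBootUpTime.ToString('o'))"
    "Uptime    : $((Get-Date) - $os.LastBootUpTime)"
}

# 2. Process listing: verbose tasklist output in CSV so it can be parsed later.
Write-Step "02_tasklist" { tasklist /v /fo csv }

# 3. Clipboard contents (text only; Get-Clipboard needs an interactive session).
Write-Step "03_clipboard" { Get-Clipboard -Raw }

# 4. Event Logs: export the .evtx files rather than reading entries live, so the
#    copy is frozen at collection time while the logs on the host keep changing.
foreach ($log in 'System', 'Security', 'Application') {
    wevtutil epl $log (Join-Path $OutDir "04_$log.evtx")
}

# Hash everything collected so the evidence can be verified later. The list is
# materialised before hashing so hashes.csv does not hash itself.
$files = Get-ChildItem $OutDir -File
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv (Join-Path $OutDir "hashes.csv") -NoTypeInformation
```

Running the script is itself activity on the host: the elevated logon and the log export land in the Security and System logs, and the tools loaded change the process list and memory. Record what you ran and when, so those artifacts can be separated from the incident later.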

Live Response: Data Analysis (Windows Forensic Analysis) Part 1

Introduction
Now that you’ve collected volatile data from a system, the question becomes "How do I ‘hear’ what it has to say?" or "How do I figure out what the data is telling me?" Once you’ve collected a process listing, how do you determine which process, if any, is malware? How do you tell whether […]

Live Response: Data Analysis (Windows Forensic Analysis) Part 2

Agile Analysis
Perhaps one of the most often stated reasons for not performing live response at all is an inability to locate the source of the issue in the plethora of data that has been collected. Many of the tools available for collecting volatile (and nonvolatile) data during live response collect a great deal of […]
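The two data-analysis excerpts above ask how a responder picks the few interesting entries out of a large process listing. The following is an added example for this page, not code from the book: it applies three simple checks to a tasklist /v /fo csv listing (core Windows processes running under a non-service account, image names within two edits of a core process name, and singleton processes that appear more than once). The CSV is constructed for illustration; the process list, account names and thresholds are assumptions made here, not rules stated by the book.

```powershell
# Added example, not from the book: narrowing a tasklist /v /fo csv listing to
# the entries worth a second look. The sample below is constructed; in practice
# read the saved listing with Import-Csv after dropping the collection stamp line.
$sample = @'
"Image Name","PID","Session Name","Session#","Mem Usage","Status","User Name","CPU Time","Window Title"
"System","4","Services","0","120 K","Unknown","NT AUTHORITY\SYSTEM","0:00:10","N/A"
"csrss.exe","520","Services","0","4,200 K","Unknown","NT AUTHORITY\SYSTEM","0:00:01","N/A"
"services.exe","640","Services","0","5,100 K","Unknown","NT AUTHORITY\SYSTEM","0:00:02","N/A"
"lsass.exe","652","Services","0","9,800 K","Unknown","NT AUTHORITY\SYSTEM","0:00:03","N/A"
"svchost.exe","804","Services","0","12,000 K","Unknown","NT AUTHORITY\SYSTEM","0:00:04","N/A"
"svchost.exe","1320","Console","1","3,400 K","Running","LAB\jsmith","0:00:00","N/A"
"lsass.exe","2288","Console","1","2,100 K","Running","LAB\jsmith","0:00:00","N/A"
"scvhost.exe","2560","Console","1","1,900 K","Running","LAB\jsmith","0:00:00","N/A"
"explorer.exe","1900","Console","1","40,000 K","Running","LAB\jsmith","0:00:20","Program Manager"
'@
$procs = $sample | ConvertFrom-Csv

# Accounts that core Windows service processes normally run as (assumption).
$serviceAccounts = 'NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE'
# Core processes; $true marks those expected to exist exactly once (assumption).
$core = @{ 'csrss.exe' = $false; 'services.exe' = $true; 'lsass.exe' = $true;
           'winlogon.exe' = $false; 'svchost.exe' = $false; 'smss.exe' = $true }

function Get-EditDistance([string]$a, [string]$b) {
    # Plain Levenshtein distance, used to catch look-alike names such as scvhost.exe.
    $d = New-Object 'int[,]' ($a.Length + 1), ($b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Find-SuspectProcesses($list) {
    $findings = @()
    foreach ($p in $list) {
        $name = $p.'Image Name'.ToLower()
        # Check 1: a core process running under an interactive user account.
        if ($core.ContainsKey($name) -and $serviceAccounts -notcontains $p.'User Name') {
            $findings += [pscustomobject]@{ PID = $p.PID; Image = $p.'Image Name'
                                            Reason = "core process running as $($p.'User Name')" }
        }
        # Check 2: a name that is almost, but not quite, a core process name.
        if (-not $core.ContainsKey($name)) {
            foreach ($c in $core.Keys) {
                $dist = Get-EditDistance $name $c
                if ($dist -gt 0 -and $dist -le 2) {
                    $findings += [pscustomobject]@{ PID = $p.PID; Image = $p.'Image Name'
                                                    Reason = "name is $dist edit(s) from $c" }
                }
            }
        }
    }
    # Check 3: singleton processes that appear more than once.
    foreach ($c in ($core.Keys | Where-Object { $core[$_] })) {
        $hits = @($list | Where-Object { $_.'Image Name'.ToLower() -eq $c })
        if ($hits.Count -gt 1) {
            $findings += [pscustomobject]@{ PID = ($hits.PID -join ','); Image = $c
                                            Reason = "expected one instance, found $($hits.Count)" }
        }
    }
    return $findings
}

Find-SuspectProcesses $procs | Format-Table -AutoSize
```

On the constructed sample this reports svchost.exe (1320) and lsass.exe (2288) for running as LAB\jsmith, scvhost.exe for being two edits from svchost.exe, and lsass.exe for appearing twice, while explorer.exe and the genuine service processes pass. tasklist does not record the image path or parent PID, so a hit here is a lead to pull from the process-to-executable and parent-child data collected separately, not a verdict.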

Windows Memory Analysis (Windows Forensic Analysis) Part 1

Introduction
In the last topic, we discussed collecting volatile data from a live, running Windows system. From the order of volatility listed in RFC 3227, we saw that one of the first items of volatile data that should be collected during live-response activities is the contents of physical memory, commonly referred to as RAM. Although the […]

Windows Memory Analysis (Windows Forensic Analysis) Part 2

Winen
Guidance Software also released its own tool for collecting the contents of physical memory, called winen.exe. Like some of the other tools, winen.exe is a CLI tool, but unlike the other tools, the memory dump is not collected in raw, dd-style format; instead, it is collected in the same proprietary imaging format used by […]

Windows Memory Analysis (Windows Forensic Analysis) Part 3

Alternative Approaches for Dumping Physical Memory
The tools we’ve discussed so far aren’t the only means by which the contents of physical memory can be dumped from a live system; several alternative methods have been put forth in the past. Some of those methods use native functionality inherent to the operating system (i.e., crash dumps) […]
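Whether the native crash-dump route is usable on a given host depends on how the system is already configured, because changing the dump settings takes a reboot and a reboot discards the very memory you wanted. The following read-only check is an added example for this page, not code from the book: it reads the documented CrashControl and keyboard-driver registry values and the page file settings. The interpretation table for CrashDumpEnabled and the rule of thumb that a complete dump traditionally needs a page file on the boot volume of at least physical RAM plus 1 MB are stated here as assumptions to verify against the documentation for the Windows version in front of you.

```powershell
# Added example, not from the book: read-only check of whether a live host is
# already set up to write a complete memory dump on a crash. Nothing is changed.
$cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

# Assumed mapping of CrashDumpEnabled values to dump types.
$dumpTypes = @{ 0 = 'none'; 1 = 'complete'; 2 = 'kernel'; 3 = 'small (minidump)'; 7 = 'automatic' }
$dumpType = $dumpTypes[[int]$cc.CrashDumpEnabled]
if (-not $dumpType) { $dumpType = "unknown ($($cc.CrashDumpEnabled))" }

$ramMB = [int]((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
# Win32_PageFileSetting is empty when the page file is system managed; a
# MaximumSize of 0 also means system managed.
$pageFiles = @(Get-CimInstance Win32_PageFileSetting)

$report = [ordered]@{
    DumpType      = $dumpType
    DumpFile      = if ($cc.DumpFile) { [Environment]::ExpandEnvironmentVariables($cc.DumpFile) } else { '(not set)' }
    Overwrite     = [bool]$cc.Overwrite
    PhysicalRamMB = $ramMB
    PageFiles     = if ($pageFiles.Count) { ($pageFiles | ForEach-Object { "$($_.Name) max $($_.MaximumSize) MB" }) -join '; ' } else { 'system managed' }
}

# Keyboard-initiated crash (hold right Ctrl, press Scroll Lock twice) is enabled
# per keyboard driver: i8042prt for PS/2, kbdhid for USB. It also needs a reboot.
foreach ($drv in 'i8042prt', 'kbdhid') {
    $p = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$drv\Parameters" -ErrorAction SilentlyContinue
    $report["CrashOnCtrlScroll_$drv"] = [bool]($p.CrashOnCtrlScroll)
}

[pscustomobject]$report | Format-List

if ($dumpType -ne 'complete') {
    Write-Warning "Only a '$dumpType' dump is configured; a forced crash would not capture all of physical memory."
}
if ($pageFiles.Count -and ($pageFiles | Where-Object { $_.MaximumSize -ne 0 -and $_.MaximumSize -lt ($ramMB + 1) })) {
    Write-Warning "Page file maximum is below RAM + 1 MB, which a complete dump has traditionally required."
}
```

If the report shows anything other than a complete dump, or no keyboard crash trigger, the host cannot be crashed into a full memory image without a configuration change and reboot, so one of the software imaging tools discussed earlier is the better option for capturing the current state.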