Live System Forensics

:hello:

I was just wondering what kind of tools/resources people use for live forensics? I know and use a lot of tools from sysinternals.com for malware analysis, I was wondering if anyone else knew of some powerful, reputable tools that can be used, as well as documents / resources on the process specifically.

Malware by Ed Skoudis goes over it a lot, I would like to hear about what people have to say about VMware and the forensic process. Does VMware allow you view action on the target OS, like files being opened, written to, processes, network activity, and the like? Or do you still have to bring in seperate software and install it?

Thanks in advance.

Hi,

http://digilander.libero.it/zancart

The product is called WinSonar. It monitors for unknown background processes and has a variety of tools.

Be careful with its autoprotection though................it wont even let you into task manager :cool: Not a problem because it detects internet connections and asks if you want to block unknown processes.................if you are using it as a forensics tool just say "no"

It prompts you when it detects an unknown process and lets you add it to a list of "good guys" so you can tune it rather like a firewall.

It protects itself against getting switched off. I use WinPatrol from BillP Studios, which gets round the task manager problem. WinSonar still gives a pop-up asking if you really want to close it.

I have actually used it to resolve a couple of really frustrating memory leak problems ;) not quite what it is intended for but I judge a tool by what it does, not what it says in the manual.

Cheers

PS Don't forget that SpyBot has some useful tools if you run it in advanced mode

http://www.foolmoon.net/security/wft/

Windows Forensics toolchest

http://e-fense.com/helix
I can't say enough about this yet..

Those are just a couple...

If you want a pretty comprehensive list of tools go to http://e-evidence.info . The site isn't the best looking one in the world..but who cares..it has more information than anywhere else.


As for VMware and the forensic process, I wouldn't bother. The only thing I use VMware for is hacking away at viruses and finding out their behavioral patterns. For that I use a number of freebie tools and some not so freebie tools(IDA pro). I typically get a disk containing an image of a compromised machine and I do a few things with it.
1) make 2 backup images
2) if it's been ghosted I will load it in vmware because I find it easier to identify malware from a live system than it is going through MAC times.
3) work off the backup images on my forensic station & vmware (but I typically have to crack a password or two)

To directly answer your question about what you can see...You can see everything.

Depending on what the machine was used for..I don't bother with vmware.

HTH
-hog

I wanted to post a quick note to anyone reading this post to let you know a new version of WFT was posted to my website (http://www.foolmoon.net/security/) as of last night. It has a number of new more powerful features over the previous version.

Monty McDougal (the author of WFT)

Live forensics is a bad idea. It is too low assurance to make it worth the effort. The problem is that the attcker (malware, rootkit, whatever) can use the security policy against the investigator. This means you'll need to do forensics again with the security policy disabled, so you'd might as well just start there.

cheers,

catch

Quote:

---

Live forensics is a bad idea. It is too low assurance to make it worth the effort. The problem is that the attcker (malware, rootkit, whatever) can use the security policy against the investigator. This means you'll need to do forensics again with the security policy disabled, so you'd might as well just start there.

---

I think that is an oversimplification/generalisation. It all depends on the forensic analysis you are carrying out.

If you are just investigating malware then it is highly unlikely that it will be using the security policy against the investigator. Most malware relies on an inadequate security policy in the first instance. In those circumstances live forensics have their uses. Sure you can release it on an unprotected machine to see what it does, but part of the exercise might also to be to determine how your policies/defences were circumvented.

Now, in the case of a cognoscient attack it is a different situation.

The reason I make this distinction is that the previous posts appear to be more focussed on malware/viruses rather than hacking. In other words, a relatively low technology and probably automated enemy.
:)

Monty (FoolMoon),

I was going to start a new thread pointing members of this site to your updated software as well as the other utilities you have written.. You have disapointed me by SPAMMING this forum.. How many more threads are you going to dredge up here and on other boards to promote your product? IF you software is good your subscription list alone would have popped threads on boards around and about, and it would have been far more effective for your products than this SPAMMING.
I trust the other boards treat you more kindly.

und3rtak3r

Quote:

---

It all depends on the forensic analysis you are carrying out.

---

And how do you know what you are looking for with any certainty without carrying out forensics?

That aside, if a system is acting unpredictably... it needs to be isolated and analyzed, even the discovery of simple malware may not be the full extent of the problem. Leaving this system connected is likely unacceptably dangerous.

cheers,

catch

Glenn (aka und3rtak3r),

Sorry if I have somehow offended you by posting a grand total of 5 messages about WFT to a few of the sites that I get visitors from. Please delete my mail, WFT, and your entire hard drive if you like since it is now obviously tainted with my “SPAM”. I posted to let a few people know (who might actually be interested) that I released an update to a program I have literally spent hundreds of hours developing (and then gave away for free). Obviously this effort has been wasted on you. And yes, I hope I am treated better on the other boards. It is crap like this that makes good people stop making useful tools.

Have a nice day. You have spoilt mine.

Monty

Quote:

---

And how do you know what you are looking for with any certainty without carrying out forensics?

---

Experience. The first question is always "hardware, software, malware, hacker?" A lot of malware is not very sophisticated in that it loads strange files, runs strange processes, tries to send mail, tries to connect to the internet, tries to edit the registry etc.

That sort of stuff is generally pretty susceptible to forensic tools.

Anyway you know what you are looking for..............the cause of whatever symptoms have made you look at the box in the first place.

:)