Thursday, December 20, 2012

Turn it off or not?

It has been a "gray" area in forensic acquisitions whether we should turn a system off or not.  If we look at certification exam requirements, we have to pull the plug on a client OS, and shut the system down with OS commands if it is a server.

In today's computers we have 4GB or more of memory, which was the size of a whole hard drive not too long ago.  A few years back, if someone had said, "I threw an 8GB hard drive into the trash since I thought it was not important," it would have landed investigators in jail.  We cannot make those kinds of decisions anymore just because we did it in the past.

The memory is a wealth of information in malware investigations and in dealing with encryption.  This is also shown in the new tool "Elcomsoft Forensic Disk Decryptor": http://www.elcomsoft.com/efdd.htm

The documentation mentions how it recovers the master key from live memory or from the hibernation file.

"By analyzing the hibernation file (if the PC being analyzed is turned off);
By analyzing a memory dump file;
By performing a FireWire attack (PC being analyzed must be running with encrypted volumes mounted)."

Now, if that is the case, then turning the system off will lose this information, and you could wait for weeks, if you're lucky, to crack the password for BitLocker, PGP or TrueCrypt.

Why not just include in the methodology and certification exam requirements the option of at least considering a memory capture before turning the system off?  I like the option of forcing the hibernation file to update and then pulling the plug if necessary.

powercfg.exe -h off
powercfg.exe -h on

This way, you can turn your system off and still have the memory to analyze.

"Drawbacks?" you might ask.
I believe digital forensics, just like any other science discipline, is based on pattern recognition, risk management, and process control.  Therefore, we have to look at any drawbacks in this method.  Since the Hiberfil.sys file will be as large as the physical memory in the system, you will overwrite unallocated space, 8GB of it in this case.  Thus, if you plan to data carve for previously deleted files, this might destroy evidence, which can be just as devastating to your case.  So, a lightweight memory dump utility (FAU's dd, mdd, or winen) might be the answer to this dilemma.  The main idea is to consider this option when encryption is suspected, or as a standard collection methodology.
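To show the hibernation option and the unallocated-space drawback side by side, here is an added triage script; it is not from the original post or from any tool named in it.  It assumes an elevated PowerShell prompt on the system being acquired, that the system volume is C:, that the examiner has already decided a memory capture is wanted, and an arbitrary 50% threshold for how much of the free space we are willing to overwrite.

```powershell
# Added example: record the hiberfil.sys trade-off, then either hibernate
# (forcing the hibernation file to update) or fall back to a memory dump tool.
# Assumed: elevated prompt, system volume C:, log path on examiner media.
$LogPath = "D:\case\hiberfil-triage.txt"   # assumed examiner media path

function Write-TriageLog([string]$Message) {
    $line = "{0} {1}" -f (Get-Date -Format o), $Message
    Write-Host $line
    Add-Content -Path $LogPath -Value $line
}

# Physical memory sets the size hiberfil.sys will grow to.
$ram  = [int64](Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"
$free = [int64]$disk.FreeSpace

# hiberfil.sys is hidden+system, so -Force is required to see it.
$hib = Get-Item "C:\hiberfil.sys" -Force -ErrorAction SilentlyContinue
$existing = if ($hib) { [int64]$hib.Length } else { 0 }

# Only the growth beyond the file's current allocation lands on unallocated
# space; an already-allocated hiberfil.sys just gets its contents replaced.
$growth = $ram - $existing
if ($growth -lt 0) { $growth = 0 }

Write-TriageLog ("RAM={0:N0} existing hiberfil={1:N0} free C:={2:N0} expected overwrite={3:N0} bytes" -f $ram, $existing, $free, $growth)

# Assumed threshold: if hibernating would consume over half of the free space,
# carving targets are at risk, so prefer a lightweight dump to removable media.
if ($growth -gt ($free * 0.5)) {
    Write-TriageLog "Decision: unallocated space at risk, use a memory dump utility instead"
    return
}

# Make sure hibernation is enabled so the file exists, then hibernate.
# After the machine powers down, the plug can be pulled and hiberfil.sys imaged.
powercfg.exe -h on
Write-TriageLog "Decision: hibernating to force hiberfil.sys update"
shutdown.exe /h
```

The log line is written before any change to the system, so the examiner has a contemporaneous record of why hibernation was chosen or rejected.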
