How To Acquire "Locked" Files From a Running Windows System

Pär Österberg Medina
Introduction
► Agenda
■ Introduction
■ Live system data acquisition
■ Obstacles
■ Solutions
Copyright © 2012,
McAfee, Inc.
www.foundstone.com
Who am I?
► Pär Österberg Medina
■ Has worked in IT security for over 15 years
■ Background in ethical hacking
■ Started and worked 8 years for the Swedish CERT
■ McAfee and Foundstone Professional Services
Live system data acquisition
► Live system data acquisition
■ Data is collected from a running system
  - System state is altered
■ Data is analyzed offline on a trusted system
► Live system forensics
■ Data is analyzed on the system that is being investigated
  - System state is altered even more
■ Can we trust the system we are investigating?
Type of data to acquire
► Volatile data – will not survive without power
■ Registers, cache
■ Network status
■ Process information
■ Main memory (RAM)
► Non-volatile data – stored on long-term storage media
■ Traditionally acquired from a powered-down system
  - Rebooting the system: data acquired using the same hardware
  - Removing the hard drives: data acquired using other hardware
Non-volatile data of interest
► Pagefile.sys
► NTFS file system metadata
  - $Mft
  - $MftMirr
  - $LogFile
  - …
► Windows Registry hives
► Handles that resolve to file objects
  - Running programs, loaded drivers, open files etc.
► Log files
► Binaries that are started at boot time
Why include non-volatile data in our live system data acquisition?
► The indications of a system compromise are not that strong
■ Be sure before the machine is powered off and the disk is imaged
► The system cannot be turned off
■ Business critical and/or production systems
► The compromise is still taking place
■ Attacker is still on the system
Obstacles
► Files are not visible in the file system
► Windows prevents us from acquiring them
Requirement
► The same method for acquiring files should be used regardless of Windows NT version
► Files should be acquired using a CLI for minimal system impact
► The acquisition process should be scriptable
Solution
► Use Win32 Device Namespaces to access the file
► List all the allocated clusters of the file we want
► Copy the file by carving out the clusters
Win32 Device Namespaces
► Win32 Device Namespaces
■ The "\\.\" prefix will access the Win32 device namespace instead of the Win32 file namespace. This is how access to physical disks and volumes is accomplished directly, without going through the file system, if the API supports this type of access. You can access many devices other than disks this way (using the CreateFile and DefineDosDevice functions, for example).
  http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx
How to manually list allocated clusters
► nfi
■ Included in the OEM Support Tools for NT 4.0 and Windows 2000
  http://support.microsoft.com/kb/253066
Manually carving out the clusters
► dd
■ FAU (Forensic Acquisition Utilities) by George M. Garner Jr., GMG Systems, Inc.
  http://www.gmgsystemsinc.com/fau/
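The three steps of the Solution slide (reach the volume through the Win32 device namespace, list the file's allocated clusters, carve the clusters out) as one script. This is an added Python example, not code from the talk or from any of the tools it lists. It assumes the file's data runs can be queried with FSCTL_GET_RETRIEVAL_POINTERS on a handle opened with zero desired access (some locked files may still refuse the open), and the volume in demo() is constructed.

```python
import struct, ctypes
from typing import Callable, List, Tuple

Extent = Tuple[int, int, int]   # (starting VCN, starting LCN, cluster count)
SPARSE_LCN = -1                 # NTFS reports an unallocated (sparse) run as LCN -1

def carve_file(read_at: Callable[[int, int], bytes], extents: List[Extent],
               cluster_size: int, file_size: int) -> bytes:
    """Rebuild a file from its clusters read raw off the volume, so file-system
    sharing locks never apply; last-cluster slack is trimmed, sparse runs zero-filled."""
    out = bytearray()
    for vcn, lcn, count in sorted(extents):
        if vcn * cluster_size != len(out):               # runs must be contiguous by VCN
            raise ValueError("gap in data runs at VCN %d" % vcn)
        length = count * cluster_size
        out += b"\0" * length if lcn == SPARSE_LCN else read_at(lcn * cluster_size, length)
    if len(out) < file_size:                             # runs shorter than the file: bad input
        raise ValueError("runs cover %d bytes but file is %d" % (len(out), file_size))
    return bytes(out[:file_size])

def win32_extents(path: str) -> List[Extent]:
    """Query a file's data runs with FSCTL_GET_RETRIEVAL_POINTERS (Windows only); the
    zero-access open is assumed to pass the sharing check that blocks a normal open."""
    k32, D, P = ctypes.windll.kernel32, ctypes.c_ulong, ctypes.c_void_p
    k32.CreateFileW.restype = P
    k32.DeviceIoControl.argtypes = [P, D, P, D, P, D, ctypes.POINTER(D), P]
    k32.CloseHandle.argtypes = [P]
    # dwDesiredAccess=0, share read|write|delete, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS
    h = k32.CreateFileW(path, 0, 7, None, 3, 0x02000000, None)
    if h is None or h in (0xFFFFFFFF, 0xFFFFFFFFFFFFFFFF): raise ctypes.WinError()
    start_vcn, ret = ctypes.c_longlong(0), D()
    buf = ctypes.create_string_buffer(1 << 20)   # ~65k extents; ERROR_MORE_DATA if exceeded
    ok = k32.DeviceIoControl(h, 0x00090073, ctypes.byref(start_vcn), 8,
                             buf, len(buf), ctypes.byref(ret), None)
    k32.CloseHandle(h)
    if not ok: raise ctypes.WinError()
    # RETRIEVAL_POINTERS_BUFFER: DWORD ExtentCount, 4 pad, LARGE_INTEGER StartingVcn, {NextVcn, Lcn}...
    count, vcn = struct.unpack_from("<I4xq", buf, 0)
    extents = []
    for i in range(count):
        next_vcn, lcn = struct.unpack_from("<qq", buf, 16 + 16 * i)
        extents.append((vcn, lcn, next_vcn - vcn))
        vcn = next_vcn
    return extents

def demo() -> bytes:
    """Constructed volume: 16 clusters of 512 bytes, cluster i filled with chr(65+i);
    the 'file' occupies clusters 5-6 then 2 and is 1436 bytes (100 bytes of slack)."""
    volume = b"".join(bytes([65 + i]) * 512 for i in range(16))
    return carve_file(lambda off, n: volume[off:off + n], [(0, 5, 2), (2, 2, 1)], 512, 1436)
```

On Windows, build read_at over open(r"\\.\C:", "rb", buffering=0) (seek to the offset, then read; cluster offsets satisfy the raw device's sector alignment) and pass win32_extents(path) with os.path.getsize(path) as file_size. Files small enough to be resident in their $Mft record have no data runs and must be taken from $Mft instead.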
Slack space
(Figure: a cluster built from 512-byte sectors. The file's Data is followed by RAM slack, the unused remainder of the last sector written, and by drive slack, the remaining sectors of the cluster.)
More automated solutions
► ifind & icat
■ Both are available from Brian Carrier's Sleuthkit
http://www.sleuthkit.org/sleuthkit/
Automated alternatives
► ntfscopy
■ Written by Jonathan Tomczak from TZWorks LLC
http://tzworks.net
► FGET or Forensic Get
■ Free tool from HBGary, Inc.
http://hbgary.com/free-tools
► ntdd
■ Tool written by Björn Brolin from Truesec
http://www.truesec.com
Version specific solutions
► Volume Shadow Copies
■ Introduced in Windows Server 2003
■ VSS monitors a volume for any changes to the data stored on it and will create backups only containing those changes
Conclusion
► By collecting data from a live system we can
■ Concentrate on acquiring relevant data
■ Shrink down both acquisition and analysis time
► The pagefile(s) can be collected adjacent to the memory dump
■ Important when reconstructing full process memory
Questions?