Basic Idea of Live Forensics Data Collection on Microsoft Windows System

Computer forensics deals with analysis after an incident or attack has occurred. The goals of this analysis are assessing the scope of the attack, how the attack happened, what was lost, who the culprit is, and so on. The first thing to do is to collect data for that analysis. There are two types of data for this. The first is static data, where the source computer is turned off before the data is collected. The second is live data, where the source computer cannot be turned off because it serves a critical purpose for the organization. In this article, I will provide you with a simple script for collecting live data on a Microsoft Windows system.

Script File

To run this script, copy and paste the code above into a text file named something.bat. Then you can run it from the Windows command prompt. You should keep this script on a secured thumb drive so that it cannot be tampered with by remnants of the attack that may still be running on the source computer. Below you will find sample output of the script. You can add more complicated commands to collect more data; however, this should be enough for an initial investigation.
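Since the original script did not survive on this page, here is an added example of what such a live-collection batch file looks like. It is not the author's script; the choice of commands, the output layout and the hashing step are this example's own. It assumes it is run from the collection drive (for example a USB stick, so that `%~dp0` resolves to a folder on that drive) in an elevated command prompt, and it uses only commands built into Windows (`netstat`, `tasklist`, `wevtutil`, `certutil` and so on).

```batch
@echo off
REM live_collect.bat - added example of volatile-data collection on Windows.
REM Not the script from the original article. Assumes it is started from the
REM collection drive in an elevated command prompt, so %~dp0 is on that drive.
setlocal EnableDelayedExpansion

REM One output folder per host and run. %DATE% and %TIME% are locale dependent,
REM so characters that are illegal in folder names are replaced.
set "STAMP=%DATE:/=-%_%TIME::=-%"
set "STAMP=%STAMP: =0%"
set "OUT=%~dp0collect_%COMPUTERNAME%_%STAMP%"
mkdir "%OUT%" || (echo Cannot create "%OUT%" & exit /b 1)

set "LOG=%OUT%\collection.log"
echo Live collection started %DATE% %TIME% on %COMPUTERNAME% by %USERNAME%> "%LOG%"

REM Order of volatility: the most short-lived data is collected first.
call :run 01_datetime     "echo %DATE% %TIME% & w32tm /tz"
call :run 02_whoami       "whoami /all"
call :run 03_netstat      "netstat -ano"
call :run 04_arp          "arp -a"
call :run 05_route        "route print"
call :run 06_dnscache     "ipconfig /displaydns"
call :run 07_ipconfig     "ipconfig /all"
call :run 08_tasklist     "tasklist /v"
call :run 09_tasklist_svc "tasklist /svc"
call :run 10_services     "sc query state= all"
call :run 11_drivers      "driverquery /v"
call :run 12_schtasks     "schtasks /query /fo LIST /v"
call :run 13_run_keys     "reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /s & reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s"
call :run 14_users        "net user & net localgroup administrators"
call :run 15_sessions     "net session & net use & net share"
call :run 16_hosts        "type %SystemRoot%\System32\drivers\etc\hosts"
call :run 17_systeminfo   "systeminfo"
call :run 18_security_log "wevtutil qe Security /c:200 /rd:true /f:text"

echo Live collection finished %DATE% %TIME%>> "%LOG%"

REM Hash every artifact so that later tampering can be detected.
REM certutil prints a header line and a trailer line around the hex digest;
REM skip=1 drops the header and findstr drops the trailer.
set "HASHES=%OUT%\sha256sums.txt"
for %%F in ("%OUT%\*.txt") do (
    if /I not "%%~nxF"=="sha256sums.txt" (
        for /f "skip=1 tokens=* delims=" %%H in ('certutil -hashfile "%%F" SHA256 ^| findstr /v /i "certutil"') do (
            echo %%H  %%~nxF>> "%HASHES%"
        )
    )
)
echo Done. Artifacts and hashes are in "%OUT%".
endlocal
exit /b 0

:run
REM %1 = artifact name, %2 = quoted command line. Output and errors go to one
REM file per artifact, and the log records what ran and when. Delayed expansion
REM (!CMD!) is used so that "&" inside the command line is not re-parsed here.
set "NAME=%~1"
set "CMD=%~2"
echo [!TIME!] !NAME!: !CMD!>> "%LOG%"
cmd /c "!CMD!" > "%OUT%\!NAME!.txt" 2>&1
exit /b 0
```

Two points are worth keeping in mind when using a script like this. First, the log and the SHA256 list document what was collected and when, which is what lets someone else later verify that the artifacts were not altered after collection. Second, even though the script itself lives on the thumb drive, every command it calls is the host's own binary under System32; malware that has tampered with those binaries, or a kernel-level rootkit, can hide from them, so a thorough investigation pairs this kind of quick collection with a memory image or tooling that brings its own trusted binaries.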

Sample Output

Comparison to Mandiant RedLine

Based on the comparison table above, both Mandiant RedLine and a self-made script can work for an initial forensics investigation. Mandiant RedLine has more features available, so it is more suitable for an actual, thorough investigation. However, although it is offered as freeware, the source code of Mandiant RedLine is not open, so we do not know exactly how it works. On the other hand, preparing a self-made script that covers all Mandiant RedLine features is an exhaustive task. For a small organization, it is therefore better to use a ready-made tool such as Mandiant RedLine.

A bigger organization that has more manpower may prefer to prepare its own tool, to make sure it really knows how the tool works. However, as this kind of tool is needed by many organizations, the best approach is to develop an open source version of it. That way, many organizations can collaborate on improving the tool, developing one that covers features comparable to Mandiant RedLine becomes easier, and we know exactly how it works. Based on my search, I found that there are at least two mature open source forensics tools available. They support adding custom modules and are backed by a commercial company for support. They are:

  1. SANS Investigative Forensic Toolkit (http://digital-forensics.sans.org/community/downloads)
  2. The Sleuth Kit and Autopsy (http://www.sleuthkit.org/, http://www.basistech.com/digital-forensics/autopsy/)

They offer features comparable to Mandiant RedLine, they are open source, and the companies that back them also provide commercially supported versions. Autopsy’s early funding from the U.S. Army and current funding from DHS S&T have allowed it to focus on ease of use. Bigger organizations may want to use them with commercial support; smaller organizations may use them without it. They can also test the tools freely and request commercial support only when needed. However, there is also a problem with open source: attackers can study the source code of the tool and prepare themselves to circumvent it.

The best answer to this problem is outlined in the article “Is Open Source Good for Security?” by David A. Wheeler, Ph.D., an expert in writing secure programs: http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/open-source-security.html. In summary, open source is better for security. It forces us to write code that follows standardized methods. Moreover, although both attacker and defender can look at the code, the more people look at it, the more chances there are to spot a vulnerability and fix it immediately.