TR-30 - Acquisition Support Tools for Local Incident Response Teams (LIRT)

Overview

In addition to CIRCL TR-22 - Recommendations for Readiness to Handle Computer Security Incidents, TR-30 provides a list of evidence acquisition support tools that can be used by Local Incident Response Teams (LIRT). The tools can be used to gather forensic evidence from Microsoft Windows systems, including memory, registry and other evidence.

We recommend acquiring evidence on the running systems, especially memory and registry evidence. In case of encrypted disks or hardware RAIDs, we recommend doing a live disk acquisition before shutting down the system. If the system is not encrypted, we recommend an off-line disk acquisition, if possible with a write-blocker device. To test whether a disk is encrypted, the EDD tool mentioned below can help you.

Be prepared

We advise having at least one, preferably several, USB sticks prepared in stock. In case of an incident response you just have to fetch one of the sticks and you are ready to start.

The USB stick should fulfil some essential requirements. To save time, it should be at least USB 3.0. You have to capture several GBytes of data and need to work fast. It would be a pain to wait endlessly for the data transfer.

The USB stick needs to provide enough space to store all the tools listed in this report, one or even more memory dumps and sometimes also some live acquisition data like the system registry, event logs, prefetch files and the like.

The file system needs to support large files. A FAT file system sounds like a good choice, but FAT32 only supports files up to 4 GByte. This is not enough for a memory dump these days. The exFAT file system supports large files and is supported by most computers. This is the file system of our choice.

These are the steps to prepare the USB stick:

1. Wipe the device.
2. Download all the tools mentioned below.
3. Verify the integrity of the downloads.
4. Unpack the tools onto the USB stick into a sub-folder.
5. Create an image of the USB stick.

With an image available it is much quicker to prepare the stick for the next incident.
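Step 3 (verifying the downloads) is the one most often skipped under time pressure. The following script is an added example, not part of TR-30: it checks each downloaded archive against the MD5 and SHA1 digests listed in this report and only accepts a file when both match. It assumes GNU coreutils (md5sum, sha1sum) on the preparation workstation; the archive file names in the manifest are assumptions, the digests are the ones printed in this document.

```shell
#!/bin/sh
# Added example (not part of TR-30): verify downloaded tools against the MD5 and
# SHA1 digests published in this report before unpacking them onto the USB stick.
# Assumes GNU coreutils (md5sum, sha1sum). The archive file names below are
# assumptions; the digests are the ones listed in TR-30.
TR30_MANIFEST='
Comae-Toolkit-3.0.20201127.zip 056cb0d48b140ab9f31de2c083cf0cc7 df0e34e56670fcf03bec4641d3b025eb3e6c70e3
FTKImagerLite_3.1.1.zip 4de49f1fdbb27a293d04e8569abc2640 10e4b44420f78f5bf1bbb4360f4b124d074c9fe6
EDDv301.zip 8984973bb318d5cb40b72bac9425d571 2597cfc0f012c043952635c49682d6b435a4e56c
SysinternalsSuite.zip 3bc9e27950d0f3ab29a7fb474e4daaa1 60277a0e85e70aaa6088dafb10a110fad6ba745e
nmap-7.91-win32.zip a8eedc0e7234ade22451ffc7e4047db6 462bfb0f7a7880fbdc05987994a65fc44d716654
'

# verify_file <path> <expected_md5> <expected_sha1>
# Returns 0 only when BOTH digests match (case-insensitive); 1 if the file is
# missing or either digest differs.
verify_file() {
    file=$1
    want_md5=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    want_sha1=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "MISSING  $file"; return 1; }
    got_md5=$(md5sum "$file" | cut -d' ' -f1)
    got_sha1=$(sha1sum "$file" | cut -d' ' -f1)
    if [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (md5 $got_md5, sha1 $got_sha1)"
    return 1
}

# verify_manifest <download_dir>
# Checks every manifest entry under <download_dir>; returns the number of
# entries that were missing or did not match (0 means the downloads are good).
verify_manifest() {
    dir=$1
    failed=0
    while read -r name md5 sha1; do
        [ -n "$name" ] || continue          # skip blank lines in the manifest
        verify_file "$dir/$name" "$md5" "$sha1" || failed=$((failed + 1))
    done <<EOF
$TR30_MANIFEST
EOF
    return "$failed"
}

# Usage: verify_manifest ~/Downloads/tr30; echo "failures: $?"
```

A non-zero result means a download was corrupted, replaced or never fetched; do not copy that archive onto the stick until the digests agree with the values printed in this report.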

Memory Acquisition: DumpIt

A quick and easy command line tool to acquire a raw memory dump on several Microsoft Windows versions. DumpIt is part of the Comae-Toolkit and supports several architectures like ARM64, x64 and x86.

Comae-Toolkit is free for personal usage but a registration is required.

Version: Comae-Toolkit-3.0.20201127 (as of 2020.12.16)

Download: Comae-Toolkit

MD5: 056cb0d48b140ab9f31de2c083cf0cc7

SHA1: df0e34e56670fcf03bec4641d3b025eb3e6c70e3

Usage:

cd Z:\comae\x86\
DumpIt.exe /OUTPUT memory_20201215_1138.bin
-- Press y to write the memory dump into the working directory

Memory and Live Acquisition: FTK Imager Lite

FTK Imager Lite is a GUI-based software to acquire physical disk images.

On running Windows systems it also supports the acquisition of memory and logical system images including the registry, event logs and the like.

FTK Imager Lite is free but a registration is required.

Version: FTK Imager Lite 3.1.1 (as of 2020.12.16)

Download: FTK Imager Lite

MD5: 4de49f1fdbb27a293d04e8569abc2640

SHA1: 10e4b44420f78f5bf1bbb4360f4b124d074c9fe6

Usage: GUI based

Encrypted Disk Detector: EDD

To capture a physical disk image, you have to shut down the computer or reboot from an external drive.

If the disk is protected by full disk encryption and you don’t have access to the passphrase, you will end up with no data to be analyzed.

EDD (Encrypted Disk Detector) is a command line tool to check for encrypted volumes (TrueCrypt, PGP, Bitlocker and others). Encrypted containers stored as files on the file system, however, won't be detected.

EDD is free but a registration is required.

Version: EDD v3.0.1 (as of 2020.12.16)

Download: EDDv301

MD5: 8984973bb318d5cb40b72bac9425d571

SHA1: 2597cfc0f012c043952635c49682d6b435a4e56c

Usage:

cd d:\EDDv301\
EDDv301.exe /accepteula

Sysinternals Suite

Sysinternals Suite is a collection of native Microsoft tools which are very useful when performing 'Live Analysis'. The entire set of Sysinternals tools is collected in a single archive.

All Sysinternals tools are free.

Version: November 04, 2020 (as of 2020.12.16)

Download: Sysinternals Suite

MD5: 3bc9e27950d0f3ab29a7fb474e4daaa1

SHA1: 60277a0e85e70aaa6088dafb10a110fad6ba745e

Usage: Sysinternals Suite

Security Scanner: Nmap

Nmap started as the most popular port scanner. Meanwhile its functionality goes far beyond that. Equipped with a scripting language and additional supporting tools, it has turned into a real security scanner.

While having a security scanner on board is useful, Nmap also comes with a very useful command line tool, 'ncat'. Ncat is a newly developed tool inspired by the legendary Netcat, also known as the 'Swiss Army Knife' of networking tools.

Ncat can be used to transport information from the computer to be analyzed over the network to your own workstation. There is a free command line version of Nmap for Windows.

Version: Nmap 7.91 (as of 2020.12.16)

Download: Nmap

MD5: a8eedc0e7234ade22451ffc7e4047db6

SHA1: 462bfb0f7a7880fbdc05987994a65fc44d716654

Usage: Open a NetCat listener on your workstation on port 9999:

nc -k -l 9999 >> analysis_20201216_1509.txt

Extracting live data from the suspicious PC to IP address 192.168.1.2:

echo "Date and Time" | ncat.exe 192.168.1.2 9999
date /t | ncat.exe 192.168.1.2 9999
time /t | ncat.exe 192.168.1.2 9999
echo "--------------------" | ncat.exe 192.168.1.2 9999

Contact

If you open an incident ticket and need more support regarding the forensic acquisition, feel free to contact us.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.1 - TLP:WHITE - December 16, 2020
  • Version 1.0 - TLP:WHITE - First version (included in the CIRCL incident response USB key)