In addition to CIRCL TR-22 - Recommendations for Readiness to Handle Computer Security Incidents, TR-30 provides a list of evidence acquisition support tools which can be used by Local Incident Response Teams (LIRT). The tools can be used to gather forensic evidence from Microsoft Windows systems, including memory, registry and other evidence.
We recommend acquiring evidence on the running system, especially memory and registry evidence. In the case of encrypted disks or hardware RAIDs, we recommend doing a live disk acquisition before the system is shut down. If the system is not encrypted, we recommend an offline disk acquisition, if possible with a write-blocker device. To test whether a disk is encrypted, the EDD tool mentioned below can help you.
We advise having at least one, better several, USB sticks prepared in stock. In case of an incident response you just have to fetch one of the sticks and you are ready to start.
The USB stick should fulfil some essential requirements. To save time, it should be at least USB 3.0. You have to capture several GByte of data and need to work fast; it would be a pain to wait endlessly for the data transfer.
The USB stick needs to provide enough space to store all the tools listed in this report, one or even more memory dumps and sometimes even some live acquisition data like the system registry, event logs, prefetch files and alike.
The file system needs to support large files. A FAT file system sounds like a good choice, but FAT32 only supports files up to 4 GByte. This is not enough for a memory dump these days anymore. The exFAT file system supports large files and is supported by most computers. This is the file system of our choice.
These are the steps to prepare the USB stick:
1. Wipe the device.
2. Download all the tools mentioned below.
3. Verify the integrity of the downloads.
4. Unpack the tools onto the USB stick into a sub-folder.
5. Create an image of the USB stick.
With an image available it's much quicker to prepare the stick for the next incident.
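As an added example that is not part of this report or of any of the listed tools, the following Python script builds a SHA-256 manifest of the prepared stick (steps 3 to 5 above) and verifies a stick against that manifest before it is taken to an incident; the paths and the sample tool tree are assumptions.

```python
"""Added example (not part of TR-30): SHA-256 manifest for the prepared USB
stick, built once the verified tools are unpacked and kept with the stick image
(not on the stick); the same hashing serves for acquired evidence files."""
import hashlib
import shutil
from pathlib import Path
# Constructed sample tree standing in for the unpacked tools (placeholder bytes).
SAMPLE_FILES = {
    "comae/x86/DumpIt.exe": b"placeholder for DumpIt.exe",
    "EDDv301/EDDv301.exe": b"placeholder for EDDv301.exe",
    "README.txt": b"CIRCL IR stick, prepared 2020-12-16\n",
}
def make_sample_stick(root):
    """(Re)create the constructed sample tree under root (assumed path)."""
    shutil.rmtree(root, ignore_errors=True)
    for rel, data in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so multi-GByte memory dumps need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Return {relative_posix_path: sha256} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def write_manifest(manifest, path):
    with open(path, "w", encoding="utf-8") as f:
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")  # same layout as `sha256sum`

def read_manifest(path):
    with open(path, encoding="utf-8") as f:
        pairs = (line.rstrip("\n").partition("  ") for line in f if line.strip())
        return {rel: digest for digest, _, rel in pairs}
def verify_tree(root, manifest):
    """Report files that are missing, modified or not listed in the manifest."""
    current = build_manifest(root)
    problems = {rel: "missing" if rel not in current else "modified"
                for rel, digest in manifest.items() if current.get(rel) != digest}
    problems.update({rel: "unexpected" for rel in current if rel not in manifest})
    return problems
```

The manifest file uses the `sha256sum` layout, so `sha256sum -c` on a Linux workstation checks the same stick.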
Memory Acquisition: DumpIt
A quick and easy command line tool to acquire a raw memory dump from several Microsoft Windows versions. DumpIt is part of the Comae-Toolkit and supports several architectures like ARM64, x64 and x86.
The Comae-Toolkit is free for personal usage but a registration is required.
Version: Comae-Toolkit-3.0.20201127 (as of 2020.12.16)
Usage:
cd Z:\comae\x86\
DumpIt.exe /OUTPUT memory_20201215_1138.bin
Press y to write the memory dump into the working directory.
Memory and Live Acquisition: FTK Imager Lite
FTK Imager Lite is a GUI-based software to acquire physical disk images.
On running Windows systems it also supports the acquisition of memory and logical system images including registry, event logs and alike.
FTK Imager Lite is free but a registration is required.
Version: FTK Imager Lite 3.1.1 (as of 2020.12.16)
Download: FTK Imager Lite
Usage: GUI based
Encrypted Disk Detector: EDD
To capture a physical disk image, you have to shut down the computer or reboot from an external drive.
If the disk is protected by full disk encryption and you don’t have access to the passphrase, you will end up with no data to be analyzed.
EDD (Encrypted Disk Detector) is a command line tool to check for encrypted volumes (TrueCrypt, PGP, BitLocker and others). Encrypted containers stored as files on the file system, however, won't be detected.
EDD is free but a registration is required.
Version: EDD v3.0.1 (as of 2020.12.16)
Usage:
cd d:\EDDv301\
EDDv301.exe /accepteula
Live Analysis: Sysinternals Suite
The Sysinternals Suite is a collection of native Microsoft tools which are very useful when performing 'Live Analysis'. The entire set of Sysinternals tools is collected in a single archive.
All Sysinternals tools are free.
Version: November 04, 2020 (as of 2020.12.16)
Download: Sysinternals Suite
Usage: Sysinternals Suite
Security Scanner: Nmap
Nmap started as the most popular port scanner. Meanwhile its functionality goes far beyond that: equipped with a scripting language and additional supporting tools, it has turned into a real security scanner.
While having a security scanner on board is useful, Nmap also comes with a very useful command line tool, 'ncat'. Ncat is a newly developed tool inspired by the legendary NetCat, also known as the 'Swiss Army Knife' of networking tools.
Ncat can be used to transport information from the computer to be analysed over the network to your own workstation. There is a free command line version of Nmap for Windows.
Version: Nmap 7.91 (as of 2020.12.16)
Usage: Open a NetCat listener on your workstation on port 9999:
nc -k -l 9999 >> analysis_20201216_1509.txt
Extracting live data from the suspicious PC to the IP address 192.168.1.2:
echo "Date and Time" | ncat.exe 192.168.1.2 9999
date /t | ncat.exe 192.168.1.2 9999
time /t | ncat.exe 192.168.1.2 9999
echo "--------------------" | ncat.exe 192.168.1.2 9999
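The workstation side of this exchange, as an added Python example that is not part of this report or of Nmap: a keep-open listener equivalent to the nc command above that additionally records the source address and UTC time of every ncat connection in the analysis file, so the file documents when and from where each piece of live data arrived. The port and file name are assumptions.

```python
"""Added example (not part of TR-30): a keep-open listener that plays the
role of `nc -k -l 9999 >> analysis_....txt` on the analyst workstation and
also records, per connection, the peer address and a UTC timestamp.  The
listening port and file name are assumptions."""
import socket
import socketserver
import threading
from datetime import datetime, timezone

class EvidenceHandler(socketserver.StreamRequestHandler):
    def handle(self):
        data = self.rfile.read()  # read until the sender (ncat.exe) closes its side
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        header = f"### {stamp} from {self.client_address[0]}\n".encode()
        with open(self.server.outfile, "ab") as f:  # append, like `>>`
            f.write(header + data)
            if data and not data.endswith(b"\n"):
                f.write(b"\n")

class EvidenceListener(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, outfile):
        super().__init__(address, EvidenceHandler)
        self.outfile = outfile

def start_listener(outfile, host="0.0.0.0", port=9999):
    """Serve in a background thread; returns the server (call .shutdown() to stop)."""
    srv = EvidenceListener((host, port), outfile)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def send_chunk(host, port, payload):
    """Sender side, equivalent to `echo ... | ncat.exe host port` on the suspect PC.
    Returns once the listener has closed the connection, i.e. the chunk is on disk."""
    with socket.create_connection((host, port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        while s.recv(4096):
            pass

if __name__ == "__main__":
    srv = start_listener("analysis_20201216_1509.txt")
    print("listening on", srv.server_address)
    threading.Event().wait()  # keep the main thread alive until Ctrl-C
```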
If you open an incident ticket and need more support regarding the forensic acquisition, feel free to contact us.
Classification of this document
TLP:WHITE information may be distributed without restriction, subject to copyright controls.
- Version 1.1 - TLP:WHITE - December 16, 2020
- Version 1.0 - TLP:WHITE - First version (included in the CIRCL incident response USB key)