Picking up where we left off in the last post, Quick Incident Response Techniques, we are about to connect to the hard drive and memory of a remote system, in this case a Windows 2000 VMware image. Our goal is to collect system information that will be helpful during an incident response.
At this point we have used the F-Response Enterprise Management Console (FEMC) to connect to the remote system. Now we are going to access these resources.
Login requests are performed by selecting the system disk or memory to access and then selecting Connect → Login to F-Response.
Successful logins will be represented by the blue F-Response icon. Selected disks and memory can now be accessed by any number of methods from the local operating system to data acquisition programs such as EnCase, FTK, FTK Imager, and ProDiscover, just to name a few. Analysts should note that the Connect tab in the FEMC now displays a Physical Drive location on the local system. Another welcome improvement in this new version.
Once connected to a remote system, the local operating system will attempt to assign a local drive letter to every partition whose file system it understands. To identify which drive letters have been assigned to these partitions, the local system’s Disk Manager can be used. When Disk Manager is opened, if the remote system’s memory has been connected, or if the local system does not recognize the remote file system, it may prompt the user to format the remote disk. As all disks are mounted as Read-only devices this should not be a problem, but selecting Cancel is the recommended action.
Disk Manager should now display all of the connected Physical Drives as well as any drive letters that have been assigned to them.
Now that the remote system’s disk and memory are accessible as local Physical Drives, as mentioned previously, any data analysis tool can be used to collect the information provided by these drives. One freely available tool that is capable of connecting to Physical Drives is AccessData’s FTK Imager.
To connect FTK Imager to Physical Drives an analyst only has to press the icon with the green plus symbol. This will produce the Select Drive window. Because of the new markings provided by FEMC each Physical Drive is clearly marked as to the remote system and Physical Drive number making it easy for analysts to keep track of the resources with which they are working.
Once connected to a remote drive using FTK Imager the analyst can review the information on the remote system and either acquire the full system or pull individual files including those that are normally locked by the operating system.
To create an image of memory the analyst only has to right-click on the Physical Drive representing the remote system’s memory and select Export. This will pop up the Create Image window, which allows the analyst to select the location to store the bit-stream image of memory.
Accessing files on Physical Drives that have been assigned Drive Letters does not require any special tools. As long as the local operating system understands the file structure, the individual files and folders can be accessed through Windows Explorer. This is Read-only access that allows the analyst to copy selected files out to their designated storage location. Unlike many data acquisition tools, however, the origin and other information pertaining to the copied file will not be saved for future use. Analysts will have to keep their own detailed notes when using this method of file access and collection. This type of access also allows for the use of many tools installed on the local system. Malware analysis is a great example: anti-virus scanners or the Gargoyle tool can be pointed at this Drive Letter to perform their malware analysis.
It should be noted, however, that reviewing some files and folders using this method may not be possible without elevated privileges. The local system is still going to honor settings such as those files and folders marked as “hidden.” To overcome this limitation, using the Windows Command Shell and programs such as Sysinternals’ PsExec may be necessary.
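Since an Explorer copy keeps none of the provenance an acquisition tool would, here is an added PowerShell example (not from the original post or from F-Response) that copies files from the read-only mounted volume while writing the notes the analyst would otherwise keep by hand: source path, attributes, timestamps, and a SHA256 of source and copy. The drive letter F:, the evidence folder, and the target list are assumptions for illustration.

```powershell
# Added example: collect files from an F-Response volume mounted read-only at a
# local drive letter and record provenance in a CSV manifest.
param(
    [string]$SourceRoot = 'F:\',                    # assumed letter from Disk Manager
    [string]$DestRoot   = 'D:\Case001\collected',   # assumed evidence store
    [string[]]$Targets  = @('WINNT\system32\config\SAM', 'Documents and Settings'),
    [string]$Manifest   = 'D:\Case001\collected\manifest.csv'
)

New-Item -ItemType Directory -Path $DestRoot -Force | Out-Null
$rows = @()

foreach ($target in $Targets) {
    $src = Join-Path $SourceRoot $target
    # -Force also returns items marked hidden/system, which Explorer hides by default
    $items = Get-ChildItem -LiteralPath $src -File -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        $rel  = $item.FullName.Substring($SourceRoot.Length)
        $dest = Join-Path $DestRoot $rel
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        $srcHash = ''; $dstHash = ''
        try {
            # Hash the source first, copy, then hash the copy so a mismatch is visible
            $srcHash = (Get-FileHash -LiteralPath $item.FullName -Algorithm SHA256).Hash
            Copy-Item -LiteralPath $item.FullName -Destination $dest -Force -ErrorAction Stop
            $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
            $status  = if ($srcHash -eq $dstHash) { 'copied' } else { 'hash mismatch' }
        } catch {
            # Locked or ACL-protected files land here; record them instead of failing silently
            $status = "failed: $($_.Exception.Message)"
        }
        $rows += [pscustomobject]@{
            Collected   = (Get-Date).ToUniversalTime().ToString('o')
            SourcePath  = $item.FullName
            DestPath    = $dest
            SizeBytes   = $item.Length
            Attributes  = $item.Attributes.ToString()
            CreatedUtc  = $item.CreationTimeUtc.ToString('o')
            ModifiedUtc = $item.LastWriteTimeUtc.ToString('o')
            AccessedUtc = $item.LastAccessTimeUtc.ToString('o')
            SourceSHA256 = $srcHash
            CopySHA256   = $dstHash
            Status       = $status
        }
    }
}

$rows | Export-Csv -LiteralPath $Manifest -NoTypeInformation
```

Files that fail with an access error are the ones the paragraph above describes; they stay listed in the manifest so a second pass with elevated privileges knows exactly what is still missing.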
But more on that later. For now I think this is enough.
Go forth and do good things,
Don C. Weber
Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported.