Scenario#1 You come up to a desktop computer that you have legal authority to forensically analyze. The computer is powered up but sitting at the Windows Login Screen. No chance to get an image of the RAM so you pull the plug from the back of the machine and retreat to the lab. At the lab you discover that the hard drive has been encrypted with BITLOCKER. What could you have done different at the scene to possibly obtain more information from the computer prior to shut down?
Scenario#2 A desktop computer running Vista is on and logged in with no apparent encryption. You attempt to dd the RAM (with any tool of your choice) to no avail, why? Because no matter the tool you use it requires an Administrator Username and Password that you do not have. So your choice is simple just pull the cord from the back of the case in frustration.
As you know, there are no currently available tools (or protocols) to acquire RAM while the machine is at the Windows Login Screen. There is also some VISTA Builds that require an Administrator Username and Password to make a image of the RAM. Here’s a new protocol that might work in these situtation and that I call the “Guillotine Method” for RAM Acquisition.
Basically GUILLOTINE runs on the following idea. Instead of pulling the power cord from the back of the machine, pull the power cord from the back of the hard drive running the OS, thereby stopping all writes to the drive. Then (fast as possible) reboot the machine into your favorite flavor of Knoppix (Command Line Mode) and dd the RAM Memory to USB.
Even if a USER had recently booted up the machine you still might find the SAM and SYSTEM files in the memory. If a USER recently logged out then you might have a ton of information including the NTUSER.DAT, $MFT and other files valuable to your investigation. (Remember if you have the SAM and SYSTEM (SYSKEY) files you have a chance to get the USERNAMES and PASSWORDS which could be another piece of the forensic puzzle)
According to Chow, Farmer and Venema- “…Computer People who know more then I!”
• “Although most computers automatically zero main memory upon rebooting- many do not. This is generally independent of the OS”
• “Motherboards fueled by Intel CPUs tend to have BIOS settings that clear main memory upon restart, but there is no requirement for this to happen”
So the Guillotine Method does not work in all cases but it works better then just pulling the plug from the back of the machine and calling it quits. So far I have had a laboratory success rate of approximately 60% on various machines (requires a more systematic approach to testing). It seems to work more frequently on higher-end machines with more RAM then on older machines with less RAM. Also machines with RESET buttons seem to work better then trying to hammer on the power buttons to get the computer to reboot.
You can also remove the cord from the back of the machine (after pulling the power on the hard drive) and reboot. But taking the power cord out and putting it back in (as fast as you can) usually degrades the data in the RAM (a number off the top of my head is 10-15% degradation – also needs a more systemic approach to testing). Which is still better chances then what we had before which was zero.
I came up with the term Guillotine because after you pull the power plug from the hard drive Windows will still respond for a second of two. “The lights are on but no one is home…”
This method is extreme and has not been thoroughly tested. It could be dangerous putting your hand into a live machine and removing the power from a live drive. For a great example ---When I tried this at home on my kids crappy little computer I stuck my hand into the motherboard fan while it was running. I didn’t hurt my hand but I bent the metal blades of my fan (Thanks to Steph B. for the replacement). BTW the Guillotine Method didn’t work on that machine.
I haven’t tried this method with any laptops (yet) .
Perform the “Guillotine Method” Ram Capture at Your Own Risk.
Not Responsible for any damage, problems or loss.
--------------------You make Your Own Choices- Take Responsibility for Them---------------
Thanks to Matt P. for his Help on This!!!
9 comments:
"pull the power cord from the back of the hard drive running the OS, thereby stopping all writes to the drive"
Why is this necessary? What's the significance of stopping all writes to the hdd? Will a computer reset not achieve the same thing? Just reboot directly into linux and dd RAM to usb?
I am curious about the rationale behind the step of removing power from the hdd... please explain.
Thanks!
I remove the HDD Cable for my piece of mind. As a forensic examiner one of my biggest concerns is not writing to the hard drive. I think this is a basic premise that we can all agree. By pulling the hdd cable I take the hdd out of the equation. So during the reboot if I not entirely sure which key to press to get into the BIOS / to alter the boot order or If I miss entirely I do not perform any writes to the hdd
Another similar example would be removing all hhd cables prior to booting a machine using an Encase (Linux) Boot Disk to do a network acquisition or preview. Using Guidance Software’s instructions, as a standard for current (best) practices, disconnecting the hdd for a “test” mode prior to going live with the boot disk is the correct procedure. (http://www.guidancesoftware.com/support/articles/EnCase_network.asp)
I see where you are coming from now. My concern is the act of pulling the power from the hdd could potentially short either the hdd and/or the motherboard/system. I think it's relatively safe to perform this action on newer hdd's like sata drives as they are even hot swappable. But on older pata drives, there's a real risk of damaging the drive or motherboard/computer or otherwise causing undesired hardware issues by suddenly removing the power cable from the hdd (I found this out the hard way). But there appears to be no alternative to this. It's a trade off between preventing hdd writes and getting to that data in the RAM quickly. Of course the safest thing to do is to shut off the machine, quickly disconnect the hdd power and data cable then restart the machine. But by that time, the data in the RAM may be completely degraded to render the exercise useless.
Thanks for your explanation. But I couldn't find a reference to performing the "test" mode step as best practice at the link provided (http://www.guidancesoftware.com/support/articles/EnCase_network.asp). Is that the correct link?
nd4spd
Guidance doesn't call it "test" mode they just label as step 1A at http://www.guidancesoftware.com/support/articles/EnCase_network.asp.
I agree that there is a possibility of damage but by the time I get to a machine I have legal authority to confiscated it (a suspect’ machine)so I have less concern about damage as long as I am reasonable in my collection process (I feel acquiring RAM is Reasonable!!!). Sometimes we break down doors to get machines, so...
The “Guillotine” trick is really for a” hostile” machine also known as the suspect’s machine. If it is a victim’s machine I’ll just use Knttools or dd. Knttools is the only tool I known that collects RAM in Vista but you need an Admin Username and Password (on the more robust versions of Vista). Not a problem for victim’s machines but I might not have that on a hostile machine.
I have also experimented with pulling the cord from the back of the machine and replacing as fast as possible to reboot the machine but have found some degradation. To pull a unscientific number out I would estimate a 10% value of degradation. That is of course with RAM Chips at running temperature.
Rick
Just Curious, what tool do you use to dump the ram after the reboot ? Can you recommend a very small footprint linux boot cd / USB key ?
Mialta
Michael I like DSL (Damn Small Linux) CD booting into command line mode (option #2 in DSL).
Have you tried analyzing any dumps retrieved by this method using Volatility?
Which mainboard did you use? I've tried 4 boards (Asus M2NPV-VM, Asus P5B, Asus P5Q Deluxe and a OEM-Board with a Celeron M) but they are all clearing RAM at startup.
Nice and very helpful information i have got from your post. Even your whole blog is full of interesting information which is the great sign of a great blogger.
Acer - 11.6" Chromebook - 4GB Memory - 320GB Hard Drive - Iron Gray
Acer - 11.6" Chromebook - 4GB Memory - 320GB Hard Drive - Iron Gray (C710-2487)
Post a Comment