{
    "id": "c666fcd4-22e2-48df-9716-4f71cf7824d6",
    "name": "How to Acquire Data",
    "slug": "how-to-acquire-data",
    "status": "published",
    "lab_type": "pta",
    "is_sample": false,
    "duration_in_seconds": 1800,
    "metadata": {
        "courses": [
            "bc2aa944-1a9f-4fe5-8dcf-3ec6b4b09065"
        ],
        "pta_sdn": "62",
        "pta_namespace": "my.ine",
        "learning_paths": [],
        "has_published_parent": true
    },
    "session": null,
    "company": "a491bc32-c056-4946-9169-cc053387bada",
    "created": "2022-03-28T19:13:47.788329Z",
    "modified": "2024-04-30T14:27:49.852864Z",
    "is_beta": false,
    "lab_objectives": [],
    "main_learning_area": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
    "learning_areas": [
        {
            "id": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
            "name": "Cyber Security",
            "slug": "cyber-security"
        }
    ],
    "categories": [],
    "tags": [],
    "difficulty": null,
    "is_web_access": false,
    "is_lab_experience": false,
    "is_featured": false,
    "cve": null,
    "severity": null,
    "year": null,
    "classification": null,
    "external_url": "",
    "solution_video": null,
    "explanation_video": null,
    "description": "# How to Acquire Data\n\n# Scenario\n\nIn these exercises, we will go through the process of collecting the most important data from a live Windows system, in order to start initial analysis and imaging the whole system for further analysis and investigations.\n\nThe scope of this lab is a hard disk drive with a Windows operating system installed on it.\n\n# Goals\n\n-   Collect volatile data\n-   Create a custom forensic image\n-   Create a full system image\n-   *Bonus: Perform Automated Live Response*\n\n# What you will learn\n\n-   How to collect volatile data\n-   How to dump the contents of the memory\n-   Why and how to create a custom forensic image\n-   How to create a full system forensic image\n-   How to perform automated live data acquisitions\n\nTo guide you throughout the lab process, you will find different Tasks. Tasks are designed for educational purposes, as well as to show you the usage of different tools and different methods to achieve the same goal. Please note that Tasks are not meant to be used as a methodology.\n\nArmed with the knowledge acquired from the content and the skills acquired from the Task(s), you can achieve the Lab goal. If this is the first time doing a lab, we advise that you follow these Tasks.\n\nOnce you have completed all Tasks, you can proceed to the end of the lab manual and check the solutions.\n\n# Recommended tools\n\n-   **AccessData FTK-Imager**\n-   **Different Windows CLI Commands and Tools**\n-   **BriMor Labs Windows Live Response Collection toolkit**",
    "tasks": "# Tasks\n\n## Task 1: Collecting Volatile Data Manually\n\nEvidence acquisition is one of the most important tasks to be done in order to start your investigation. Since data on a computer is not always persistent, especially data that is volatile, we need to start our data collection process by acquiring the volatile evidence first.\n\nFor this task, create a directory to store all acquired evidence, and gather the following data:\n\n1.  Date and Time\n2.  Currently running tasks\n3.  Current network connections\n4.  ARP Cache\n5.  Network Configurations\n6.  DNS and Routing Table\n7.  System Variables\n8.  User Information\n9.  Network Shares\n10. System Information\n\nStore all information in the same file, named with the acquisition date (ex: **LiveIR-050517.txt**), by redirecting each command's output with the double arrows \"**>>**\" (ex: **cmd >> file.txt**).\n\n## Task 2: Dumping the System's Memory\n\nFor this task, let's assume that we want to dump the system's memory (make a copy) so we can perform memory forensic investigations later on. Use the FTK Imager tool to acquire the memory of the suspect's machine.\n\nCompare the size of the memory image and the size of the actual system's memory, and make sure they match!\n\n## Task 3: Creating a Custom Forensic Image\n\n**Important:** You don't need Task 2 to go to Task 3 or Task 4. Note that if you perform Task 2, then the storage will be full. <u>Before proceeding to Task 3, reset the lab (Stop button, then Reset button) so that the space is freed, then go straight to Task 3 or Task 4. You don't need Task 2, which would fill up the space.</u>\n\n------------------\n\nIn this task, we will continue to use AccessData's FTK Imager to create an image file of specific system files to use for analysis. 
The custom image and files could be used to start the investigation process until a full system image comes through, if possible.\n\nLet's assume that the suspect's system that we want to gather information from already has an external drive (ex: USB) containing all required tools plugged into it. In a real-life scenario, the only difference will be that you will be plugging in your own USB thumb drive and running FTK-Imager from there.\n\nIn this task, create a custom image and make sure you gather the following:\n\nI.  File System Files\n\nII. Windows Registry Files\n    a.  SAM\n    b.  SYSTEM\n    c.  SOFTWARE\n    d.  SECURITY\n    e.  DEFAULT\n\nIII. Recycle Bin Files\n\nIV. Log Files (evtx, log, etc.)\n\nV.  Link Files (.lnk)\n\nVI. Cache Files (RecentFileCache.bcf)\n\nVII. User Files\n\nVIII. Task Files\n\nFinally, don't forget to encrypt the data gathered.\n\n**Important**: <u>You shouldn't add the AdminELS user's directory to the image. This is the account that was given to you to do the investigation. There is no need to investigate this account. Consider it clean....</u>\n\n## Task 4: Creating a Full System Image\n\nIn this task, we will be showing you how you could use AccessData's FTK Imager to create a forensic image file of the entire hard disk drive. An image file is a bit-stream copy (***forensic copy***) of the source physical drive. Various forensic analysis suites can open and examine FTK image files, like AccessData's Forensic Toolkit, EnCase, Digital Forensics Framework, OSForensics, and Autopsy (***more on this suite later***), to name only a few.\n\n**Note:** <u>For performance reasons, you are not required to take a forensic image of the Win10 machine's C: drive; this would take hours to complete, and there is not enough space to save the forensic image. 
This task's purpose is to show you how you could take a forensic image of a machine's entire disk, in a step-by-step manner.</u>\n\n**Make sure you understand the difference between this task and Task \\#3.**\n\n## Task 5: Automated Live Response\n\nIn this part of the lab, you are asked to use the BriMor Labs Windows Live Response Collection toolkit. One of the great benefits of using BriMor's Windows Live Response toolkit is that even if you forget to choose a specific artifact to acquire and add to your evidence image, the toolkit will acquire it automatically for you. The toolkit is regularly updated with new tools and files to acquire.\n\nUse the toolkit to run a live acquisition of system and user artifacts securely.",
    "published_date": "2020-10-20T15:32:26Z",
    "solutions": "# Solutions\n\n## Task 1: Collecting Volatile Data Manually\n\nFirst, connect to the Win10 machine using the credentials provided on page three and then create a directory on the desktop named \"**Cases**\". After that, inside that directory, create another directory named \"**Case01-PolicyViolation**\". All our work on the current case will be saved in this newly created directory.\n\nIn this part of the lab, we will be running a series of CLI commands to gather as much of the volatile information from the system as possible. The commands used in this lab are not the whole list of commands, but they are the most commonly used.\n\nStart your command line (cmd.exe); I assume you know how to do that. We will be redirecting the output of all our commands to a file named \"*liveIR-050517.txt*\".\n\n**[Note:]** Make sure that you use the double arrows \"**>>**\" from the second command onward when redirecting your output to the \"liveIR-050517.txt\" file, so that each command appends to the file instead of overwriting it.\n\nThe first command we will use stores the date and time of the system:\n\n```\n# echo %date% %time% > liveIR-050517.txt\n```\n\nNow let's take a snapshot of the currently running tasks:\n\n```\n# tasklist >> liveIR-050517.txt\n# tasklist /m >> liveIR-050517.txt\n# tasklist /svc >> liveIR-050517.txt\n```\n\nNow let's take a snapshot of the current network connections:\n\n```\n# netstat -nao >> liveIR-050517.txt\n```\n\nNow, the MAC addresses currently in the system's ARP cache:\n\n```\n# arp -a >> liveIR-050517.txt\n```\n\nThe system's network configuration:\n\n```\n# ipconfig /all >> liveIR-050517.txt\n```\n\nThe DNS configuration (the resolver cache):\n\n```\n# ipconfig /displaydns >> liveIR-050517.txt\n```\n\nRouting configuration:\n\n```\n# route print >> liveIR-050517.txt\n```\n\nWhich system variables have been set:\n\n```\n# set >> liveIR-050517.txt\n```\n\nSystem user information:\n\n```\n# net user %username% >> liveIR-050517.txt\n# net user >> 
liveIR-050517.txt\n```\n\nThe system's network shares:\n\n```\n# net share >> liveIR-050517.txt\n```\n\nGeneral workstation information:\n\n```\n# net config workstation >> liveIR-050517.txt\n```\n\nAnd finally, the general system information:\n\n```\n# systeminfo >> liveIR-050517.txt\n```\n\n## Task 2: Dumping the System's Memory\n\nAcquiring a memory image using FTK Imager is very simple and straightforward. To do that, follow the steps below:\n\n1.  First, make sure you open AccessData's FTK Imager [You can find it on the Desktop].\n2.  Now go to File -> Capture Memory.\n3.  A window like the one below will pop up.<br>\n![1](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/1.png)\n4.  In the \"**Destination path:**\" field, click on Browse and choose the directory you created for this case, \"**Case01-PolicyViolation**\".\n5.  Under the case directory, make a new directory for the volatile data.\n6.  In the \"**Destination filename:**\" field, make sure you name the memory image **Case1Memdump.mem**.<br><br>\n**Note:** Since we won't be going through memory forensics during this course, we can leave *pagefile.sys* unchecked and not include it within our acquisition.<br><br>\n7.  When you finish all the steps above, click on the \"**Capture Memory**\" button.\n8.  Wait until the acquisition is complete to move to the next step.\n\n## Task 3: Creating a Custom Forensic Image\n\nIn this lab, we will continue to use AccessData's FTK Imager to create an image file of specific system files to use for analysis. The custom image and files will be used to start the investigation process until a full system image comes through, if possible. To create a custom forensic image, do the following:\n\n1.  First, start by opening FTK Imager. A window like the screenshot displayed below will appear:<br>\n![2](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/2.png)\n2.  
Now either go to **File** -> \"**Add Evidence Item**\" or click on the first icon, the one with a single green plus on it. Both lead to the window seen below:<br>\n![3](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/3.png)\n3.  At this step, select the first choice, titled \"**Physical Drive**\", since we want to deal not only with the available files but also with those that might have been deleted, and then click **Next**.\n4.  From the drop-down list, make sure you choose the correct drive, especially if there is more than one drive on the system, and then click **Finish**.\n5.  Now, let's navigate inside the system and extract the files that we will be using for our analysis. Expand the second partition and make sure you are inside the \"**[root]**\" directory. You should see something similar to the image below.<br>\n![4](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/4.png)\n6.  I assume you are aware that the first partition is the one that Windows uses to store the system files (remember, when installing Windows, the installer will create two partitions: a hidden reserved partition and the system drive \"C:\").\n7.  Let's start the process of creating a custom image for the Windows system of our interest. Windows has different artifacts stored in different places. In this lab, if some of the artifacts that you will be extracting seem vague to you, don't worry; we will come to them later in the course and explain them in detail.\n8.  The artifacts of interest can be categorized as:\n\n    a.  File System Files\n\n    b.  Windows Registry Files\n\n    c.  Recycle Bin Files\n\n    d.  Log Files\n\n    e.  Link Files\n\n    f.  User Files\n\n    g.  Task Files\n\n9.  The first artifacts we will add to our custom image are the file system files: $MFT, $LogFile, $UsnJrnl. The first two, $MFT and $LogFile, can be found immediately in the root of the file system (directly under the C:\\\\ drive). 
Select the first file, then hold the \"**Ctrl**\" key and select the other. Now, right-click on the selection and choose \"**Add to Custom Content Image (AD1)**\". The figures below show the actions that have been done.<br>\n![5](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/5.png)\n<br>\n![6](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/6.png)\n<br>\n10. Navigate to \"**C:\\\\Windows\\\\System32\\\\Config**\" and select the files below, then add them to the custom image the same way, by right-clicking on them and choosing \"**Add to Custom Content Image (AD1)**\":\n\n    a.  SAM\n\n    b.  SYSTEM\n\n    c.  SOFTWARE\n\n    d.  SECURITY\n\n    e.  DEFAULT\n\n11. Now, navigate to the \"**C:\\\\Windows**\" directory, right-click on the \"**Tasks**\" directory and add it to the custom image.\n12. Now, let's select the Recent File Cache, which we can find under the directory \"**C:\\\\Windows\\\\AppCompat\\\\Programs**\", named \"**RecentFileCache.bcf**\". [Skip this if you can't locate it on the Win10 machine]\n13. Now, let's take a copy of the \"**setupapi.dev.log**\" file, which is found under the \"**[root]\\\\Windows\\\\inf\\\\**\" directory.\n14. Now, let's take a copy of all the Windows link (**.lnk**) files and log (**.evtx**) files. In the lower left corner of FTK Imager there is a \"**New**\" button; click it. A wildcard selection entry (\"**\\***\") will be created.\n15. Now select the wildcard entry in the \"**Custom Content Sources**\" window, and click on the \"**Edit**\" button.\n16. Since we are interested in the **.lnk** files, make sure you have \"**\\*.lnk**\" in the white field.\n17. Also, make sure that \"**Ignore Case**\" and \"**Match All Occurrences**\" are both selected. Then click OK. With these options selected, FTK Imager will search the whole drive for any matching occurrences and add them to the image file. 
With this option, even if you don't know the exact location of the files and all you know is the file extension, FTK Imager will do the rest for you.<br>\n![7](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/7.png)\n19. Do the same for the log files (**.evtx**) and then move on.\n20. Now, let's extract some user artifacts. Navigate to the user of interest, then right-click on the directory and add it to the custom image. Repeat this process for all the users you are interested in investigating.\n21. Now that we have all the files we need for our custom image, let's move on and create the image. In the lower left corner, you can see a \"**Create Image**\" button; click it.\n22. A window similar to the one in the figure below will appear.<br>\n![8](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/8.png)\n23. Now, click the \"Add\" button. A window similar to the figure below will appear.<br>\n![9](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/9.png)\n24. Now, fill in the fields properly and, when you finish, click the **Next** button to proceed.\n    a.  **Case Number:** write the number of this case.\n    b.  **Evidence Number:** write the number used to represent this evidence.\n    c.  **Unique Description:** write what is unique about the evidence in this case.\n    d.  **Examiner:** write your name.\n    e.  **Notes:** write any useful notes related to the evidence.\n25. In the new window, select the destination that you want to use to store your evidence. Usually, this will be an external drive, or a drive wiped for evidence usage. For this lab, we will be using a location on our system for storage. The figure below shows the new window.<br>\n![10](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/10.png)\n26. Click on the Browse button and choose the same location you used to store the memory (the Cases\\\\Case1-PolicyViolation directory).\n27. 
In the \"Image Filename\" field, give the image a name, for example: triage_image.\n28. For this part of the lab, leave the Image Fragment Size at its default value, \"1500\", and leave the Compression ratio at its default as well.\n29. Now, since handling digital evidence must be done properly and securely (otherwise you might violate or jeopardize the privacy of the suspect), make sure you select \"**Use AD Encryption**\". After that, click **Finish** to proceed.\n30. A new window prompts you to enter the password that will be used for this evidence image. Use the password **DFIR4AB2016**, then click OK. (**Note:** if you forget the password, then you're on your own, especially if you choose to use another password.)\n31. Before pressing **Start**, there is another useful option to select: \"**Create a directory listing of all files in the image after they are created**\". Make sure you select it and then click **Start**. Wait until the imaging process is finished.\n32. When the imaging process is complete, make sure that the imaging was successful. You can verify that by checking the computed and reported hashes. Both must show \"**Match**\", just like in the figure below.<br>\n![16](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/16.png)\n33. Close all the windows except the last one, where you will find an \"**Image Summary**\" button. Check the results there.\n34. After finishing the imaging process, in order to explore the contents, we will need to mount the forensic image. This will be done in lab \\#3.\n\n## Task 4: Creating a Full System Image\n\nIn this task, we will be showing you how to use AccessData's FTK Imager to create a full image file of the entire hard disk drive.\n\nWe remind you that, for performance reasons, you are not required to take a forensic image of the machine's C: drive; this would take hours to complete, and there is not enough space to save the forensic image. 
This task's purpose is to show you how you could take a forensic image of a machine's entire disk, in a step-by-step manner.\n\nTo complete this task, do the following steps:\n\n1.  Make sure you have started AccessData's FTK Imager.<br>\n![11](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/11.png)\n2.  We are taking a forensic image of the \"C:\" drive.\n3.  In FTK Imager, choose **File** from the drop-down menu and then \"**Create Disk Image**\".\n4.  When the Select Source window appears, select \"**Physical Drive**\" and click **Next**.<br>\n![12](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/12.png)\n5.  When the Select Drive window appears, click on the drop-down menu and select the physical drive that holds the C: drive, for example \"**\\\\\\\\.\\\\PHYSICALDRIVE1**\", and then click **Finish**.<br>\n![13](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/13.png)\n6.  When the \"Create Image\" window appears, click on the **Add** button.<br>\n![14](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/14.png)\n7.  When the \"Select Image Type\" window appears, select **Raw (dd)** and click **Next**.<br>\n![15](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/15.png)\n8.  When the \"Image Destination\" window appears, click the \"**Browse**\" button, navigate to our \"**Cases\\\\Case1-PolicyViolation**\" directory and then click **OK**.\n9.  In the \"Image Filename\" field, type **\"hdd_serial_no\"** and then click **Finish**.\n10. When the \"Create Image\" window appears, click **Start** and wait for the image to finish.\n11. After the image file has been created successfully, click the **Close** button.\n12. Then, open Windows Explorer and navigate to **Cases\\\\Case1-PolicyViolation**.\n13. We should confirm that the following two files have been created:\n    a.  hdd_serial_no.S01\n    b.  hdd_serial_no.S01.txt (text file)\n14. 
Now you have an FTK image file that can be opened and examined using AccessData's Forensic Toolkit (FTK) or any other forensic suite like Autopsy.\n\n## Task 5: Automated Live Response\n\nTo get started, open the \"**LiveResponseCollection-Bambiraptor**\" folder [C:\\DFP\\Tools\\LiveResponseCollection-Bambiraptor\\Windows_Live_Response]. Then:\n\n1.  Go to the Windows Live Response directory.\n2.  Double-click on the \"**Windows Live Response Collection.exe**\" file.\n3.  A window will appear, similar to the one below:<br>\n![17](https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/17.png)\n4.  Reading through the description below each option, I will assume that it is clear to you what each one does. I also assume that the difference between the first three options and the rest is clear; if you have trouble figuring out what each does, don't hesitate to ask your instructor.\n5.  Now, just to do a quick test, let's use the third option, titled \"**Secure-Triage**\", and then click \"**Run Selected Windows Live Response Script**\".\n6.  It will take some time to complete, and then you will be presented with a \"**Press any key to continue**\" prompt. Before you press the Enter key, make sure you have recorded the key to open the encrypted 7zip archive. Without this key you won't be able to open the final archive; you have been warned.\n7.  I recommend that you open the archive and check its contents. 7zip is not installed on the machine, but a copy can be found here: C:\\DFP\\Tools\\LiveResponseCollection-Bambiraptor\\Windows_Live_Response\\Tools\\7zip",
    "solutions_html": "<h1>Solutions</h1>\n<h2>Task 1: Collecting Volatile Data Manually</h2>\n<p>First, connect to the Win10 machine using the credentials provided on page three and then, create a directory on the desktop named \"<strong>Cases</strong>.\" After that, inside that directory, create another directory named \"<strong>Case01-PolicyViolation</strong>\". All our work on the current case will be saved in this newly created directory.</p>\n<p>In this part of the lab, we will be running a couple of CLI commands to gather as much of the volatile information from the system as possible. The commands used in this lab are not the whole list of commands, but they are the most commonly used.</p>\n<p>Start your command line (cmd.exe); I assume you know how to do that? We will be redirecting all our command results the output to a file named \"<em>liveIR-050517.txt</em>\".</p>\n<p><strong>[Note:]</strong> Make sure that you start using the double arrows \"<strong>&gt;&gt;</strong>\" from the second command when redirecting your output to the \"liveIR-050517.txt\" file.</p>\n<p>The first command we will use is to store the date and time of the system.</p>\n<pre class=\"codehilite\"><code># echo %date% %time% &gt; liveIR-050517.txt</code></pre>\n\n<p>Now let's take a snapshot of the currently running tasks:</p>\n<pre class=\"codehilite\"><code># tasklist &gt;&gt; liveIR-050517.txt\n# tasklist /m &gt;&gt; liveIR-050517.txt\n# tasklist /svc &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>Now let's take a snapshot of the currently available network connections:</p>\n<pre class=\"codehilite\"><code># netstat -nao &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>Now, the currently available MAC addresses that are in the system's ARP Cache:</p>\n<pre class=\"codehilite\"><code># arp -a &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>The system's network configuration:</p>\n<pre class=\"codehilite\"><code># ipconfig /all &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>The DNS 
configurations:</p>\n<pre class=\"codehilite\"><code># ipconfig /displaydns &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>Routing configurations:</p>\n<pre class=\"codehilite\"><code># route print &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>What system variables have been set:</p>\n<pre class=\"codehilite\"><code># set &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>System user information too:</p>\n<pre class=\"codehilite\"><code># net user %username% &gt;&gt; liveIR-050517.txt\n# net user &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>The system's network shares:</p>\n<pre class=\"codehilite\"><code># net share &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>General workstation information:</p>\n<pre class=\"codehilite\"><code># net config workstation &gt;&gt; liveIR-050517.txt</code></pre>\n\n<p>And finally the general system information:</p>\n<pre class=\"codehilite\"><code># systeminfo &gt;&gt; liveIR-050517.txt</code></pre>\n\n<h2>Task 2: Dumping the System's Memory</h2>\n<p>Acquiring a memory image using FTK Imager, is very simple and straightforward. To do that, follow the steps below:</p>\n<ol>\n<li>First, make sure you open AccessData's FTK Imager [You can find it on the Desktop].</li>\n<li>Now go to File -&gt; Capture Memory</li>\n<li>A window like the one below will pop-up. 
<br>\n<img alt=\"1\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/1.png\" /></li>\n<li>In the \"<strong>Destination path:</strong>\" field, click on Browse and choose the directory you created for this case, \"<strong>Case01-PolicyViolation</strong>\".</li>\n<li>Under the case directory, make a new directory for the volatile data.</li>\n<li>In the \"<strong>Destination filename:</strong>\" field, make sure you name the memory dump: Case1Memdump.mem <br><br>\n<strong>Note:</strong> since we won't be going through memory forensics during this course, we can leave the <em>pagefile.sys</em> unchecked and not include it within our acquisition.<br><br></li>\n<li>When you finish all the steps above, click on the \"<strong>Capture Memory</strong>\" button.</li>\n<li>Wait until the acquisition is complete to move to the next step.</li>\n</ol>\n<h2>Task 3: Creating a Custom Forensic Image</h2>\n<p>In this lab, we will continue to use AccessData's FTK Imager to create an image file of specific system files to use for analysis. The custom image and files will be used to start the investigation process until a full system image comes through, if possible. To create a custom forensic image, do the following:</p>\n<ol>\n<li>First, start by opening FTK Imager. A window, like the screenshot displayed below, will appear:<br>\n<img alt=\"2\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/2.png\" /></li>\n<li>Now either go to <strong>File</strong> -&gt; \"<strong>Add Evidence Item</strong>\" or click on the first icon with a single green plus on it. 
Both lead to the window seen below<br>\n<img alt=\"3\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/3.png\" /></li>\n<li>At this step, select the first choice titled \"<strong>Physical Drive,</strong>\" since we want to deal not only with the available files but also with those that might have been deleted, and then click <strong>Next</strong>.</li>\n<li>From the drop-down list, make sure you choose the correct drive, especially if there is more than one drive on the system, and then click <strong>Finish</strong>.</li>\n<li>Now, let's navigate inside the system and extract the files that we will be using for our analysis. Expand the second partition and make sure you are inside the \"<strong>[root]</strong>\" directory. You should see something similar to the image below.<br>\n<img alt=\"4\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/4.png\" /></li>\n<li>I assume you are aware that the first partition is the one that Windows uses to store the system files (remember, when installing Windows, the installer will create two partitions, a hidden reserved partition and the system drive \"C:\").</li>\n<li>Let's start the process of creating a custom image for the Windows system of our interest. Windows has different artifacts stored in different places. In this lab, if some of the artifacts that you will be extracting seem vague to you, don't worry, we will come to them later in the course and explain them in detail.</li>\n<li>\n<p>The artifacts of interest can be categorized as:</p>\n<p>a.  File System Files</p>\n<p>b.  Windows Registry Files</p>\n<p>c.  Recycle Bin Files</p>\n<p>d.  Log Files</p>\n<p>e.  Link Files</p>\n<p>f.  User Files</p>\n<p>g.  Task Files</p>\n</li>\n<li>\n<p>The first artifacts we will add to our custom image are the file system files: $MFT, $LogFile, $UsnJrnl. 
The first two files, $MFT and $LogFile, can be found immediately on the root of the file system (directly under the C:\\ drive). Select the first file, then press the \"<strong>Ctrl</strong>\" key and select the other. Now, right-click on the selection and choose \"<strong>Add to Custom Content Image (AD1)</strong>\". The figures below both represent the actions that have been done.<br>\n<img alt=\"5\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/5.png\" />\n<br>\n<img alt=\"6\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/6.png\" />\n<br></p>\n</li>\n<li>\n<p>Navigate to \"<strong>C:\\Windows\\System32\\Config</strong>\" and select the files below, then add them to the custom image the same way, by right-clicking on them and choosing \"<strong>Add to Custom Content Image (AD1)</strong>\":</p>\n<p>a.  SAM</p>\n<p>b.  SYSTEM</p>\n<p>c.  SOFTWARE</p>\n<p>d.  SECURITY</p>\n<p>e.  DEFAULT</p>\n</li>\n<li>\n<p>Now, navigate to the \"<strong>C:\\Windows</strong>\" directory, right-click on the \"<strong>Tasks</strong>\" directory and add it to the custom image.</p>\n</li>\n<li>Now, let's select the Recent File Cache, which we can find under the directory \"<strong>C:\\Windows\\AppCompat\\Programs</strong>\" named \"<strong>RecentFileCache.bcf</strong>.\" [Skip this if you can't locate it on the Win10 machine]</li>\n<li>Now, let's take a copy of the \"<strong>setupapi.dev.log</strong>\" file, which is found under the \"<strong>[root]\\Windows\\inf\\</strong>\" directory.</li>\n<li>Now, let's take a copy of all the Windows link (<strong>.lnk</strong>) files and log (<strong>.evtx</strong>) files. In the lower left corner of FTK Imager there is a button \"<strong>New</strong>,\" click it. A wildcard selection <strong>*</strong> will be created.</li>\n<li>Now select the wildcard entry in the \"<strong>Custom Content Sources</strong>\" window, and click on the \"<strong>Edit</strong>\" button.</li>\n<li>Since we are interested in the <strong>.lnk</strong> files, make sure you have \"<strong>*.lnk</strong>\" in the white field.</li>\n<li>Also, make sure the \"<strong>Ignore Case</strong>\" and \"<strong>Match All Occurrences</strong>\" options are both selected. Then click OK. With this selected, FTK Imager will search the whole drive for any matching occurrences and add them to the image file. With such an option, even if you don't know the exact location of the files, and all you know is the file extension, FTK Imager will do the rest for you.<br>\n<img alt=\"7\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/7.png\" /></li>\n<li>Do the same for the log files (<strong>.evtx</strong>) and then move on.</li>\n<li>Now, let's extract some user artifacts. Navigate to the user of interest and then right-click on the directory and add it to the custom image. Repeat this process for all the users you are interested in investigating.</li>\n<li>Now that we have all the files we need for our custom image, let's move on and create the image. In the lower left corner, you can see a \"<strong>Create Image</strong>\" button, click it.</li>\n<li>A window similar to the one in the figure below will appear.<br>\n<img alt=\"8\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/8.png\" /></li>\n<li>Now, click the \"Add\" button. A window similar to the figure below will appear.\n<img alt=\"9\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/9.png\" /></li>\n<li>Now, fill in the fields properly and when you finish click the <strong>Next</strong> button to proceed.\n    a.  <strong>Case Number:</strong> write the number of this case.\n    b.  
<strong>Evidence Number:</strong> write the number which is used to represent this evidence.\n    c.  <strong>Unique Description:</strong> write what is unique about the evidence in this case.\n    d.  <strong>Examiner:</strong> write your name.\n    e.  <strong>Notes:</strong> write any useful notes related to the evidence.</li>\n<li>In the new window, select the destination that you want to use to store your evidence. Usually, this will be an external drive, or a drive wiped for evidence usage. For this lab, we will be using a location on our system for storage. The figure below represents the new window.<br>\n<img alt=\"10\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/10.png\" /></li>\n<li>Click on the Browse button and choose the same location you used to store the memory (the Cases\\Case1-PolicyViolation directory).</li>\n<li>In the \"Image Filename\" field, give the image a name. For example: triage_image.</li>\n<li>For this part of the lab, leave the Image Fragment Size at its default value \"1500\", and leave the Compression setting at its default as well.</li>\n<li>Now, since digital evidence must be handled properly and securely, or you might violate or jeopardize the privacy of the suspect, make sure you select \"<strong>Use AD Encryption</strong>.\" After that, click <strong>Finish</strong> to proceed.</li>\n<li>A new window prompts you to enter the password that will be used for this evidence image. Use the password <strong>DFIR4AB2016</strong> then click OK. (<strong>Note:</strong> if you forget the password, then you're on your own, especially if you choose to use another password).</li>\n<li>Before pressing <strong>Start</strong>, there is another useful option to select: \"<strong>Create a directory listing of all files in the image after they are created</strong>.\" Make sure you select it and then click <strong>Start</strong>. 
Wait until the imaging process is finished.</li>\n<li>When the imaging process is complete, make sure that the imaging was successful. You can verify that by checking the computed and reported hashes. They both must show a \"<strong>Match</strong>\" just like the figure below. <br>\n<img alt=\"16\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/16.png\" /></li>\n<li>Close all the windows except the last one, where you will find an \"<strong>Image Summary</strong>\" button. Check the results there.</li>\n<li>After finishing the imaging process, in order to explore the contents, we will need to mount the forensic image. This will be done in lab #3.</li>\n</ol>\n<h2>Task 4: Creating a Full System Image</h2>\n<p>In this task, we will show you how to use AccessData's FTK Imager to create a full image file of the entire hard disk drive.</p>\n<p>We remind you that for performance reasons you are not required to take a forensic image of the machine's C: drive; this would take hours to complete, and there is not enough space to save the forensic image. 
This task's purpose is to show you how you could take a forensic image of a machine's entire disk, in a step-by-step manner.</p>\n<p>To complete this task, do the following steps:</p>\n<ol>\n<li>Make sure you have started AccessData FTK Imager.<br>\n<img alt=\"11\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/11.png\" /></li>\n<li>We are taking a forensic image of the \"C:\" drive.</li>\n<li>In FTK Imager, choose <strong>File</strong> from the drop-down menu and then, \"<strong>Create Disk Image</strong>.\"</li>\n<li>When the Select Source window appears, select \"<strong>Physical Drive</strong>\" and <strong>Next</strong>.<br>\n<img alt=\"12\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/12.png\" /></li>\n<li>When the Select Drive window appears, click on the drop-down menu and select the physical drive that holds the C: drive, for example, \"<strong>\\\\.\\PHYSICALDRIVE1</strong>\" and then click <strong>Finish.</strong><br>\n<img alt=\"13\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/13.png\" /></li>\n<li>When the \"Create Image\" window appears, click on the <strong>Add</strong> button.<br>\n<img alt=\"14\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/14.png\" /></li>\n<li>When the \"Select Image Type\" window appears, select <strong>Raw (dd)</strong> and <strong>Next</strong>.<br>\n<img alt=\"15\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/15.png\" /></li>\n<li>When the \"Image Destination\" window appears, click the \"<strong>Browse</strong>\" button, navigate to our \"<strong>Cases\\Case1-PolicyViolation</strong>\" directory and then click <strong>OK.</strong></li>\n<li>In the \"Image Filename\" field, type <strong>\"hdd_serial_no\"</strong> and then click <strong>Finish.</strong></li>\n<li>When the \"Create Image\" window appears, click <strong>Start</strong> and wait for the image to finish.</li>\n<li>After the image file has been created successfully, click the 
<strong>Close</strong> button.</li>\n<li>Then, open Windows Explorer and navigate to <strong>Cases\\Case1-PolicyViolation.</strong></li>\n<li>We should confirm that the following two files have been created:\n    a.  hdd_serial_no.S01\n    b.  hdd_serial_no.S01.txt (text file)</li>\n<li>Now you have an FTK image file that can be opened and examined using AccessData's Forensic Toolkit (FTK) or any other forensic suite like Autopsy.</li>\n</ol>\n<h2>Task 5: Automated Live Response</h2>\n<p>To get started, open the \"<strong>LiveResponseCollection-Bambiraptor</strong>\" folder [C:\\DFP\\Tools\\LiveResponseCollection-Bambiraptor\\Windows_Live_Response]. Then:</p>\n<ol>\n<li>Go to the Windows Live Response directory.</li>\n<li>Double click on the \"<strong>Windows Live Response Collection.exe</strong>\" file.</li>\n<li>A window will appear, similar to the one below:<br>\n<img alt=\"17\" src=\"https://assets.ine.com/content/ptp/lab_1_how_to_acquire_data/17.png\" /></li>\n<li>Reading through the description below each option, I will assume that it is clear to you what each one does. I also assume the difference between the first three options and the rest is clear; if you have trouble figuring out what each does, don't hesitate to ask your instructor.</li>\n<li>Now, just to do a quick test, let's use the third option titled \"<strong>Secure-Triage</strong>\" and then click the \"<strong>Run Selected Windows Live Response Script</strong>.\"</li>\n<li>It will take some time to complete and then you will be presented with a \"<strong>Press any key to continue</strong>.\" Before you press the Enter key, make sure you have recorded the key to open the encrypted 7zip archive. Without this key you won't be able to open the final archive; you have been warned.</li>\n<li>I recommend that you open the archive and check its contents. 
7zip is not installed, but it can be found here: C:\\DFP\\Tools\\LiveResponseCollection-Bambiraptor\\Windows_Live_Response\\Tools\\7zip</li>\n</ol>",
    "flags": [],
    "min_points_to_pass": null,
    "access_type": "default",
    "user_status": "unstarted",
    "user_lab_status": null,
    "user_status_modified": null,
    "user_flags": [],
    "global_running_session": null
}