Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


May 17, 2004

Performing Forensic Analyses, Part 1

The initial preparation
A Web Exclusive from Windows IT Pro
Matt Lesko
Feature
InstantDoc #42445
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
View this exclusive article with VIP access -- click here to join |
See More Security Articles Here | Reprints | Or sign up for our VIP Monthly Pass!

In "Building and Using an Incident Response Toolkit, Part 1," April 2004, InstantDoc ID 41900, and "Building and Using an Incident Response Toolkit, Part 2," May 2004, InstantDoc ID 42173, I discuss how to quickly and appropriately respond to a computer security incident. In this two-part article, I delve into the field of computer forensics and show you how to conduct an in-depth analysis of the compromised machine. The preparation for this analysis involves creating a bootable CD-ROM and duplicating the compromised machine's hard disk. You can then use several utilities to analyze the contents of that duplicate disk. Before I begin, however, let's quickly cover three basic forensic-analysis principles:

  • You must avoid changing any data on the corrupt machine. To preserve the data, you need to perform a forensic duplication of the compromised hard disk, verify that the duplicate disk is exactly the same as the original, then perform all the analyses on the duplicate disk. Most forensic tools are designed to work on duplicate disks to avoid changing any pertinent information (e.g., access times) on the compromised computer.
  • You shouldn't trust any programs or data on the compromised computer because the attack might have compromised them. By performing the forensic duplication, then using forensic tools on the duplicate disk, you avoid the use of potentially compromised programs and data.
  • You need to document the forensic duplication and analysis. One good documentation method is to create digital hashes of the compromised hard disk and the forensic image. If the hashes match, you've mathematically proven that the data hasn't been altered. You should also document the programs you run and their output. If you anticipate that the computer security case will go to court, you might consider having two parties document the forensic duplication and analysis.

Keeping these three principles in mind, let's look at how to create a bootable CD-ROM and how to make a copy of the compromised disk. Note that although these tasks involve running a few Linux commands, you don't need any prior knowledge of Linux to use the methods I describe. . . .


Already a VIP member?
Please log on to view the full article

Why become a VIP member?

VIP-only online access
VIP CD delivered twice a year: offline access to the entire Windows IT Pro article library
Monthly issue of your choice of Windows IT Pro or SQL Server Magazine

Subscribe Now
Top Viewed ArticlesView all articles
Battery Life Issues Almost Certainly Not Windows 7's Fault

While Microsoft is still investigating a notebook battery life issue that was supposedly caused by Windows 7, some interesting trends have emerged. ...

Confirmed: Battery Life Issues Not Windows 7's Fault

Microsoft on Monday issued a lengthy statement about the recent Windows 7 battery controversy, echoing my assessment from earlier in the day, but backing it up with hard, cold evidence. ...

Getting your iPhone to Sync with Exchange 2003

Follow these steps to use an iPhone with Exchange. ...
Related Articles Create a Live CD that Runs in Persistent Mode on a Bootable USB Drive

Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education
Related Events The Increasing Threat of Financially Motivated Data Theft

Disk-to-Disk Grows Up

Managing IT Across Multiple Locations

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Collaborate with Confidence
Accelerate deployment and simplify Microsoft SharePoint management with EMC solutions and services.

Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Announcing Symantec Backup Exec 2010
With integrated deduplication and unified archiving technology.
Feb 25 - Are your IT Systems distributed? Or Convoluted?
Find out why integrated management solutions are more important than ever in today's IT environments and what criteria to consider when evaluating those solutions.

Virtualization Faceoff – Join the Discussion
Blogs, free poster, videos, community commentary – IT experts and peers face off on VMware & Microsoft virtualization solutions.

Should Your Email Live in the Cloud?
This Forrester report shows how-to calculate your on-premise email costs and compare with cloud-based alternatives and offers best practices for reducing email costs.

Exchange Server 2010: Deploying Unified Communications
register for this free virtual event and build your Unified Communications future on a strong Exchange Server 2010 foundation

New from Left-Brain.com - Manage VMware with PowerShell
Learn how to perform everything from simple ad-hoc reporting at the command-line to complex scripts that automate a massive deployment of hundreds of virtual machines.  Solve your old problems using less code than you thought possible!
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2010 Penton Media, Inc. Terms of Use | Privacy Statement