Blue Team-System Live Analysis [Part 10]- Windows: User Account Forensics- In-use and Locked Files Acquisition
One of the main challenges in live forensics is dealing with in-use or locked files and resources. Unlike a traditional forensic investigation, during system live analysis we do not take a full forensic image of the hard disk.
Instead, we are interacting with a running, operational system, where a number of files and resources are held open by running processes and cannot be opened or copied with ordinary tools. Any attempt ends with the familiar error that the file is in use by another process.
Are you wondering how this relates to user account forensics? Let's review two important files [explained in part 8] that contain user activities and settings:
- NTUSER.DAT: the main registry hive of a user (loaded as HKEY_CURRENT_USER while the user is logged on). It resides in the user's profile folder and contains the most valuable forensic data.
- UsrClass.dat: just like NTUSER.DAT, UsrClass.dat is another per-user registry hive (loaded as HKEY_CURRENT_USER\Software\Classes, stored under AppData\Local\Microsoft\Windows in the profile) from which user-related information can be obtained.
We cannot use standard copy and paste to copy the above files for a logged-in user during a live investigation: the hives are held open by the system for as long as the profile is loaded, and Windows refuses the copy with a sharing violation.
What if we kill all the processes using a particular file to make it free and accessible?
Note: Rule number one in live analysis and digital forensics is to minimize modifications to the system under investigation. Killing processes changes the system's state and may destroy evidence, so it is not an option. Besides, a loaded hive such as NTUSER.DAT is held open by the kernel itself (the System process), not by an ordinary user process, so there is nothing we could safely kill anyway.
How about retrieving the files from Volume Shadow Copies? They are point-in-time snapshots of the volume and can be used to restore data when required!
Note: As explained earlier, shadow copies are great, but they are snapshots of the volume at a particular point in time and may not reflect the current state of files and resources. Besides, not every machine under investigation has System Protection (restore points) or shadow copies enabled.
Mmm… then what to do? There is a forensic method to acquire these files using FTK Imager: it reads the volume directly at the block level and parses the file system itself, below the sharing locks Windows enforces on open files, so in-use files can be exported. Let's do it…
1- Some Forensics Considerations
We could install FTK Imager on the victim machine and copy the files from there. Forensically, however, we are not supposed to install or copy anything onto the system under investigation.
The recommended best practice is to use external storage that contains a copy of FTK Imager: connect it to the system, copy the files, and save them onto that same external storage.
The external storage must be forensically clean, completely free of any actual or residual data, so that collected evidence cannot be mixed up with whatever data existed on the medium before.
A sterile medium also ensures the external storage is malware-free, avoiding any possible cross-contamination between the target and the examiner's environment.
2- USB Storage Wipe
Delete, Shift+Delete, quick format, full format..? No, none of them sterilizes the storage forensically. The storage may appear empty, but the files are still there and can be recovered. Why?
Because these operations only update the file system's metadata: deleting a file marks its clusters as free, and a quick format writes a fresh set of file system structures, but neither touches the file contents still sitting in the data area. A storage wipe, in contrast, overwrites the existing data with zeros or random data, ideally in several passes.
- Manual Storage Wipe
The standard Windows format command combined with the /P parameter can be used to wipe storage as follows:
format [Storage Drive] /fs:[type of file system] /p:[Number of Passes]
For instance, I want to forensically wipe my USB drive with drive letter G, formatting it as NTFS with two overwrite passes:
format g: /fs:NTFS /p:2
With /P, format first zeroes every sector on the volume and then overwrites the whole volume [Number of Passes] more times with random data, so /p:2 means one zero pass followed by two random passes (/p:0 zeroes the volume only once). Note that /P is ignored when /Q (quick format) is specified, so never combine the two. We will need a few packs of popcorn while waiting for the process to complete [the more passes, the longer it takes].
- CCleaner
We know the rules now; let's use some tools. There are a number of tools that provide a storage wipe function, and CCleaner is one of them, offering a 30-day free trial.
Note: Several other tools are available to wipe storage media; we just need to validate their publisher to make sure the software is reputable.
3- FTK Imager Preparation
As our USB drive is ready, it's time to install FTK Imager. Note that there are many other tools we could use, but FTK Imager is one of the leaders in the forensics industry with a high reputation, and it's free.
FTK Imager installation is pretty simple: execute the binary and click Next a few times. However, as mentioned several times, we are not supposed to install anything on the system under investigation. Here is the trick…
Install the tool on your own system or on any system dedicated to the investigation, then copy the installed program folder to the forensically wiped USB. FTK Imager runs directly from that copied folder, so nothing needs to be installed on the target.
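As an added example (not part of the original post and not an AccessData tool), here is a small Python script for the examiner's workstation that records a SHA-256 manifest of everything on the sterile USB once the FTK Imager folder is on it, and diffs the drive against that manifest when it comes back from the target. The folder names and file contents in its built-in demo are constructed; the baseline manifest is assumed to be kept on the case workstation, not on the USB itself.

```python
"""Hash manifest for the portable toolkit on the sterile USB drive.

Run on the examiner's workstation, never on the system under investigation.
Before the acquisition, record the SHA-256 of every file on the wiped drive
(which, at that point, should be nothing but the FTK Imager folder). After the
acquisition, diff the drive against that baseline: the only additions should be
the exported evidence, and nothing in the toolkit folder may have changed.
"""
import csv
import hashlib
import sys
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file below root (hidden files included) to its SHA-256."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        try:
            manifest[rel] = sha256_file(path)
        except OSError as exc:  # e.g. System Volume Information on an NTFS stick
            manifest[rel] = f"UNREADABLE: {exc.strerror}"
    return manifest


def write_manifest(manifest: dict[str, str], out: Path) -> None:
    with out.open("w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["path", "sha256"])
        writer.writerows(sorted(manifest.items()))


def read_manifest(path: Path) -> dict[str, str]:
    with path.open(newline="") as fh:
        return {row["path"]: row["sha256"] for row in csv.DictReader(fh)}


def compare(expected: dict[str, str], actual: dict[str, str]) -> dict[str, list[str]]:
    """Diff two manifests. All three lists empty means the drive is untouched."""
    common = expected.keys() & actual.keys()
    return {
        "added": sorted(actual.keys() - expected.keys()),
        "removed": sorted(expected.keys() - actual.keys()),
        "changed": sorted(p for p in common if expected[p] != actual[p]),
    }


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario in a temporary directory (no real drive involved):
    baseline a toy toolkit, then simulate the drive coming back with evidence
    exported, one tool binary modified and one file missing."""
    with tempfile.TemporaryDirectory() as tmp:
        usb, case = Path(tmp) / "usb", Path(tmp) / "case"
        (usb / "FTK Imager").mkdir(parents=True)
        case.mkdir()
        (usb / "FTK Imager" / "FTK Imager.exe").write_bytes(b"MZ constructed placeholder")
        (usb / "FTK Imager" / "readme.txt").write_bytes(b"constructed placeholder")
        write_manifest(build_manifest(usb), case / "usb-before.csv")  # kept off the USB
        # ...the drive is used on the target and comes back like this:
        (usb / "Evidence").mkdir()
        (usb / "Evidence" / "NTUSER.DAT").write_bytes(b"regf constructed placeholder")
        (usb / "FTK Imager" / "FTK Imager.exe").write_bytes(b"MZ tampered")
        (usb / "FTK Imager" / "readme.txt").unlink()
        return compare(read_manifest(case / "usb-before.csv"), build_manifest(usb))


if __name__ == "__main__":
    # usage: usb_manifest.py baseline <drive> <manifest.csv>
    #        usb_manifest.py verify   <drive> <manifest.csv>
    if len(sys.argv) != 4 or sys.argv[1] not in ("baseline", "verify"):
        print(run_demo())
        sys.exit(0)
    mode, drive, manifest = sys.argv[1], Path(sys.argv[2]), Path(sys.argv[3])
    if mode == "baseline":
        write_manifest(build_manifest(drive), manifest)
    else:
        for kind, paths in compare(read_manifest(manifest), build_manifest(drive)).items():
            for rel in paths:
                print(f"{kind}: {rel}")
```

Run `python usb_manifest.py baseline E:\ case\usb-before.csv` before leaving for the target and `python usb_manifest.py verify E:\ case\usb-before.csv` once the drive is back (with no arguments it runs the constructed demo). Everything under `added` should be exactly the evidence you exported; any `changed` or `removed` entry under the toolkit folder means the drive was altered while attached to the target, and the acquisition should be treated as suspect.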
Ready? 1…2…3… action…
4- Copy in-use / locked files
Now we can connect the USB drive to the target machine and run FTK Imager from it.
- Select “Add Evidence Item” from the File menu
- Select the “Logical Drive” option, as we are not going to image the entire physical disk
- Select the drive where the targeted locked file is located. I selected drive C in this post, and I'm going to make a copy of NTUSER.DAT.
- In the left-hand pane, the Evidence Tree, navigate to the target folder, in this case the user's profile folder under Users. There we can see NTUSER.DAT together with its transaction logs, NTUSER.DAT.LOG1 and NTUSER.DAT.LOG2.
- Select all the required locked files, right-click and choose Export Files. Take the .LOG1 and .LOG2 files along with NTUSER.DAT: a hive copied from a running system may still have changes sitting in the transaction logs that have not been written into the hive yet, and the logs are needed to replay them.
- Save the exported files onto the USB drive, not onto the target's disk. Done!
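Once the exported hive is on the USB, it is worth checking on the examiner's workstation that what came back is a usable hive and whether it was dirty when copied. The following Python script is an added example, not part of the original post or of FTK Imager: it parses the hive's 512-byte base block (the "regf" signature, primary and secondary sequence numbers, last-written FILETIME, embedded file name and base-block checksum, at the offsets defined by the Windows registry hive format) and hashes the file for the acquisition log. The sample hives it builds when run without arguments are constructed test data, not real evidence.

```python
"""Validate registry hives exported with FTK Imager before analysing them.

A hive copied from a running system may be "dirty": Windows writes changes to
the .LOG1/.LOG2 transaction logs first and flushes them into the main hive
later. The hive's 512-byte base block records enough to tell: if the primary
and secondary sequence numbers differ, the copy is dirty and the .LOG files
must be acquired alongside it and replayed. The base block also carries a
checksum and the last-written time, both worth recording in the acquisition log.
"""
import hashlib
import struct
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

BASE_BLOCK_SIZE = 512
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Constructed timestamp used only for the sample hives below, not real evidence.
SAMPLE_WRITTEN = datetime(2024, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10


def base_block_checksum(block: bytes) -> int:
    """XOR of the 127 DWORDs before offset 0x1FC, where the checksum is stored.
    Windows maps a result of 0 to 1 and 0xFFFFFFFF to 0xFFFFFFFE."""
    xor = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        xor ^= dword
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(xor, xor)


def parse_base_block(block: bytes) -> dict:
    """Decode the base-block fields that matter for acquisition."""
    if len(block) < BASE_BLOCK_SIZE:
        raise ValueError("file is shorter than a hive base block")
    if block[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    (primary, secondary, written, major, minor,
     file_type, _file_format, _root_cell, hbins_size) = struct.unpack_from("<IIQIIIIII", block, 4)
    # Offset 0x30: 64 bytes of UTF-16LE, usually the tail of the hive's path.
    name = block[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", block, 0x1FC)[0]
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "dirty": primary != secondary,        # True -> replay .LOG1/.LOG2
        "last_written": filetime_to_datetime(written),
        "version": f"{major}.{minor}",
        "file_type": file_type,               # 0 = primary hive file, otherwise a log
        "embedded_name": name,
        "hbins_size": hbins_size,
        "checksum_ok": stored == base_block_checksum(block),
    }


def check_hive_bytes(data: bytes, label: str) -> dict:
    info = parse_base_block(data[:BASE_BLOCK_SIZE])
    info["label"] = label
    info["size"] = len(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()  # record this in the acquisition log
    return info


def check_hive(path: Path) -> dict:
    return check_hive_bytes(path.read_bytes(), path.name)


def build_sample_base_block(primary: int, secondary: int, name: str) -> bytes:
    """Constructed test data: a minimal, checksum-valid base block with no hive bins."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = b"regf"
    struct.pack_into("<IIQIIIIII", block, 4, primary, secondary,
                     datetime_to_filetime(SAMPLE_WRITTEN), 1, 5, 0, 1, 0x20, 0x1000)
    encoded = name.encode("utf-16-le")
    block[0x30:0x30 + len(encoded)] = encoded
    struct.pack_into("<I", block, 0x1FC, base_block_checksum(bytes(block)))
    return bytes(block)


def report(info: dict) -> str:
    state = "DIRTY - acquire and replay .LOG1/.LOG2" if info["dirty"] else "clean"
    return (f"{info['label']}: {state}; seq {info['primary_seq']}/{info['secondary_seq']}; "
            f"last written {info['last_written'].isoformat()}; "
            f"checksum {'ok' if info['checksum_ok'] else 'BAD'}; sha256 {info['sha256']}")


if __name__ == "__main__":
    paths = [Path(p) for p in sys.argv[1:]]
    if paths:  # e.g. python check_hive.py E:\Evidence\NTUSER.DAT
        for p in paths:
            print(report(check_hive(p)))
    else:      # no arguments: demonstrate on the constructed samples
        print(report(check_hive_bytes(build_sample_base_block(7, 6, "ntuser.dat"), "sample-dirty")))
        print(report(check_hive_bytes(build_sample_base_block(9, 9, "ntuser.dat"), "sample-clean")))
```

A hive reported as DIRTY was copied while changes were still pending in its transaction logs, which is exactly why NTUSER.DAT.LOG1 and NTUSER.DAT.LOG2 are exported together with the hive; a failed checksum means the base block itself is damaged and the export should be repeated. The SHA-256 goes into the acquisition notes so the copy can be re-verified later.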
Stay tuned… we are going to dive deep into user account activity investigation now that we have a copy of the in-use NTUSER.DAT in hand. The same technique can be used to acquire the other registry hives under Windows\System32\config, such as SYSTEM, SAM, SECURITY, SOFTWARE and DEFAULT.