Should data from a corrupted workstation be transferred to a forensics laptop?

If a Windows workstation is compromised, should the information be transferred to a forensics laptop? Or is it better to use USB pen drives or a Windows share? In this expert Q&A, Ed Skoudis explains the three options and decides which one is best.

I've been building a forensics toolkit for my company. Some say that when dealing with a compromised Windows workstation, you should transfer information from the corrupted workstation to the forensics one. What are the benefits of this method, rather than putting the information in a USB pen drive or a Windows share on the forensics laptop?

As far as moving the data goes, you've basically given yourself three options:
  1. Simply transferring the information (I'll elaborate further)
  2. Using a USB token (often referred to as a "pen drive")
  3. Using a Windows share on the forensics laptop

I like to transfer data across the network to a forensics laptop (option 1) because it not only minimizes the impact on the infected machine itself, but it also lowers the chance of compromising the forensics laptop. Installing a USB token (option 2) will almost always force the system to load drivers, altering the kernel and software. While those alterations are likely not going to affect your evidence, I like to minimize any changes to the system.

In option 3, you suggest moving data across a Windows share to the forensics system. To do that, however, the forensics machine must have a Windows share available on the network, and to mount that share on the forensics laptop, you'll need to provide a user ID and password. Entering such credentials into a compromised system is a scary proposition and one that I'd avoid. You might be thinking, "Why not just use guest access of a Windows share on the forensics laptop?" That scares me as well, since the chances are better that malware on the infected machine could spread uncontrollably to the forensics laptop.

That's why I prefer the first option, transferring data without using Windows shares. To send data across the network, I like to use Netcat, a free, general-purpose tool that uses TCP or UDP to move data between systems. Users can run a given command and pipe its output into a Netcat client, which can shoot the data across the network to a forensics laptop, where a Netcat listener waits for it and writes it into the file system. With a batch script file, Netcat easily and quickly gathers a whole bunch of data from a compromised machine. The chance of an attacker spreading malware across Netcat is very small indeed, far lower than via Windows shares.

To help automate the Netcat process, you can use Harlan Carvey's free Forensic Server Project (FSP), a great tool that automatically gathers and stores forensics data using the Netcat method described above. I highly recommend Carvey's brand-new book called Windows Forensics Analysis DVD Toolkit, which describes the important data in a compromised system. He also explains how to use scripts and the FSP to improve your abilities to gather and analyze data.
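A collection batch script of the kind the answer above describes, as an added example that is not part of the original article and is not Harlan Carvey's Forensic Server Project. It assumes a known-good nc.exe sits next to the script on a read-only tool CD, takes the forensics laptop's IP address and port as arguments, and sends every command's output over one TCP connection; the host names, addresses, paths and file names used here are hypothetical.

```batch
@echo off
REM collect.bat  (added example; not from the original article or Carvey's FSP)
REM Gathers volatile data from a compromised Windows host and sends ALL of it
REM over one TCP connection to a Netcat listener on the forensics laptop.
REM Nothing is written to the compromised disk.
REM
REM Assumed layout: this script and a known-good nc.exe sit together on a
REM read-only tool CD, so %~dp0 points at trusted binaries. cmd.exe itself
REM still comes from the suspect host unless you start a trusted copy first.
REM
REM On the forensics laptop, start one listener per host BEFORE running this:
REM     nc -l -p 4444 > volatile-HOSTNAME.txt
REM and hash the file once the connection closes:  sha256sum volatile-HOSTNAME.txt
REM
REM On the compromised host, from a cmd prompt (hypothetical drive and address):
REM     D:\tools\collect.bat 10.0.0.5 4444
setlocal
if "%~1"=="--collect" goto :collect
if "%~1"=="" (
    echo Usage: %~nx0 forensics-ip [port]
    exit /b 1
)
set "FORENSICS_IP=%~1"
set "FORENSICS_PORT=%~2"
if "%FORENSICS_PORT%"=="" set "FORENSICS_PORT=4444"
set "TOOLS=%~dp0"

REM Labelled subroutines cannot run inside a parenthesised block that is
REM piped (cmd runs the block in a child without batch context), so the
REM script re-invokes itself in collect mode as the producer side of the pipe.
call "%~f0" --collect | "%TOOLS%nc.exe" -w 5 %FORENSICS_IP% %FORENSICS_PORT%
if errorlevel 1 echo WARNING: nc reported an error; check the listener on %FORENSICS_IP%:%FORENSICS_PORT%.
exit /b

:collect
REM Prefer trusted copies of the standard tools if the CD carries them. Any
REM tool still taken from the host can be lied to by a rootkit, so the
REM header records where the tools came from for the analyst.
set "PATH=%~dp0;%PATH%"
echo ===== COLLECTION START host=%COMPUTERNAME% user=%USERNAME% tools=%~dp0 =====
REM Most volatile first: time, network state, processes; then accounts,
REM shares, services, scheduled jobs, autostart keys, and system summary.
call :section date /t
call :section time /t
call :section ipconfig /all
call :section netstat -nao
call :section netstat -rn
call :section arp -a
call :section tasklist /v
call :section tasklist /svc
call :section net user
call :section net localgroup administrators
call :section net session
call :section net use
call :section net share
call :section net start
call :section at
call :section reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
call :section reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
call :section reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
call :section systeminfo
echo ===== COLLECTION END =====
goto :eof

:section
REM Print a delimiter carrying the exact command line, then run it. stderr is
REM folded into stdout so failures (missing tool, access denied) travel too.
echo.
echo ===== %* =====
%* 2>&1
goto :eof
```

Because everything travels over a single connection, the listener needs only one `nc -l -p 4444 > file` per host and the delimiter lines let the analyst split the file afterwards; each delimiter names the command that produced the block, so gaps caused by a missing or tampered tool are visible rather than silent. Netcat provides neither authentication nor encryption, so run this over an isolated segment or a crossover cable to the forensics laptop, and hash the received file as soon as the connection closes.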


This was first published in February 2009
