Should data from a corrupted workstation be transferred to a forensics laptop?

I've been building a forensics toolkit for my company. Some say that when dealing with a compromised Windows workstation, you should transfer information from the corrupted workstation to the forensics one. What are the benefits of this method, rather than putting the information in a USB pen drive or a Windows share on the forensics laptop?

As far as moving the data goes, you've basically given yourself three options:
  1. Simply transferring the information (I'll elaborate further)
  2. Using a USB token (often referred to as a "pen drive")
  3. Using a Windows share on the forensics laptop

I like to transfer data across the network to a forensics laptop (option 1) because it not only minimizes the impact on the infected machine itself, but it also lowers the chance of compromising the forensics laptop. Installing a USB token (option 2) will almost always force the system to load drivers, altering the kernel and software. While those alterations are likely not going to affect your evidence, I like to minimize any changes to the system.

In option 3, you suggest moving data across a Windows share to the forensics system. To do that, however, the forensics machine must have a Windows share available on the network, and to mount that share on the forensics laptop, you'll need to provide a user ID and password. Entering such credentials into a compromised system is a scary proposition and one that I'd avoid. You might be thinking,


"Why not just use guest access of a Windows share on the forensics laptop?" That scares me as well, since the chances are better that malware on the infected machine could spread uncontrollably to the forensics laptop.

That's why I prefer the first option, transferring data without using Windows shares. To send data across the network, I like to use Netcat, a free, general-purpose tool that uses TCP or UDP to move data between systems. Users can run a given command and pipe its output into a Netcat client, which can shoot the data across the network to a forensics laptop, where a Netcat listener waits for it and writes it into the file system. With a batch script file, Netcat easily and quickly gathers a whole bunch of data from a compromised machine. The chance of an attacker spreading malware across Netcat is very small indeed, far lower than via Windows shares.

To help automate the Netcat process, you can use Harlan Carvey's free Forensic Server Project (FSP), a great tool that automatically gathers and stores forensics data using the Netcat method described above. I highly recommend Carvey's brand-new book called Windows Forensics Analysis DVD Toolkit, which describes the important data in a compromised system. He also explains how to use scripts and the FSP to improve your abilities to gather and analyze data.
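
The listener-and-pipe pattern described above, as an added Python example (not code from the original answer, from Carvey's FSP or from Netcat itself): a plain TCP socket stands in for Netcat on both ends, and the forensics-side listener also records byte count, SHA-256 and source address in a manifest, which `nc -l > file` alone does not do. The sample `netstat`-style text and the loopback wiring in `collect()`/`demo()` are constructed for the demonstration.

```python
import hashlib
import socket
import tempfile
import threading
from datetime import datetime, timezone
from pathlib import Path

SAMPLE_OUTPUT = b"Proto Local Address Foreign Address State\nTCP 0.0.0.0:445 0.0.0.0:0 LISTENING\n"  # constructed stand-in for command output on the suspect host

def receive_one(listener, outdir, name):
    """Forensics side (`nc -l -p PORT > name`), plus a manifest entry with size,
    SHA-256 and source so the evidence file can be verified later."""
    conn, peer = listener.accept()
    outdir.mkdir(parents=True, exist_ok=True)
    digest, size = hashlib.sha256(), 0
    with conn, open(outdir / name, "wb") as fh:   # read-only toward the peer: nothing is sent back
        while chunk := conn.recv(65536):
            fh.write(chunk)
            digest.update(chunk)
            size += len(chunk)
    record = {"file": name, "bytes": size, "sha256": digest.hexdigest(),
              "source": "%s:%d" % peer, "received": datetime.now(timezone.utc).isoformat()}
    with open(outdir / "manifest.txt", "a") as log:
        log.write("{received} {source} {file} {bytes} {sha256}\n".format(**record))
    return record

def send_output(data, host, port):
    """Suspect side (`command | nc HOST PORT`): push the bytes, then close."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)

def collect(payload, outdir, name, host="127.0.0.1"):
    """Run both halves against each other on a loopback port (demo wiring only)."""
    with socket.socket() as listener:
        listener.bind((host, 0))
        listener.listen(1)
        result = {}
        t = threading.Thread(target=lambda: result.update(receive_one(listener, outdir, name)))
        t.start()
        send_output(payload, host, listener.getsockname()[1])
        t.join()
    return result

def demo():
    """Collect SAMPLE_OUTPUT into a temp dir and add integrity checks to the record."""
    with tempfile.TemporaryDirectory() as tmp:
        record = collect(SAMPLE_OUTPUT, Path(tmp), "netstat.txt")
        record["file_matches"] = (Path(tmp) / "netstat.txt").read_bytes() == SAMPLE_OUTPUT
        record["in_manifest"] = record["sha256"] in (Path(tmp) / "manifest.txt").read_text()
    return record
```

On a real engagement the suspect host runs only the sender half (or Netcat itself) and the manifest stays on the forensics laptop, so the hash can be compared against the evidence file before analysis.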

This was first published in February 2009
