A Framework for Live Forensics

Current techniques used by forensic investigators during incident response and search and seizure operations generally involve pulling the power on suspect machines and performing traditional dead box post-mortem analysis on the persistent storage medium. These cyber-forensic techniques may cause significant disruption to the evidence gathering process by breaking active network connections and unmounting encrypted disks. In contrast, live forensic tools can collect evidence from a running system while preserving system state. In addition to collecting the standard set of evidence, these tools can collect evidence from live web browser sessions, VPN connections, IM and e-mail. Although newer live forensic analysis tools can preserve active state, they may taint evidence by leaving footprints in memory. Current uses of live forensics in corporate incident response efforts are limited because the tools used to analyze the system inherently taint the state of disks and memory. As a result, the courts have been reluctant to accept evidence collected from volatile memory and law enforcement has been reluctant to use these techniques broadly. To help address these concerns we present Forenscope, a framework that allows an investigator to examine the state of an active system without inducing the effects of taint or forensic blurriness caused by analyzing a running system. Forenscope allows an investigator to gain access to a machine through a forced reboot. The key insight that enables this technique is that the contents of memory on many machines are preserved across a warm reboot. Upon reboot, Forenscope patches the OS state in residual memory to kill screen savers, neutralize anti-forensics software and bypass other authentication mechanisms. We show how Forenscope can fit into accepted workflows to improve the evidence gathering process. Forenscope fully preserves the state of the running system and allows running processes, open files, encrypted filesystems and open network sockets to persist during the analysis process. Forenscope has been tested on live systems to show that it does not operationally disrupt critical processes and that it can perform an analysis in less than 15 seconds while using only 125 KB of conventional memory. We show that Forenscope can detect stealth rootkits, neutralize threats and expedite the investigation process by finding evidence in memory. The techniques developed in Forenscope belong to a broader class of volatile forensic techniques that are becoming increasingly important in the face of new privacy measures and changes in the way storage systems are built. We are starting to see the limitations of traditional forensic approaches emerge as users shift to using more networked services, privacy guard software and non-magnetic storage technologies such as NAND and phase change memory that do not exhibit the same data residue properties as traditional disks. These trends help motivate the development of more sophisticated forensic techniques.