Recovering Live System Artifacts with IEF
This is the third blog post in a series of six about the new features included in IEF v6.5

The collection of volatile data has become an essential component of a forensic examiner’s processes. While traditional forensic practices have always focused around avoiding any modification of evidence in order to preserve the integrity of the data, this is no longer an option for many investigations. Capturing memory and other live system artifacts is essential to understanding the activity on a system, and can sometimes be the only source of relevant evidence for a case.

Many times, I have worked on malware or intrusion cases where the only evidence found on a live system was in memory. If I had followed the traditional forensic practices of shutting down the computer, I would have destroyed the only clue to understanding how the infection took place.

Internet Evidence Finder (IEF) has had a Triage product for quite some time to assist in analyzing live systems when working in the field. New with version 6.5, IEF’s Triage capabilities have been re-packaged as an add-on module that includes even more functionality (including the recovery of live system artifacts) to help investigators perform live system forensics and collect and analyze volatile evidence.

When it comes to live system artifacts, IEF can now collect data for any logged-on users, network connections and interfaces, running processes, scheduled tasks, and services.

Logged On Users

The first live artifact that we’re going to look at is “Logged On Users”. As the title suggests, this reports details on any users that are logged on to the system at the time the search is conducted. IEF will report the following information:

  1. Account Type
  2. Account Status (e.g. disabled, locked out, local or domain)
  3. Domain (or hostname if not connected to a domain)
  4. User name (first and last)
  5. The user’s SID
  6. Logon Type
  7. Password Information (Change, Expire, Required)
  8. IP Address
  9. Installed Timestamp
  10. Last Login Timestamp
  11. Artifact capture Timestamp

Network Connections

Next, we have network connections, which can be quite valuable when investigating malware or intrusion cases. IEF will report all TCP and UDP connections for any IPv4 and IPv6 interfaces found on the system. Both the local and remote IP addresses and ports are reported along with the state, process, and program that is using the connection.

Network Interfaces

The next artifact is Network Interfaces. IEF will list all network adapters found on the system, including Ethernet, wireless, Bluetooth, virtual adapters, and many others. The example below shows the details that are reported for my local Ethernet adapter. Depending on the type of adapter, IP addresses, MAC addresses, and DHCP settings (including gateway, DNS, and lease timestamps) are all reported in a clean, easy-to-sort manner.

Running Processes

Running processes are another excellent artifact when investigating a malware or intrusion case. IEF will report the process name, description, path to the executable, process and parent process IDs, user, timestamps, and several other details of potential value to investigators.


Scheduled Tasks

IEF will also list all the scheduled tasks reported by a Windows system. Below you can see that it collects the following items:

  1. Task Name
  2. A description of the task
  3. The status of the task
  4. The trigger or frequency of the selected task
  5. Timestamps for the next and last run date
  6. Results for the last time the task was run
  7. The action to be performed
  8. The privilege level for the task
  9. Additional options and settings
  10. Whether the task is hidden or not
  11. Who created the task
  12. When the task was created

Services

Finally, we have services. IEF can now report on any services on the system and their current status. Pairing this information with the other live artifacts previously mentioned helps identify unknown activity on a user’s system.

With support for these new live artifacts, examiners will be able to collect more volatile data more quickly, and avoid running multiple tools when triaging a live system. By grouping many of these artifacts together, investigators can piece together the events of an incident to understand how a potential intrusion occurred. For example, by identifying an unknown network connection and linking it to a given process, investigators can quickly spot potential malware. Or, by looking at scheduled tasks, which are a common persistence mechanism, examiners can identify how malware survives a reboot.
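As an added example (not IEF’s or Magnet Forensics’ code), the following PowerShell collects the same kinds of live artifacts with built-in Windows cmdlets and performs the connection-to-process and scheduled-task correlation described above; it assumes an elevated Windows PowerShell 5.1 session on Windows 8 / Server 2012 or later.

```powershell
# Added example, not IEF's own code: collect live artifacts with built-in cmdlets.
# Assumes an elevated Windows PowerShell 5.1+ session (Get-NetTCPConnection and
# Get-ScheduledTask ship with Windows 8 / Server 2012 and later).

# 1. Established TCP connections joined to their owning process, answering the
#    "unknown connection -> which program?" question from the post.
function Get-ConnectionsWithProcess {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Process may already have exited; Path is $null for protected processes
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                State         = $_.State
                PID           = $_.OwningProcess
                Process       = $proc.ProcessName
                Path          = $proc.Path
                Captured      = (Get-Date).ToUniversalTime()
            }
        }
}

# 2. Scheduled tasks with their actions, privilege level and run history, the
#    persistence mechanism called out in the post. Hidden tasks are included.
function Get-TaskInventory {
    Get-ScheduledTask | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [PSCustomObject]@{
            TaskName   = $_.TaskName
            TaskPath   = $_.TaskPath
            State      = $_.State
            Author     = $_.Author
            Hidden     = $_.Settings.Hidden
            RunLevel   = $_.Principal.RunLevel
            Action     = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
            LastRun    = $info.LastRunTime
            NextRun    = $info.NextRunTime
            LastResult = $info.LastTaskResult
        }
    }
}

# Write each artifact set to a timestamped CSV so the capture can be hashed and preserved.
$stamp = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
Get-ConnectionsWithProcess | Export-Csv -NoTypeInformation "connections_$stamp.csv"
Get-TaskInventory          | Export-Csv -NoTypeInformation "tasks_$stamp.csv"
Get-Service | Select-Object Name, DisplayName, Status, StartType |
    Export-Csv -NoTypeInformation "services_$stamp.csv"
```

Sorting the connections output by RemoteAddress and the task output by Author or LastRun is the same triage view the post describes: a connection owned by an unfamiliar executable path, or a task whose action points outside the usual program directories, is what to pull for deeper analysis.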

If you’d like to see all of the features of our new Triage Module, you can read more here.

Please let me know if you have any questions, suggestions or requests. I can be reached by email at jamie(dot)mcquaid(at)magnetforensics(dot)com.

Here are some related resources you might also be interested in:

  1. Read the next blog in our series: Improved Analysis Features in v6.5
  2. New to IEF: Request a 30-day trial
  3. Current customers: Upgrade to IEF v6.5

Jamie McQuaid
Forensics Consultant, Magnet Forensics