Acquiring Digital Evidence on Windows Machines
Before acquiring digital evidence, prepare first. Digital evidence should be stored on an external, forensically wiped hard drive. The tools you need should be on a separate external storage medium, or at least on a separate partition if you are using the same storage medium for evidence and tools. Every change on the compromised host should be documented, so that it remains comprehensible who made any change on the host, when, and for what reason. This maintains the chain of custody. Furthermore, volatile memory should be acquired first, and non-volatile memory after that.
Volatile memory is memory that is lost after the machine has been shut down. Examples of volatile memory are RAM, the ARP cache and CPU registers. The RAM in particular can contain a lot of valuable information, e.g. running processes, network connections and encryption keys. So, if possible, the volatile memory should be part of a forensic examination.
To save the current state of the RAM, you will have to use special tools. Here is an overview of tools:
- AccessData FTK Imager: FTK Imager needs to be installed, preferably on a USB drive. Before downloading this tool you will have to register.
- WinPmem Memory Imager: This tool is open source and can be downloaded at https://winpmem.velocidex.com. It is a command-line tool. To acquire a forensic memory image you will have to run the following command:
- Belkasoft RAM capturer
- Magnet RAM capture tool
Keep in mind that these tools can cause a blue screen on Windows. During my tests this happened when CPU virtualization was turned on in the BIOS.
Windows also stores parts of the RAM on the hard drive. These files should also be acquired for a forensic analysis of the RAM:
%SystemDrive%\hiberfil.sys: This file is used to store the machine’s state as part of the hibernation process
%SystemDrive%\pagefile.sys: Paging of parts of memory that do not fit into physical memory
%SystemDrive%\swapfile.sys: This file is also used to store parts of the physical memory
These files are hidden in Windows Explorer by default, and they can only be acquired during runtime by special tools, e.g. “FTK Imager”.
If you need to acquire memory of a virtual machine, it can be much easier. Most of the hypervisors store the RAM inside a file on the host machine. You should look for these files:
Virtual machines can also take a snapshot, which contains both volatile and non-volatile data.
Challenges during memory acquisition
- Tools need administrative access
- Windows is locked: This can be a problem especially for law enforcement, because the suspect normally won’t give them access to the host. But there are some ways around it. You can use a DMA attack. Direct Memory Access allows some hardware components direct access to the memory, bypassing the CPU. This can be used to acquire the last 4 GB of RAM. DMA is featured by FireWire, Thunderbolt, PCMCIA, PCI, PCI-X and PCI Express. But operating system vendors are constantly adding new security measures to make DMA attacks impossible. Another way to acquire RAM while Windows is locked is a cold boot attack. This is a type of side-channel attack where the system needs to be restarted. After the restart the computer boots into an operating system from a USB device, and this operating system acquires the RAM. With this method it is possible to get all the contents of the RAM, but you have to manipulate the machine’s state by restarting it. So make sure to document everything.
- Footprint of tools: These tools will leave traces. In a worst-case scenario this could destroy some evidence. So always document which tools you used, when, and why.
- Can cause a blue screen
Non-volatile memory
- Memory that is not lost after the machine has been powered off
- Examples: Hard drive, USB Sticks, SD Cards
- During acquisition it is good practice to activate write protection. This can be done with software or hardware
- The target hard drive should be forensically clean
- Check the integrity of the image with hash functions: hash the source and the image and compare the values, and record them
Forensic Image formats
- Raw: This is a bit-by-bit copy and is the most widely used format.
- Advanced Forensic Format (AFF): This is a special format for forensic images. It can utilize compression algorithms (e.g. zlib) and encryption. Evidence-specific metadata can also be stored in this format.
- Expert Witness Disk Image Format (EWF): This is a proprietary format of “EnCase Forensics”. It is compressible and searchable.
Types of acquisition
- Physical Acquisition: This is a bit-by-bit copy of the hard drive. This type of copy can be read by any forensics software for analysis
- Logical Acquisition: This will only capture active data. That means unallocated space, file system data, and deleted or hidden files will not be acquired. This is useful when there is not enough time for a physical acquisition
- Sparse Acquisition: This is like a logical acquisition, but you also capture deleted files
Hard drive imaging tools
- FTK Imager
- ProDiscover
- X-Ways Forensics
- Tableau hardware write blocker
Challenges during hard drive imaging
- Encrypted hard drive: To decrypt this hard drive the examiner needs the password. If there are any signs that the hard drive is encrypted, do not shut down the machine; try to acquire the evidence live instead.
- Corrupted / damaged hard drive: Even though it is hard to acquire data from corrupted or damaged hard drives, it can still be possible. Law enforcement might have special labs to recover data from these hard drives.
- Cloud data acquisition: Cloud computing has a dynamic nature and data may be distributed across geographic locations. There might be legal issues when trying to acquire data from these hosts.
Triage Image Creation (Windows 10)
If there is not much time, or you want to start as fast as possible, you can create a triage image. This image will only contain the most interesting files. After making a triage image it is good practice to also make a full image of the hard drive. The triage image should contain the following files and directories:
- Obtain volatile data, especially RAM
- NTFS Meta Data Files:
- Recycle Bin:
- Users Dir:
- File System Transaction Journal:
- Master File Table:
- Windows Search Info:
- Amcache Registry Hive (Program execution evidence):
- Evidence of plugged in hard drives:
- Registry Hives:
\Windows\System32\config\ (DEFAULT, SAM, SECURITY, SOFTWARE, SYSTEM)
- Registry Backups:
- Log Files:
- Users Specifics:
- EVTX Logs:
- LNK Files:
- Prefetch Files:
- Directory Indexes:
If you want to collect these files and directories during acquisition, you will need special tools:
- FTK Imager: for collecting non-volatile and volatile data
- WinPmem: for the memory image
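The two habits this article keeps returning to, documenting who collected what and when (chain of custody) and checking the integrity of every copy with a hash, are easy to script. The following is an added example, not code from the article or from any of the tools listed above: a small Python triage collector that copies a list of files into an evidence directory, streams a SHA-256 over source and copy, and writes a manifest recording examiner, reason and timestamp; a verify step re-hashes the copies later so any modification of the evidence is detected. The sample files, the examiner name and the host label are constructed for the demo; in real use you would pass the triage paths from the list above and an evidence directory on the forensically clean target drive.

```python
"""Triage collection with hashing and a chain-of-custody manifest (added example, constructed data)."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024  # hash in 1 MiB chunks so large files never have to fit in RAM


def sha256_of(path):
    """SHA-256 of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(sources, evidence_dir, examiner, reason):
    """Copy each source into evidence_dir, hash source and copy, and record who/when/why.

    Returns the manifest dict (also written to evidence_dir/manifest.json).
    A source that cannot be read is recorded as an error instead of aborting the run,
    so one missing or locked file does not cost you the rest of the triage set.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = {
        "examiner": examiner,
        "reason": reason,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [],
    }
    for src in sources:
        src = Path(src)
        entry = {"source": str(src)}
        try:
            dst = evidence_dir / src.name
            shutil.copy2(src, dst)  # copy2 keeps timestamps; metadata is evidence too
            entry["copy"] = str(dst)
            entry["size"] = src.stat().st_size
            entry["sha256"] = sha256_of(src)
            # hash the copy as well so a bad write is caught at collection time
            entry["copy_ok"] = sha256_of(dst) == entry["sha256"]
        except OSError as exc:
            entry["error"] = str(exc)
        manifest["items"].append(entry)
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(manifest):
    """Re-hash every collected copy; return the sources whose copy is missing or altered."""
    mismatches = []
    for item in manifest["items"]:
        if "copy" not in item:
            continue  # never collected; already recorded as an error
        if not os.path.exists(item["copy"]) or sha256_of(item["copy"]) != item["sha256"]:
            mismatches.append(item["source"])
    return mismatches


def demo():
    """Run collect/verify on constructed files; returns (manifest, mismatches before, after tampering)."""
    work = Path(tempfile.mkdtemp())
    src_dir = work / "suspect_host"  # constructed stand-in for the suspect's drive
    src_dir.mkdir()
    (src_dir / "SAM").write_bytes(b"constructed registry hive contents")
    (src_dir / "pagefile.sys").write_bytes(os.urandom(3 * CHUNK + 17))  # spans several chunks
    sources = [src_dir / "SAM", src_dir / "pagefile.sys", src_dir / "missing.sys"]
    manifest = collect(sources, work / "evidence", examiner="analyst01", reason="triage of host LAB-PC")
    before = verify(manifest)
    with open(work / "evidence" / "SAM", "ab") as f:  # simulate an altered evidence copy
        f.write(b"!")
    after = verify(manifest)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("mismatches before tampering:", before)
    print("mismatches after tampering:", after)
```

The manifest is the part to keep with the evidence: it ties each hash to the examiner, the reason and the collection time, which is exactly what a later verification needs to show the copy is unchanged.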
Useful Windows commands
- Getting SID that belongs to a user:
wmic useraccount get name,sid