Windows Forensics and Incident Recovery

Forensic Server Project

The Forensic Server Project (FSP) is a proof of concept tool for retrieving volatile (and some non-volatile) data from potentially compromised systems. The FSP consists of several Perl scripts and third-party utilities. The server component of the FSP is run on an investigator or administrator's system, and handles all data storage and activity logging. The client components (i.e., FRU.pl and supporting Perl scripts and tools) of the FSP are burned to a CD, and run from the CD drive of the potentially compromised system. Data is copied to the server component via TCP/IP.

It should be noted that while the FSP is used for incident response and forensic audits of Windows systems, it is also an open source project. The server component is written in Perl, and can be run from other systems that support Perl (with minor modifications). Client components can be written in Perl, or any other scripting language.

The First Responder Utility (FRU)

The First Responder Utility (FRU) is used by a first responder to retrieve volatile data from "victim" systems. The current version of the FRU is a CLI (command line interface) tool called FRUC. The FRUC operates using a combination of an INI file and command line options.

The first step to running the FRUC is to download the archive containing FRUC. Extract all of the files to the same directory, and update the fruc.ini file to suit your needs. To update the INI file, simply follow the format already used in it. The INI file should consist of the 4 sections listed in the file, and must contain a "Configuration" section. If the investigator/administrator has a static IP address for the Forensic Server, put it in the file, along with the port to be used.

The "Commands" section consists of all of the tools that will be run on the system. When entering a tool to be used, follow the format in the ini file. The entry for each command must consist of a number, followed by the equals (=) sign, followed by the command to be run, a semi-colon delimiter, and the name of the file the data will be saved in on the Forensic Server (the filename will be prepended with the name of the system). The command to be run must point to a CLI tool and have all of the command line switches you'd like run.

Tools to be run with the FRUC can be found on the Tools page, as well as various other sites, such as SysInternals, NTSecurity.nu, DiamondCS, as well as others.

The "Registry Values" section consists of Registry values to be queried, while the "Registry Keys" section contains Registry keys (such as the ubiquitous Run key) that you want to pull all of the values (not subkeys) from. It is important that you use the right format in these sections. To get a list of Registry values and keys to query, such as startup locations, check sites such as Silent Runners.

NOTE: Be sure to read the 'readme' file that comes with the archive.

Once you have an INI file set up and all of the tools collected, you can burn fruc.ini, p2x584.dll, the INI file and tools to a CD, or USB-connected thumb drive. If you put the files on a CD, you can include a "clean" copy of cmd.exe and an autorun.inf file, or a batch file to launch the FRUC, if you so choose.
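The INI layout described above (a "Configuration" section with the server address and port, and "Commands" entries of the form number=command;filename) is easy to get subtly wrong, and a malformed entry only shows up when the CD is already in a victim's drive. The following validator is an added example written for this page in Python, not part of the FSP's Perl code. It assumes the section names quoted on the page, assumes the keys in [Configuration] are called "server" and "port" (the real key names are not given here), and assumes a "-" separator when the system name is prepended to the output filename; the sample fruc.ini text is constructed.

```python
import configparser
from dataclasses import dataclass

# Constructed sample fruc.ini. Section names follow the page; the key names
# "server" and "port" in [Configuration] are assumptions, not the real file's keys.
SAMPLE_INI = """\
[Configuration]
server=192.168.1.10
port=7070

[Commands]
1=pslist.exe;pslist.txt
2=netstat.exe -an;netstat.txt
3=psloggedon.exe;loggedon.txt

[Registry Values]
1=HKLM\\SYSTEM\\CurrentControlSet\\Control\\ComputerName\\ComputerName\\ComputerName

[Registry Keys]
1=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
"""

REQUIRED_SECTIONS = ("Configuration", "Commands", "Registry Values", "Registry Keys")


@dataclass
class Command:
    number: int
    command: str   # CLI tool plus its switches, exactly as it will be run
    outfile: str   # file the output is saved to on the Forensic Server

    def server_filename(self, hostname):
        # The page says the system name is prepended to the filename;
        # the "-" separator is an assumption.
        return f"{hostname}-{self.outfile}"


@dataclass
class FruConfig:
    server: str
    port: int
    commands: list
    registry_values: list
    registry_keys: list


def parse_fru_ini(text):
    """Parse and validate an FRUC-style ini text; raise ValueError on format errors."""
    # interpolation=None so a '%' in a command line is not treated specially
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)   # strict mode: a duplicated entry number is an error
    if "Configuration" not in cp:
        raise ValueError('ini file must contain a "Configuration" section')
    missing = [s for s in REQUIRED_SECTIONS if s not in cp]
    if missing:
        raise ValueError(f"missing section(s): {', '.join(missing)}")
    conf = cp["Configuration"]
    port = int(conf["port"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    commands = []
    for key, value in cp["Commands"].items():
        if not key.isdigit():
            raise ValueError(f"[Commands] entry must start with a number: {key!r}")
        if value.count(";") != 1:
            raise ValueError(f"[Commands] entry {key} needs exactly one ';' delimiter: {value!r}")
        command, outfile = (part.strip() for part in value.split(";"))
        if not command or not outfile:
            raise ValueError(f"[Commands] entry {key} is missing the command or the filename")
        commands.append(Command(int(key), command, outfile))
    commands.sort(key=lambda c: c.number)   # run tools in numbered order
    return FruConfig(conf["server"], port, commands,
                     list(cp["Registry Values"].values()),
                     list(cp["Registry Keys"].values()))


def ini_error(text):
    """Return the validation error for an ini text, or '' when it is acceptable."""
    try:
        parse_fru_ini(text)
    except (ValueError, KeyError, configparser.Error) as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    cfg = parse_fru_ini(SAMPLE_INI)
    print(f"server {cfg.server}:{cfg.port}")
    for c in cfg.commands:
        print(f"{c.number}: {c.command!r} -> {c.server_filename('VICTIM01')}")
```

Run the validator against the INI file before burning the CD; a missing ";" delimiter or a non-numeric entry key is reported as text rather than discovered at collection time.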

Using the FSP

The current version of the FSP is the FSPC, the command line (CLI) version of the Forensic Server Project. In order to use the FSPC, the first thing you need to do is download the FSPC zipped archive, and extract all of the files to the same directory. Type "fspc -h" to view the syntax for launching the FSPC.

The FSPC is the CLI version of the FSP, and handles the case management and storage of data when collecting data from "victim" systems. The FSPC, when launched, listens on a port for connections. When one of the FSP client components (i.e., FRUC) connects to send data, the FSPC stores the data sent in files on the server system, generates hashes of the files, and maintains a logfile of all activities taken by the client component.

The simplest way to launch FSPC is with the following command:

C:\fsp\fspc -n newcase -i "Det. Joe Friday" -c

The above command will launch the FSPC on port 7070 (i.e., the default). The name of the case is "newcase", and a directory of that name will be created as a subdirectory within the case directory (i.e., the default is "cases"). The name of the investigator ('-i' switch) will be placed in the logfile (use the '-l' switch to name it; the default is "case.log"). As the FSPC receives data from the client component, it will automatically store the data on the server system, and compute hashes for each file as it is created. If a client component is used to copy files from the victim system to the Forensic Server, the server will automatically verify the hashes of the files. The client components send items to be logged to the server, and these items are placed in the logfile. The last command that the client sends to the server is the "CLOSELOG" command, at which point the logfile is closed and hashes are computed for the logfile. If the '-c' switch is used, the server component will automatically shut down when the CLOSELOG command is sent. Otherwise, the server will remain open and the investigator must press Control-C to shut the server down.
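To make the server-side behaviour just described concrete (a case directory, a logfile, a hash for every stored file, hash verification for copied files, and CLOSELOG closing and hashing the log), here is an added example written for this page in Python. It is not the FSPC's Perl code and does not speak the real FSP wire protocol: the line-based LOG / DATA / CLOSELOG exchange, the SHA-256 choice (the page does not name the hash algorithm), the "-" between system name and filename, and the sample tool output are all assumptions or constructed for the demonstration.

```python
import hashlib
import os
import socket
import tempfile
import threading
from datetime import datetime, timezone

HASH_ALGO = "sha256"  # assumption: the page does not say which hash the FSP uses


def digest(data):
    return hashlib.new(HASH_ALGO, data).hexdigest()


class CaseServer:
    """Stand-in for the FSPC: one case directory, one logfile, a hash for every file."""

    def __init__(self, case_root, case_name, investigator, port=0):
        self.case_dir = os.path.join(case_root, case_name)
        os.makedirs(self.case_dir, exist_ok=True)
        self.log_path = os.path.join(self.case_dir, "case.log")
        self.hashes = {}          # server-side filename -> hex digest
        self._log = open(self.log_path, "w", encoding="utf-8")
        self._write_log(f"case {case_name} opened by {investigator}")
        self._sock = socket.socket()
        self._sock.bind(("127.0.0.1", port))   # port=0 lets the OS pick a free one
        self._sock.listen(1)
        self.port = self._sock.getsockname()[1]

    def _write_log(self, msg):
        self._log.write(f"{datetime.now(timezone.utc).isoformat()} {msg}\n")
        self._log.flush()

    def _hash_file(self, path):
        with open(path, "rb") as f:
            return digest(f.read())

    def serve_one_client(self):
        """Handle one FRUC-style session until CLOSELOG or disconnect (hypothetical protocol)."""
        conn, _ = self._sock.accept()
        with conn, conn.makefile("rb") as rf:
            while True:
                raw = rf.readline()
                if not raw:
                    break
                cmd, _, rest = raw.decode().rstrip("\r\n").partition(" ")
                if cmd == "LOG":                       # "LOG <message>"
                    self._write_log(f"client: {rest}")
                elif cmd == "DATA":                    # "DATA <name> <size> <digest>" + body
                    name, size, claimed = rest.rsplit(" ", 2)
                    safe = os.path.basename(name)      # client must not choose a directory
                    body = rf.read(int(size))
                    dest = os.path.join(self.case_dir, safe)
                    with open(dest, "wb") as out:
                        out.write(body)
                    actual = self._hash_file(dest)     # hash computed as the file is created
                    self.hashes[safe] = actual
                    status = "verified" if actual == claimed else "HASH MISMATCH"
                    self._write_log(f"stored {safe} {len(body)} bytes {HASH_ALGO}={actual} {status}")
                elif cmd == "CLOSELOG":
                    self._write_log("CLOSELOG received, closing logfile")
                    self._log.close()
                    self.hashes["case.log"] = self._hash_file(self.log_path)
                    break
        if not self._log.closed:   # client dropped without CLOSELOG
            self._log.close()
        self._sock.close()

    def stored_files(self):
        return sorted(os.listdir(self.case_dir))

    def log_text(self):
        with open(self.log_path, encoding="utf-8") as f:
            return f.read()


def send_collection(port, hostname, files, log_lines):
    """Stand-in for the FRUC side: log entries, each file with its hash, then CLOSELOG."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        for msg in log_lines:
            s.sendall(f"LOG {msg}\n".encode())
        for name, data in files.items():
            # the system name is prepended to the filename on the server side
            s.sendall(f"DATA {hostname}-{name} {len(data)} {digest(data)}\n".encode())
            s.sendall(data)
        s.sendall(b"CLOSELOG\n")


def run_demo(case_root=None):
    """One server/client exchange in a temp directory; returns the server object."""
    server = CaseServer(case_root or tempfile.mkdtemp(), "newcase", "Det. Joe Friday")
    worker = threading.Thread(target=server.serve_one_client)
    worker.start()
    files = {  # constructed sample tool output, not real collection data
        "pslist.txt": b"Name  Pid\nSystem 4\n",
        "netstat.txt": b"TCP 0.0.0.0:135 LISTENING\n",
    }
    send_collection(server.port, "VICTIM01", files, ["FRUC started", "ran pslist.exe"])
    worker.join()
    return server


if __name__ == "__main__":
    srv = run_demo()
    for name, h in srv.hashes.items():
        print(f"{h}  {name}")
```

The design point worth keeping from this sketch is that the server, not the client, decides where a file lands (basename only) and records the hash at write time, so the logfile becomes an integrity record for everything collected; a "HASH MISMATCH" line in the log means the copy cannot be trusted as evidence.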

NOTE: Be sure to read the 'readme' file that comes with the archive distribution.

If you have any questions or comments, contact me.

© 2004 H. Carvey