We left off at listing some of the bare minimum of artifacts needed to conduct analysis on systems that are suspected of being compromised. Before we get to tools there should be some discussion about "how" to get the artifacts.
The focus will be the acquisition of these artifacts on live systems. There are big differences in live and dead host acquisition, but right now I am focusing on live remote acquisition on an enterprise level.
So what do you need to do live remote acquisitions?
Network access:
Goes without saying, but if your enterpise has firewalls/host ips agents/ipsec/networking filtering/DACLs protecting hosts you will want to get some sort of pre-planned access capability. If you don't you will waste valuable time getting what you need... A little pre-planning here is key. Since we are talking about a Windows environment you will typically see systems with Windows SMB (a.k.a File & Printer Sharing) access. (IPC$).
Authentication:
In short, you'll need to be authenticated as a user with administrator privileges. Whether this is a domain admin account in the local admins group or local account, you need to have admin privileges to snag these artifacts. You'll also need that level access to connect to the box remotely.
- Side note: You are likely responding to compromised systems with elevated privileges across the organization, and when investigating these systems those credentials could become compromised themselves. You need to adjust accordingly and I suggest creating a privileged account that is only used for IR work and heavily defended: quickly expiring passwords, heavy logging alerts on it's use, etc...
For more info see a great post on the SANS Computer Forensics Blog about this very topic:
Protecting Privileged Domain Accounts: Safeguarding Password Hashes
So you have access and the rights. Now what?
At this point you've identified the target system, you have access, now you need to get the tools/scripts to the box. **depending on your tool(s). Some tools don't have remote capability so getting them on the target box is needed.
You can do this by manually mapping and copying, copying the files from a central repository, or even have them pre-deployed on the box. (I am not necessarily a fan of pre-deployment...considering your pre-deployed tools could be tampered with on the compromised system). Utilizing a central repository can give you control over the files but allowing the ability to pull the files down to the suspect system.
To actually run the tools you will need the ability to run commands remotely. To stay with the enterprise Windows environment, PsExec is an excellent tool for these type of operations. (do it securely though, depending on how you do it, it can pass the password in cleartext.) Consider launching a command prompt on the local system with the IR account, and then run PsExec. The remote process will run under the account PsExec was launched from, and in this case it will be the IR account.
