Forensics – Collecting Volatile Data

Under the principle of “order of Volatility”, you must first collect information that is classified as Volatile Data (the list of network connections, the list of running processes, log on sessions, and so on), which will be irretrievably lost in case the computer is powered off.

This category includes the following data:
1.System uptime and the current time
2.Network parameters (NetBIOS name cache, active connections, the routing table,and so on).
3.NIC configuration settings
4.Logged on users and active sessions
5.Loaded drivers
6.Running services
7.Running processes and their related parameters (loaded DLLs, open handles, and ownership)
8.Autostart modules
9.Shared drives and files opened remotely

Recording the time and date of the data collection allows you to define a time interval in which the investigator will perform an analysis of the system:
(date / t) & (time / t)>%COMPUTER_NAME% \ systime.txt
systeminfo | find “Boot Time” >>% COMPUTERNAME% \ systime.txt

The last command allows you to show how long the machine worked since the last reboot. Using the %COMPUTERNAME% environment variable, we can set up separate directories for each machine in case we need to repeat the process of collecting information on different computers in a network.
In some cases, signs of compromise are clearly visible in the analysis of network activity.

The next set of commands allows you to get this information:
nbtstat -c > %COMPUTERNAME%\NetNameCache.txt
netstat -a -n -o >%COMPUTERNAME%\NetStat.txt
netstat -rn >%COMPUTNAME%\NetRoute.txt
ipconfig / all >%COMPUTERNAME%\NIC.txt
promqry >%COMPUTERNAME%\NSniff.txt

The first command uses nbtstat.exe to obtain information from the cache of NetBIOS. You display the NetBIOS names in their corresponding IP address. The second and third
commands use netstat.exe to record all of the active compounds, listening ports, and routing tables. For information about network settings, the ipconfig.exe network interfaces command is used. The last block command starts the Microsoft promqry utility, which allows you to define the network interfaces on the local machine, which operates in promiscuous mode. This
mode is required for network sniffers, so the detection of the regime indicates that the computer can run software that listens to network traffic.

To enumerate all the logged on users on the computer, you can use the Sysinternals tools:
psloggedon -x >%COMPUTERNAME% \ LoggedUsers.txt
logonsessions -p >> %COMPUTERNAME%\LoggedOnUsers.txt
The PsLoggedOn.exe command lists both types of users, those who are logged on to the computer locally, and those who logged on remotely over the network. Using the-x switch, you can get the time at which each user logged on. With the -p key, logonsessions will display all of the processes that were started by the user during the session.It should be noted that logonsessions must be run with administrator privileges.

To get a list of all drivers that are loaded into the system, you can use the
drivers.exe utility:
The next set of commands to obtain a list of running processes and related information is as follows:
tasklist / svc>%COMPUTERNAME% \ taskdserv.txt
psservice>%COMPUTERNAME% \ trasklst.txt
tasklist / v>%COMPUTERNAME% \ taskuserinfo.txt
pslist / t>%COMPUTERNAME%\tasktree.txt
handle -a>%COMPUTERNAME%\lsthandles.txt
The tasklist.exe utility that is made with the / svc key enumerates the list of running
processes and services in their context. While the previous command displays a list of
running services, PsService receives information on services using the information in the registry and SCM database. Services are a traditional way through which attackers can access a previously compromised system. Services can be configured to run automatically without user intervention, and they can be launched as part of another process, such as svchost.exe.
In addition to this, remote access can be provided through completely legitimate services, such as telnet or ftp. To associate users with their running processes, use the tasklist / v command key. To enumerate a list of DLLs loaded in each process and the full path to the DLL, you can use listsdlls.exe from SysInternals. Another handle.exe utility can be used to list all the handles, which are open processes.
This handles registry keys, files, ports, mutexes, and so on. Other utilities require run with administrator privileges. These tools can help identify malicious DLLs that were injected into the processes, as well as files, which have not been accessed by these processes.

The next group of commands allows you to get a list of programs that are configured to
start automatically:
autorunsc.exe -a>%COMPUTERNAME% \ autoruns.txt
at>%COMPUTERNAME% \ at.txt
schtasks / query>%COMPUTERNAME% \ schtask.txt
The first command starts the SysInternals utility, autoruns, and displays a list of executables that run at system startup and when users log on. This utility allows you to detect malware that uses the popular and well-known methods for persistent installation into the system. Two other commands (at and schtasks) display a list of commands that run in the schedule. To start the at command also requires administrator privileges. To install backdoors mechanisms, services are often used, but services are constantly working in the system and, thus, can be easily detected during live response. Thus, create a backdoor that runs on a schedule to avoid detection. For example, an attacker could create a task that will run the malware just outside working hours.

To get a list of network share drives and disk files that are deleted, you can use the
following two commands:
net share>%COMPUTERNAME%\drives.txt