Chapter 2 / Overview of Anti-Forensics


To Crash Dump or Not to Crash Dump

If the machine being examined can be shut down, creating a crash dump file might offer insight into the state of the system's internal structures. Kernel debuggers are very powerful and versatile tools. Entire books have been written on crash dump analysis (e.g., Dmitry Vostokov's Memory Dump Analysis Anthology).

This is definitely not an option that should be taken lightly, as crash dump files can be disruptive. A complete kernel dump consumes gigabytes of disk space and can potentially destroy valuable evidence. The associated risk can be somewhat mitigated by redirecting the dump file to a non-system drive via the Advanced System Properties window. In the best-case scenario, you'd have a dedicated volume strictly for archiving the crash dump.

Postmortem Analysis

If tools are readily available, a snapshot of the machine's BIOS and PCI-ROM can be acquired for analysis. The viability of this step varies greatly from one vendor to the next. It's best to do this step after the machine has been powered down, using a DOS boot disk or a live CD, so that the process can be performed without the risk of potential interference. To be honest, though, I wouldn't get your hopes up. At the first sign of trouble, most system administrators will simply flash their firmware with the most recent release and forego forensics.

Once the machine has been powered down, a forensic duplicate of the machine's drives will be created in preparation for file system analysis. This way, the investigator can poke around the directory structure, inspect suspicious executables, and open up system files without having to worry about destroying evidence. In some cases (see Figure 2.3), a first-generation copy will be made to spawn other second-generation copies so that the original medium only has to be touched once before being bagged and tagged by the White Hats.
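The first-generation / second-generation duplication scheme just described, as an added example that is not from the book: the original medium is read exactly once to produce a hashed first-generation image, every working copy is spawned from that image rather than from the original, and each copy is checked against the recorded hash. The original medium is simulated with a constructed file so the script runs offline; it assumes dd and sha256sum are available (on a real case the source would be a block device behind a write blocker).

```shell
#!/bin/sh
# Added example of the evidence-duplication chain (not the book's code).
# The "medium" is a constructed random file; a real acquisition would read
# a block device opened read-only. Assumes: dd, sha256sum, mktemp in PATH.
set -eu

WORK=$(mktemp -d)

# Print only the hex SHA-256 digest of a file.
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Step 1: touch the original exactly once. A single read pass produces the
# first-generation image and its recorded hash (conv=noerror,sync keeps
# going past unreadable blocks on real media, padding them with zeros).
acquire_first_gen() {  # $1 = source medium, $2 = output image
    dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
    hash_of "$2" > "$2.sha256"
}

# Step 2: working copies are spawned from the first-generation image, never
# from the original medium, and each is verified against the recorded hash.
spawn_second_gen() {  # $1 = first-gen image, $2 = output copy
    cp "$1" "$2"
    [ "$(hash_of "$2")" = "$(cat "$1.sha256")" ]
}

# Run the whole chain on a constructed 64 KiB medium; returns 0 on success.
run_chain() {
    src="$WORK/medium.bin"
    dd if=/dev/urandom of="$src" bs=1024 count=64 2>/dev/null
    orig_hash=$(hash_of "$src")
    acquire_first_gen "$src" "$WORK/gen1.dd"
    # The image must be bit-for-bit identical to the original.
    [ "$(cat "$WORK/gen1.dd.sha256")" = "$orig_hash" ] || return 1
    spawn_second_gen "$WORK/gen1.dd" "$WORK/gen2-a.dd" || return 1
    spawn_second_gen "$WORK/gen1.dd" "$WORK/gen2-b.dd" || return 1
    # The analyst works on gen2-*; once a working copy is modified it no
    # longer matches the recorded hash, which is how tampering is caught.
    printf 'x' >> "$WORK/gen2-a.dd"
    if [ "$(hash_of "$WORK/gen2-a.dd")" = "$orig_hash" ]; then return 1; fi
    return 0
}
```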

If the investigator dumped the system's memory at the beginning of the live response phase, or captured the address space of a particular process, or decided to take the plunge and generate a full-blown crash dump, he will ultimately end up with a set of binary snapshots. The files representing these snapshots can be examined with all the other files that are carved out during the postmortem.
