Behind the Scenes of Forensics: Experiences from the trenches
15 May 2023 — Juan Carlos Sánchez
Windows Server Core Acquisition
Normally when a forensic acquisition is going to be made, we try to collect with the client prior information about the device to be analysed, based on this information a strategy is prepared to acquire the device in the most appropriate and effective way, although facing a forensic acquisition always holds last-minute setbacks that make it difficult to follow the strategy as is, and this time it was not going to be different…
Our goal was to acquire a more or less old Dell server with Windows Server 2016 with a Raid 1 configured, for this reason and for the type of case we were facing, we decided to take the path that usually entails less complications: Acquisition of the operating system volume through “FTK Imager”.
Once the day of the acquisition arrived, the surprise was capital when we verified that it was a Windows Server Core (What is Server Core? | Microsoft Learn), with which we could only interact through a console, automatically our main option was discarded for obvious reasons. At this point we had to rethink how to make the acquisition, and after exploring several options we diversified the strategy into three initial plans:
- Plan A: Try to use “FTK Imager command line”.
- Plan B: “CAINE” to carry out the acquisition from a live forensic.
- Plan C: Perform a triage of Windows artifacts, either with “KAPE”, “Hoarder” or manual if necessary.
The option of “FTK command line” was quickly discarded since this project was discontinued by Exterro, long ago and therefore we had to resort to plan B and obviously we were not going to play with old versions on unofficial internet sites .
We quickly downloaded Rufus and burned an ISO of “CAINE”, but as usual… the server decided not to recognize the bootable, neither in the USB 2.0 nor 3.0 ports. When this happens, all that remains is to look for a pendrive 2.0 and burn the ISO again… Some servers only like to boot with 2.0 drives.
Forensic tip: always carry a PEN 2.0 with you.
In this attempt the bootable if it was recognized by the server.
Once this setback was overcome we proceeded to make the acquisition with “CAINE”, everything seemed to be going well but there is always room for one more setback … “CAINE” was incompatible with the server’s RAID Controller and the block devices were not presented correctly, so we ruled out this option as well.
Initially, we had planned as plan C the triage of Windows artifacts. However, we made a conscious decision to avoid this approach, as it would undoubtedly compromise the overall quality of the acquisition process and subsequent forensic analysis. Consequently, we promptly shifted our focus towards exploring an alternative option that would enable us to proceed with the acquisition while maintaining the necessary standards. As a result, we diligently embarked on a priority investigation into this new avenue.
Looking for a new plan D
Since we wanted to guarantee a complete acquisition of the OS Volume that would give us freedom to investigate all those forensic artifacts that were necessary, as well as recover possible deleted data, we decided to look for a tool that would allow us to have this acquisition via command line, this is how we found a compiled version of “DC3DD” for Windows, which is a patched version of DD with forensic steroids. In principle the use of “DC3DD” in Windows is quite simple, you just have to download the binary (https://sourceforge.net/projects/dc3dd/files/dc3dd/7.2%20-%20Windows/) and acquire the physical or logical volume. But there is not much information available about the acquisition option, after a slight investigation on the libraries used by the tool, we found that you simply have to change the notation of calls to Linux systems type “/dev/sdx” to Windows notation of access to raw devices that we can find in this Microsoft documentation: (Naming Files, Paths, and Namespaces — Win32 apps | Microsoft Learn )
dc3dd.exe if="stands for input file" of="stands for output file" hash="MD5, SHA-1, SHA-256, and SHA-512" log="the destination for the logs"
- if — This is the drive we wanted to image, depending on the number of drives connected to your workstation.
- of — Destination of your image in RAW format.
- hash — “DC3DD” supports four hashing algorithms: MD5, SHA-1, SHA-256, and SHA-512.
- log — Destination for the logs. You will find the image version, image hash, and so on in this file once acquisition is completed.
But before being able to use this utility we must check the disks and volumes through the console with “DiskPart”, which is very simple to use as shown in the image.
Once we had all the necessary data to use “DC3DD”, we used this command with the following parameters:
dc3dd.exe if=\\.\C: of=H:\img001-c.dd hash=sha256 log=H:\img001-c.log
When the acquisition was completed, the hard disk on which the “.dd” had been written had to be removed from volume C of Windows Server 2016, which can be done with the following command:
mountvol D: /P
Based on the experience of this acquisition, during the “Lessons Learned” process, we worked on improving two technical points:
- “DC3DD”, although a great tool, has a basic problem, and this is the format of the evidence, since an acquisition in RAW format is not too portable and in large acquisitions, it can generate a problem. Therefore, we decided to publish for the community a version of the “Ewf-tools” tools as “Ewfacquire” or “Ewfverify” compiled for Windows x64 (alpine-sec/ewf-tools: Pre-compiled binaries of ewftools for windows x64 (github.com)) in order to have an alternative command line acquisition in E01 on Windows.
- Create a tool that allows remote acquisitions quickly, easily and if possible make it available to the community as an open source project… better. And so the “SPECTR3” project was born … Coming Soon!