Pages

Tuesday, November 16, 2010

Sleepwaking

No, the title of this post is not in error.  I don't mean "sleepwalking."  I meant what I said: sleepwaking.

Those who know me know I am a proponent of "previewing" computers for content before conducting a full forensic exam.  There are many reasons for this including the most common purpose: triage.  Previewing entails booting the computer with a forensic boot disc such as CAINE which prevents writes to the media being examined, and examining the file system(s) on the attached storage devices for evidence related to the investigation.

There are, of course, limitations to Previewing approach that I won't discuss here, But there is a danger that I feel must be discussed: Previewing the computer that is in a sleep or hibernated state which is commonly (but not exclusively) found in laptop computers.  Dropping a forensic boot disc into the CD drive (or using a USB incarnation) will not prevent the computer's operating system from running and changing data on storage device.  So, what is a person to do?

For sake of this discussion, envision a laptop computer with a single internal hard disk drive with an Windows operating system in a hibernated state.  Booting the computer after inserting a forensic boot disc will NOT preserve the data on drive, because the BIOS detects the hibernated state and begins restoring the contents of the hyberfil.sys file to RAM and restores the operating system to a running state.  If you interrupt this restoration, quickly enough, you will find that the data on the hard disk drive hasn't changed, but metadata (access times) will be changed.  Depending on the version of Windows installed, you still may not get a boot selection screen the next time you boot (Windows 7 comes to mind).

The best practice in my experience is as follows:

  1. remove the hard drive from the computer.
  2. insert your forensic boot disc .
  3. boot the computer and access the BIOS or boot selection menu (ensure you can select the boot disc as the boot device)
  4. reinstall the hard disk drive.
  5. reboot the computer and boot into your forensic environment.  The BIOS will not now automatically attempt to restore the resident OS from hibernation.
And don't forget that the hibernated system has saved what is essentially a RAM image in the hyberfil.sys.  I guess that's what you call a "twofer."  It takes a different shape in Macintosh and Linux systems, but RAM contents are available in those hibernated operating systems, too.

Of course, true "sleeping" is different than hibernation, though the line has been blurred since Windows Vista.  A true "sleep" state suspends the computer, preserving the running state by providing power to RAM in order to retain data.  It is usually indicated by a flashing power light and the data disappears scant seconds after loss of power.  On the other hand, Windows Vista introduced "Fast Sleep" that also saves the RAM content to hard disk in conjunction with providing power to the RAM.  The investigator will have to make his/her own decisions based on the details of the investigation on how to handle a sleeping computer (e.g, wake it and save volatile memory before shutting down the system or abandoning the RAM contents by pulling the drive).

1 comment:

  1. Good article...but I have always did the procedure you wrote: remove the hard drive from the computer, insert your forensic boot disc, Bios, etc. etc.
    Not only to prevent the awaking from a "sleeping" state, even if there is a normal shutdown state, because if the computer starts from the first hard disk instead of the cd-rom drive, you'll see the Windows logo on the screen instead of Caine logo :-DDDD

    ReplyDelete