OnLine Digital Forensic Suite
The OnLine Digital Forensic Suite is next-generation software for live computer investigations in networked environments.
We have designed OnLineDFS to fit the requirements of IT security professionals in corporations and government agencies, and computer investigators in law enforcement. For IT security and incident response professionals, OnLineDFS enables a rapid but forensically sound determination about whether an issue exists on a computer so that quick action can be taken to address the situation. Since OnLineDFS enables non-disruptive but forensically sound examination and information-gathering, including from systems which are geographically remote from the investigator, it is an ideal tool for compliance auditing and e-discovery data collection. And because OnLineDFS does not rely on pre-installed agents, it is an excellent solution for law enforcement when called upon to conduct a live investigation, especially in a corporate or other networked computing environment.
OnLineDFS received the Frost & Sullivan 2009 North American Product Innovation Award in the field of computer forensics.
OnLineDFS Functionality
OnLineDFS is structured to enable the capture, search and analysis of three major categories of data:
- Volatile system state data;
- Memory and registry data;
- Persistent data.
Volatile data
The OnLine Digital Forensic Suite enables the rapid capture of volatile system state data, including running processes, open ports, process-port associations, open files, and much more. This large data set is organized for an investigator's review to gain a very quick understanding of the state of the system under investigation. This data is ideal for a triage assessment of the target computer, and is invaluable in formulating a plan for continuing the investigation.
For target systems running Windows operating systems, up to twenty-nine distinct state data categories may be acquired. Similar data is gathered from Unix and Linux targets (including Mac OS). The investigator may select which of the data categories are to be acquired; nineteen of these are available only from a live system, and this evidence is lost if the system is powered off. The selected data categories are acquired in order of volatility: the most volatile information, the data most likely to change through normal operation of the target system, is acquired first so that it is not affected by later acquisition steps.
For each selected data category, OnLineDFS connects to the target system and sends it a small transient utility. The utility gathers the data and transmits it back to the OnLineDFS data repository. When this completes, the transient utility is deleted automatically and the connection to the target is closed. Acquiring all twenty-nine data categories from a Windows XP target, for instance, usually takes approximately one to three minutes.
Memory and registry data
The data in memory and the registry are subject to constant changes while a system is in operation, and some registry values exist only on the running system.
The data contained in the registry is extremely useful to an investigator in attempting to determine the condition of the target. Having access to this data while the target system is live and running can provide invaluable insight to the investigator regarding what is running on the target, the applications which are installed on the target, most recently used files and applications, and much more.
OnLineDFS provides two methods to access the registry: browsing the registry; and acquiring the registry.
The "browse the registry" functionality enables the investigator to navigate through the registry and acquire specific registry keys and values in real-time. The investigator may navigate "up or down" the hierarchy of the registry or may jump directly to a specific key or value by using the "jump to key." OnLineDFS maintains a trail of links to facilitate navigation through the registry.
OnLineDFS captures and records in a log file everything the investigator views while browsing the registry: every key and value visited, together with their contents. The log is viewable and searchable by the investigator as the investigation progresses.
Registry hives are acquired by OnLineDFS directly from the target rather than through the Windows Remote Registry service. This avoids relying on a service that may be disabled, or tampered with, on a compromised host and gives more reliable results for the data that is captured. As a result, OnLineDFS can acquire registry data that would otherwise be restricted by the target operating system.
OnLineDFS enables the investigator to acquire the entire registry. After the registry has been acquired, it may be viewed in the OnLineDFS data viewer. The data is displayed as plain text and may be searched for strings or regular expressions. OnLineDFS formats the registry data as XML so that it is easily parsed for viewing and analysis with external third-party tools. Additionally, OnLineDFS can export the acquired registry data to the Microsoft Windows .reg format, which allows the data to be processed by the standard Windows "regedit" tool. The .reg file created by OnLineDFS uses the Unicode (UTF-16) "Windows Registry Editor Version 5.00" format supported by Windows 2000 and later.
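To make the XML-to-.reg export concrete, here is an added example (written for this page, not OnLineDFS code) that converts a small registry dump into a Windows Registry Editor Version 5.00 file. The XML layout (element names `key` and `value`, attributes `path`, `name`, `type`, `data`, and `|` as the separator for REG_MULTI_SZ entries) is an assumption, since the page does not show the OnLineDFS schema; the .reg value syntax, the UTF-16LE-with-BOM encoding and the CRLF line endings are what regedit actually expects.

```python
import xml.etree.ElementTree as ET

# Constructed sample registry dump in an ASSUMED XML layout; the real OnLineDFS
# schema is not documented on this page, so element/attribute names are placeholders.
SAMPLE_XML = r"""<registry>
  <key path="HKEY_LOCAL_MACHINE\SOFTWARE\Example">
    <value name="" type="REG_SZ" data="default text"/>
    <value name="Install Dir" type="REG_SZ" data="C:\Program Files\Example"/>
    <value name="Count" type="REG_DWORD" data="42"/>
    <value name="Blob" type="REG_BINARY" data="01ff7e"/>
    <value name="Path" type="REG_EXPAND_SZ" data="%SystemRoot%\x.exe"/>
  </key>
  <key path="HKEY_LOCAL_MACHINE\SOFTWARE\Example\Empty"/>
</registry>"""


def _quoted(text):
    """Quote a string the way regedit expects: backslashes and double quotes are escaped."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _hex_list(raw):
    return ",".join(f"{b:02x}" for b in raw)


def format_value(name, vtype, data):
    """Render one value line in Windows Registry Editor Version 5.00 syntax."""
    lhs = "@" if name == "" else _quoted(name)          # "@" denotes the key's default value
    if vtype == "REG_SZ":
        rhs = _quoted(data)
    elif vtype == "REG_DWORD":
        rhs = f"dword:{int(data):08x}"                   # 32-bit value written as 8 hex digits
    elif vtype == "REG_BINARY":
        rhs = "hex:" + _hex_list(bytes.fromhex(data))
    elif vtype == "REG_EXPAND_SZ":
        # hex(2): the UTF-16LE bytes of the string including its NUL terminator
        rhs = "hex(2):" + _hex_list((data + "\0").encode("utf-16-le"))
    elif vtype == "REG_MULTI_SZ":
        # hex(7): NUL-separated UTF-16LE strings ending in a double NUL;
        # '|' separating entries in the XML is an assumption about the dump format
        rhs = "hex(7):" + _hex_list(("\0".join(data.split("|")) + "\0\0").encode("utf-16-le"))
    else:
        raise ValueError(f"unsupported value type: {vtype}")
    return f"{lhs}={rhs}"


def xml_to_reg_lines(xml_text):
    """Convert the XML dump into the text lines of a .reg file."""
    root = ET.fromstring(xml_text)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key in root.iter("key"):
        lines.append(f"[{key.get('path')}]")
        for v in key.findall("value"):
            lines.append(format_value(v.get("name", ""), v.get("type"), v.get("data", "")))
        lines.append("")                                  # a blank line closes each key block
    return lines


def xml_to_reg_bytes(xml_text):
    """Encode in regedit's version 5.00 form: UTF-16LE with a byte-order mark and CRLF endings."""
    text = "\r\n".join(xml_to_reg_lines(xml_text))
    return b"\xff\xfe" + text.encode("utf-16-le")


if __name__ == "__main__":
    print("\n".join(xml_to_reg_lines(SAMPLE_XML)))
```

Write the result of `xml_to_reg_bytes()` to a file with a `.reg` extension and regedit will import it; the same lines can be diffed against a later export of the same keys to spot changes. Note that REG_EXPAND_SZ and REG_MULTI_SZ are emitted as typed hex lists rather than quoted strings because the plain `"name"="value"` form only ever denotes REG_SZ.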
The data contained in the memory of the target system is also very important to an investigator in determining the condition of the target system. Memory is volatile and constantly changing. Often artifacts from previously executed processes remain in memory for an extended period of time (days, weeks, months and even longer). Having immediate access to the memory while the system is live and running is a valuable capability.
OnLineDFS performs the memory acquisition as a background task. This allows the investigator to initiate the memory acquisition process, which will open in a new window, and continue to other aspects of the investigation. The investigator may view the progress of the memory acquisition until it is completed.
When acquiring memory, OnLineDFS creates a bitstream copy of the target machine's physical memory, ordered by physical address, in the industry-standard raw "dd" format, so memory acquired by OnLineDFS can be examined with third-party tools. Because the system keeps running during acquisition, pages read early and pages read late reflect slightly different moments: the image is a faithful copy of each page, not an atomic snapshot of all memory at one instant.
Persistent data
Persistent data on the hard drive and other storage devices of a computer changes the least and is vital in conducting an investigation of a computer. Having access to the persistent data on a live, running system greatly improves the timeliness of access to this data compared to the traditional method of capturing a disk image and examining the image off-line.
OnLineDFS provides a comprehensive set of features to facilitate access to the persistent data on a live target system. These features include the ability to acquire files and directories; search for files and content without acquiring the data; examine unallocated and slack space; and even create a full image of the hard drive while the computer is in operation.
The "Browse File and Directory" feature provides the ability to browse directories on target machines and acquire the contents of individual files or entire directories. OnLineDFS calculates the MD5 hash of the content on the target machine before it is transferred. After the file has been transferred to the OnLineDFS machine, the hash is calculated again and the two values are compared to confirm that the copy is intact.
OnLineDFS also provides the ability to acquire a "Body File," which is a collection of file system metadata, such as file sizes and MAC (modification, access and change) times, for all files contained in a directory and all of its subdirectories. The body file acquisition feature is a powerful technique for acquiring a great deal of detailed information about files and directories on the target system in a very brief period of time.
OnLineDFS provides an extensive capability to search for directories, files and content within files on the target system. The search options include searching by file name, contents, size, time stamps, owner, primary group, permissions, MD5 checksum, type and location. Search results contain links to acquire the file associated with the matched search result. No data is acquired from the target system during the search process.
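The following added example (illustrative code written for this page, not OnLineDFS's own implementation) produces a body file for a directory tree and performs the hash-before-and-after check described for file acquisition. It writes records in the Sleuth Kit body-file layout (`MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime`), which is an assumption about the layout OnLineDFS uses, and it reads each file's metadata before hashing its content, because reading a file can itself update the access time on the target. The sample directory tree and the "evidence" directory are constructed in temporary folders.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def md5_file(path, chunk=65536):
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _mode_string(st_mode):
    """TSK-style mode string, e.g. 'r/rrw-r--r--' for a regular file or 'd/drwxr-xr-x'."""
    kind = {stat.S_IFREG: "r", stat.S_IFDIR: "d", stat.S_IFLNK: "l"}.get(stat.S_IFMT(st_mode), "-")
    return f"{kind}/{kind}{stat.filemode(st_mode)[1:]}"


def body_line(path, st, digest):
    """One record: MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime"""
    crtime = int(getattr(st, "st_birthtime", 0))     # creation time is not exposed on every platform
    fields = [digest, path, str(st.st_ino), _mode_string(st.st_mode), str(st.st_uid), str(st.st_gid),
              str(st.st_size), str(int(st.st_atime)), str(int(st.st_mtime)),
              str(int(st.st_ctime)), str(crtime)]
    return "|".join(fields)


def walk_body(root):
    """Body file for a whole tree. lstat() runs BEFORE the content is hashed so the
    recorded atime is the one the target had before we read the file."""
    lines = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            digest = md5_file(full) if stat.S_ISREG(st.st_mode) else "0"
            lines.append(body_line(full, st, digest))
    return lines


def acquire_file(src, dst_dir):
    """Hash on the target before transfer, copy, hash the stored copy, and compare."""
    md5_target = md5_file(src)
    dst = os.path.join(dst_dir, os.path.basename(src))
    shutil.copyfile(src, dst)
    md5_stored = md5_file(dst)
    return {"source": src, "stored": dst, "md5_target": md5_target,
            "md5_stored": md5_stored, "verified": md5_target == md5_stored}


def verify_stored(record):
    """Re-check a stored copy at any later time against the hash taken on the target."""
    return md5_file(record["stored"]) == record["md5_target"]


def build_sample_tree():
    """Constructed sample 'target' directory (not real evidence)."""
    root = tempfile.mkdtemp(prefix="target_")
    os.makedirs(os.path.join(root, "docs"))
    with open(os.path.join(root, "docs", "a.txt"), "wb") as fh:
        fh.write(b"hello")
    with open(os.path.join(root, "b.bin"), "wb") as fh:
        fh.write(b"\x00" * 1000)
    return root


def run_demo():
    """Build the sample tree, produce its body file, acquire one file and verify it twice."""
    root = build_sample_tree()
    evidence = tempfile.mkdtemp(prefix="evidence_")
    body = walk_body(root)
    record = acquire_file(os.path.join(root, "docs", "a.txt"), evidence)
    intact = verify_stored(record)
    with open(record["stored"], "ab") as fh:        # simulate later corruption of the stored copy
        fh.write(b"x")
    return {"body": body, "record": record, "intact": intact, "after_tamper": verify_stored(record)}


if __name__ == "__main__":
    result = run_demo()
    print("\n".join(result["body"]))
    print("verified on acquisition:", result["record"]["verified"],
          "| intact later:", result["intact"], "| after tamper:", result["after_tamper"])
```

Body files in this layout can be turned into a timeline with the Sleuth Kit's `mactime`. The second verification shows why the target-side hash is the one to keep: a stored copy that drifts from it, whether through disk error or interference, is detectable at any later point in the case.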
A "Remote Disk Search" capability allows the investigator to perform low-level searches on target drives or partitions. This search is performed below the file system level, accessing all data contained on the target device, including slack, unallocated, and free space. This search will facilitate the identification of fragments of files that have been partially overwritten. OnLineDFS acquires a specified number of "context" bytes with each match. Context bytes are the number of bytes before and after a match that will be acquired in addition to the matched data. This aids the investigator in determining if the match is random or part of a larger file or fragment.
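The chunked scan below is an added example of a below-the-file-system search with context bytes; it is illustrative code written for this page, not the OnLineDFS search implementation, and it assumes a literal byte pattern (the page does not say what pattern syntax OnLineDFS accepts). The device is an 8 KiB constructed image with the token placed at the very start, straddling a chunk boundary, and flush against the end, which are the three positions a naive chunk-at-a-time search gets wrong.

```python
import io

SECTOR = 512


def search_device(dev, needle, context=16, chunk=4096):
    """Scan a raw device or image below the file system for a literal byte pattern.

    dev      seekable binary file object (an open block device or a dd image)
    needle   literal bytes to look for
    context  bytes kept before and after each match, so the investigator can judge
             whether the hit is random or part of a larger file or fragment
    chunk    read size; matches straddling chunk boundaries are found exactly once
    """
    if not needle:
        raise ValueError("empty needle")
    hits, buf, base, scan_from = [], b"", 0, 0   # base: absolute offset of buf[0]
    dev.seek(0)
    while True:
        data = dev.read(chunk)
        at_end = not data
        buf += data
        # Report only matches whose trailing context is already buffered; later ones
        # wait for the next chunk (or are reported now if the device has ended).
        scan_limit = len(buf) if at_end else len(buf) - (len(needle) + context) + 1
        pos = buf.find(needle, scan_from)
        while pos != -1 and pos < scan_limit:
            lo = max(0, pos - context)                       # truncated near device start
            hi = min(len(buf), pos + len(needle) + context)  # truncated near device end
            hits.append({
                "offset": base + pos,
                "sector": (base + pos) // SECTOR,
                "before": buf[lo:pos],
                "match": buf[pos:pos + len(needle)],
                "after": buf[pos + len(needle):hi],
            })
            pos = buf.find(needle, pos + 1)
        if at_end:
            return hits
        # Keep `context` bytes ahead of the first unreported position so leading context
        # survives, and resume scanning there so nothing is reported twice.
        drop = max(0, scan_limit - context)
        buf, base = buf[drop:], base + drop
        scan_from = max(0, scan_limit - drop)


def build_sample_image():
    """Constructed 8 KiB 'device': the token at offset 0, straddling the 4 KiB boundary,
    and ending exactly at the last byte."""
    img = bytearray(8192)
    for off in (0, 4093, 8186):
        img[off:off + 6] = b"needle"
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    for hit in search_device(build_sample_image(), b"needle", context=8):
        print(f"offset {hit['offset']} (sector {hit['sector']}): "
              f"{hit['before']!r} [{hit['match']!r}] {hit['after']!r}")
```

On a real target the same routine would be pointed at a device path such as a raw physical drive, reading in sector multiples; the result set carries the offset and sector of every hit, which is what the investigator needs to decide which fragment to acquire next.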
OnLineDFS provides the ability to image any storage device attached to the target system. Examples of devices that may be imaged are hard drives, USB drives, Zip drives, floppy disks and CDs. The disk imaging operation creates a bitstream image of the storage device. The image is in raw "dd" format and is compatible with third-party tools that may be used to analyze the image data.
The imaging operation runs as a background task in a separate window allowing the investigator to continue to perform other aspects of the investigation and to allow the imaging operation to run in an unattended mode. The investigator may view the status of the imaging background task to determine the length of time to completion.
Two types of disk imaging are supported by OnLineDFS: physical and logical. The physical image operation performs the imaging process on the entire physical drive selected on the target system. The logical image operation performs the imaging process on the logical volumes on the storage device selected by the investigator on the target system.
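As an added illustration of the physical-versus-logical distinction (example code for this page, not the OnLineDFS imager), the block below builds a small constructed disk with a classic MBR, lists its partition entries, and produces both a raw image of the whole device and a raw image of one volume, hashing the bytes as they are written. It handles only MBR partition tables, not GPT, and the sample partition types and layout are invented for the demo.

```python
import hashlib
import io
import struct

SECTOR = 512


def parse_mbr(sector0):
    """Read the four primary partition entries of a classic MBR (GPT is not handled)."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)   # little-endian LBA and length
        if entry[4] != 0 and sectors:                               # type 0x00 marks an unused slot
            parts.append({"index": i + 1, "type": entry[4], "bootable": entry[0] == 0x80,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def image_range(dev, start_sector, sectors, out, chunk_sectors=64):
    """dd-style raw copy of sectors [start, start+sectors) to `out`; returns the MD5 of what was written."""
    dev.seek(start_sector * SECTOR)
    h = hashlib.md5()
    remaining = sectors * SECTOR
    while remaining:
        data = dev.read(min(chunk_sectors * SECTOR, remaining))
        if not data:
            raise IOError("short read")   # a production imager would zero-fill and log, like dd conv=noerror,sync
        out.write(data)
        h.update(data)
        remaining -= len(data)
    return h.hexdigest()


def physical_image(dev, total_sectors, out):
    """Whole drive: MBR, every partition, and the gaps between them."""
    return image_range(dev, 0, total_sectors, out)


def logical_image(dev, part, out):
    """One volume only: the sectors its partition entry points at."""
    return image_range(dev, part["lba_start"], part["sectors"], out)


def build_sample_disk():
    """Constructed 64-sector disk: MBR with two partitions; each data sector is filled with its own LBA."""
    total = 64
    disk = bytearray(total * SECTOR)
    struct.pack_into("<B3xB3xII", disk, 446, 0x80, 0x07, 8, 32)    # bootable, NTFS type, LBA 8..39
    struct.pack_into("<B3xB3xII", disk, 462, 0x00, 0x83, 40, 16)   # Linux type, LBA 40..55
    disk[510:512] = b"\x55\xaa"
    for lba in range(8, 56):
        disk[lba * SECTOR:(lba + 1) * SECTOR] = bytes([lba]) * SECTOR
    return io.BytesIO(bytes(disk)), total


def run_demo():
    dev, total = build_sample_disk()
    parts = parse_mbr(dev.getvalue()[:SECTOR])
    logical, physical = io.BytesIO(), io.BytesIO()
    logical_md5 = logical_image(dev, parts[0], logical)
    physical_md5 = physical_image(dev, total, physical)
    return {"parts": parts,
            "logical_bytes": logical.getvalue(), "logical_md5": logical_md5,
            "logical_check": hashlib.md5(logical.getvalue()).hexdigest(),
            "physical_bytes": physical.getvalue(), "physical_md5": physical_md5,
            "disk_md5": hashlib.md5(dev.getvalue()).hexdigest()}


if __name__ == "__main__":
    r = run_demo()
    for p in r["parts"]:
        print(f"partition {p['index']}: type 0x{p['type']:02x} LBA {p['lba_start']} +{p['sectors']}")
    print("logical image:", len(r["logical_bytes"]), "bytes, md5", r["logical_md5"])
    print("physical image:", len(r["physical_bytes"]), "bytes, md5", r["physical_md5"])
```

The physical image is the only one that captures the partition table itself and any unallocated gaps between volumes, which is where deleted or hidden data outside any file system lives; the logical image is smaller and is what file-system tools expect to open directly.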
OnLineDFS Key Attributes
OnLineDFS is a broad and deep framework for rapid, to-the-point incident response, compliance auditing, and e-discovery. We provide an extensive array of data acquisition and analysis tools, excellent logging and reporting, and an open environment enabling the use of other tools to examine the data we gather.
These are the key attributes of OnLineDFS.
Examines running systems: The fundamental goal of OnLineDFS is to capture information from a running system. Unlike traditional disk imaging approaches, OnLineDFS captures volatile data - valuable information that is lost when traditional disk duplication approaches are used. This information includes open ports, running processes, related applications and files, network connections, listening servers, and memory. There are several vital benefits:
- information is gathered about the running state of the target computer that cannot be gained any other way;
- this information can be critical to determining the nature of a potential problem quickly and initiating the right corrective action in time to make a difference; and
- this can be done without disrupting the operations of the target computer, potentially yielding substantial cost savings to the computer's owner.
Similarly, OnLineDFS optimizes the examination and capture of persistent data from a live, running system, ranging from the acquisition of a single file to taking an image of the entire running hard drive, to searching the logical or physical drives, to obtaining file metadata, and much more. OnLineDFS has been specifically designed to address the issues of examining and capturing persistent data from a live, running system. An investigation with OnLineDFS can be done without disrupting the normal operations and use of the target computer (unlike what happens when a target computer is taken out of service for imaging), potentially yielding substantial cost savings to the computer's owner.
Requires no preinstalled agents: OnLineDFS provides all software required to execute on the target at the time of the investigation. No pre-installed software of any kind is required on a target computer prior to the initiation of an investigation. Because a machine may be compromised, we do not trust the software on the target machine and instead provide our own clean versions. This includes statically linked binaries where applicable. The software does not overwrite the system binaries, but is placed in a temporary directory and later is deleted.
Provides an investigative methodology beginning with "triage" of the target computer, and then enabling an investigation to go in whatever direction the initial results lead: Because OnLineDFS is designed for use on running systems, the investigative framework assumes that the first decision an investigator must make is whether the information the investigator is seeking is actually present on the target computer. Therefore, the typical first step in use of OnLineDFS is to quickly collect volatile data on the current operations of the target. If this discloses possible problems or other evidence that the data being sought is on the target, then OnLineDFS provides tools to enable the investigator to dig deeper in a specific, focused way. While disk imaging is one of the functionalities offered, other data acquisition and data examination tools are offered as well; we do not presume that disk imaging is the solution to all investigative situations. We believe this is particularly pertinent to circumstances where data being examined is on large-scale network storage or a server running mission-critical applications where full disk imaging is impractical or disruptive.
Minimizes impact to and disruption of the target system: Because we are examining running systems, we want to minimize any disruption to the normal system operation (for many reasons which may range from avoiding tipping off a suspect to keeping a mission-critical server up and running). We also want to change as little as possible on the target to avoid impacting potential evidence. Any software we run is removed when its task is complete. The Initial Acquire (our term for the initial capture of an extensive set of volatile state data) typically takes less than a couple of minutes to run and adds no more than 5% load on the CPU. Processes are named so as not to stand out. Tasks that take longer, such as acquiring the entire registry or acquisition of memory, are kept separate from the first step of acquiring volatile information.
OnLineDFS is designed not to interfere with the operation of the running system. For instance, it does not disable writing to the disk or memory, as this would interfere with the target's operation (most likely crashing the system and impeding the investigation).
Operates as inconspicuously as possible: Minimizing the impact of OnLineDFS on the target has the parallel benefit of helping to keep OnLineDFS inconspicuous. As noted above, the initial acquisition of volatile data is very fast and difficult to notice. Little of the target's CPU is used, and the impact on network utilization is well within routine fluctuations. OnLineDFS processes running on the target computer are small (60 KB or less), run briefly and are named so as not to stand out.
OnLineDFS is not invisible, however. Invisibility would require OnLineDFS to intervene in and alter the normal operations of the operating system of the target computer. We intentionally chose not to incorporate such techniques into OnLineDFS to avoid suspicion that the product could be used in improper ways to alter the target system.
Offers protection from unauthorized use: An OnLineDFS investigation requires the target's system name or IP address together with an administrative login and password for that target. Without administrative credentials an investigation cannot be started, which helps protect the enterprise from unauthorized investigations.
Supports secure remote investigation: The investigator's time is a scarce resource, and OnLineDFS was designed to make efficient use of it. The web-based interface allows the investigator to connect from anywhere and conduct an investigation, using a wide variety of web browsers on any OS platform and any IP-based network that reaches the OnLineDFS server. This connection does not need to be high speed; the web pages are deliberately small to keep communication between OnLineDFS and a remote investigator light.
The connection between the investigator's browser and OnLineDFS is secured with HTTPS, so all data sent across it is encrypted.
Adheres to forensic best practices: We have designed OnLineDFS with the following best practices in mind:
- Minimize evidence contamination. By storing evidence on an external, removable drive, we eliminate the possibility of evidence from one investigation contaminating another. We recommend that external disks are properly zeroed before use. In addition, analyses are performed on copies of the data to minimize the number of times evidence is read on the target system. OnLineDFS is designed to minimize interaction with the target machine.
- Work from copies of evidence. We perform analyses only on acquired data - that is, data that has been copied and resides in OnLineDFS storage. This allows us to maintain control of all acquired evidence. Data copied and stored on the OnLineDFS machine includes data from the target that resided on its internal disk as well as any external disk (including non-volatile memory sticks, etc.). Storing data on an external disk allows the investigator to isolate all the data relating to one case on one physical device.
- Record file MAC times. File MAC times, including the access time, are recorded before files on the target machine are read, since reading a file can itself update its access time.
- Avoid duplication or overwriting of acquired data. OnLineDFS data is organized into "Cases," which consist of discrete "Inquiries." Many tasks can only be performed once in a given Inquiry, such as acquiring a particular file or getting a list of running processes. Because the target is a running system, processes and files in memory change over time. To avoid confusion about whether a specific action (e.g., acquire a file) should overwrite the previous instance, or whether an analysis applies to a current or previous action, we allow only one instance of a particular piece of acquired data to exist within each Inquiry.
- Gather evidence in order of volatility. The tasks in the initial data acquisition step (the "Initial Acquire") are performed in the order of volatility, with the most volatile data being acquired first.
- Preserve integrity of the evidence. The integrity of all acquired data is verified with MD5 hashes computed both on the target and on OnLineDFS, to ensure that nothing changed during network transfer. MD5 reliably detects accidental corruption, but it is no longer collision-resistant; where deliberate substitution must be ruled out, also record a hash with a stronger algorithm such as SHA-256 once the evidence is in OnLineDFS storage.
- Document all actions. All activities on OnLineDFS are logged. Each log entry includes the investigator, the investigator's location, the time and the activity. For acquisitions, the activity is logged as its command-line equivalent, including all flags and options. The log is periodically hashed, and the hash is appended to the end of the log.
- Maintain chain of custody for evidence. Because all evidence can be stored on an external, removable disk, existing practices to maintain chain of custody, such as evidence lockers with sign-in and sign-out procedures, can be applied.
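The block below is an added example, written for this page rather than taken from OnLineDFS, that ties together three of the practices above and the "Initial Acquire" described under volatile data: categories are acquired in order of volatility, each artifact is hashed on receipt, and every action is logged as its command-line equivalent in an append-only log that is periodically sealed with a hash of everything above it, so that a later edit to any earlier line is detectable. The category names, volatility ranks, commands and the target output are all constructed stand-ins; the real twenty-nine Windows categories and the OnLineDFS log format are not documented on this page.

```python
import hashlib
import json
import time

# ASSUMED state categories; rank 1 is most volatile and is acquired first. The real
# category list and the exact commands OnLineDFS uses are not shown on the page.
CATEGORIES = {
    "network_connections": {"rank": 1, "live_only": True,  "cmd": "netstat -ano"},
    "running_processes":   {"rank": 2, "live_only": True,  "cmd": "tasklist /v"},
    "open_files":          {"rank": 3, "live_only": True,  "cmd": "handle -a"},
    "logged_on_users":     {"rank": 4, "live_only": True,  "cmd": "query user"},
    "installed_software":  {"rank": 9, "live_only": False,
                            "cmd": "reg query HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall /s"},
}

# Constructed output a transient utility might send back; in a real run it arrives over the network.
SAMPLE_TARGET_OUTPUT = {
    "network_connections": "TCP 10.0.0.5:445 10.0.0.9:50231 ESTABLISHED 4\n",
    "running_processes": "svchost.exe 844\nexplorer.exe 1720\n",
    "open_files": "1720 C:\\Users\\alice\\report.docx\n",
    "logged_on_users": "alice console 1 Active\n",
    "installed_software": "7-Zip 9.20\n",
}


def collect(category, target):
    """Stand-in for pushing the transient utility to `target`, running it, and deleting it."""
    return SAMPLE_TARGET_OUTPUT[category].encode()


class ActivityLog:
    """Append-only log. Every `every` entries, and whenever seal() is called, a hash of
    everything above is appended as its own entry; altering an earlier line breaks every later seal."""

    def __init__(self, every=3):
        self.lines, self.every, self._unsealed = [], every, 0

    def record(self, investigator, location, activity):
        entry = {"investigator": investigator, "location": location,
                 "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()), "activity": activity}
        self.lines.append(json.dumps(entry, sort_keys=True))
        self._unsealed += 1
        if self._unsealed >= self.every:
            self.seal()

    def seal(self):
        digest = hashlib.md5("\n".join(self.lines).encode()).hexdigest()
        self.lines.append(json.dumps({"log_hash": digest, "entries": len(self.lines)}))
        self._unsealed = 0


def verify_log(lines):
    """Recompute every seal; False if any line above a seal no longer matches it."""
    for i, line in enumerate(lines):
        entry = json.loads(line)
        if "log_hash" in entry:
            if entry["log_hash"] != hashlib.md5("\n".join(lines[:i]).encode()).hexdigest():
                return False
    return True


def initial_acquire(target, investigator, location, selected=None, log=None):
    """Acquire the selected categories in order of volatility, hashing and logging each one."""
    log = log if log is not None else ActivityLog()
    selected = selected or list(CATEGORIES)
    artifacts = []
    for category in sorted(selected, key=lambda c: CATEGORIES[c]["rank"]):
        meta = CATEGORIES[category]
        data = collect(category, target)
        artifacts.append({"category": category, "live_only": meta["live_only"], "data": data,
                          "md5": hashlib.md5(data).hexdigest(),
                          # MD5 alone is not collision-resistant; keep a stronger hash alongside it
                          "sha256": hashlib.sha256(data).hexdigest()})
        log.record(investigator, location, f"acquire {category} from {target}: {meta['cmd']}")
    log.seal()
    return artifacts, log


if __name__ == "__main__":
    artifacts, log = initial_acquire("10.0.0.5", "jdoe", "SOC workstation 1")
    for a in artifacts:
        print(a["category"], a["md5"], "(live only)" if a["live_only"] else "")
    print("\n".join(log.lines))
    print("log verifies:", verify_log(log.lines))
```

Sealing with a hash of the whole log so far, rather than of the last few lines only, is what makes the log tamper-evident end to end: the last seal vouches for every line before it, so a custodian need only trust the final hash (for instance by copying it into a case notebook) to detect any later change.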
Provides an easy-to-use user interface: The OnLineDFS web interface is simple and easy to use. Each page has context-sensitive help. All tables have a standard "look and feel." The overall flow of the web pages supports the order typically used by investigators. Whenever possible, essential information appears at the top of the page, in plain sight. For some pages, we provide automatic scrolling for pages that generate output that exceeds the viewing area. OnLineDFS does not require any special browser configurations, such as cookies, JavaScript, ActiveX, etc. The majority of the interface is text based. While this may give a more austere appearance, our experience is that investigators prefer content and fast response over intense graphic formatting and presentation.
Enables use of third-party tools: OnLineDFS data is stored in non-proprietary formats, which facilitates the use of third-party tools to analyze data acquired during an investigation. Acquired disk images, for instance, are in the standard raw dd format and can therefore be analyzed with tools such as EnCase Forensic Edition or AccessData's Forensic Toolkit (FTK); raw data for which no standard exists is recorded in human-readable text or XML files.