TR-30 - Acquisition Support Tools for Local Incident Response Teams (LIRT)

Overview

In addition to CIRCL TR-22 - Recommendations for Readiness to Handle Computer Security Incidents, TR-30 provides a list of evidence acquisition support tools which can be used by Local Incident Response Teams (LIRT). The tools can be used to gather forensic evidence from Microsoft Windows systems, including memory, registry and other artefacts.

We recommend acquiring evidence from the running systems, especially memory and registry evidence. In case of encrypted disks or hardware RAID, we recommend a live disk acquisition before the system is shut down. If the system is not encrypted, we recommend an off-line disk acquisition, if possible with a write-blocker device. To test whether a disk is encrypted, the EDD tool mentioned below can help you.

Memory Acquisition: DumpIt

DumpIt is a quick and easy command-line tool to acquire a raw memory dump from 32- and 64-bit Microsoft Windows systems.

cd dumpit
dumpit.exe
-- Press y to write the memory dump into the working directory

Memory and Locked Files Acquisition: FTK Imager Lite

FTK Imager Lite is GUI-based software to acquire disk images (in raw format, EnCase format and its own custom format) and registry hives from live systems.

Encrypted Disk Detector

EDD (Encrypted Disk Detector) is a command-line tool to check for encrypted volumes (TrueCrypt, PGP, BitLocker and others). Separate encrypted containers stored as files on the file system won't be detected.

cd d:\edd\
edd.exe /accepteula

References

Known hashes (MD5, SHA1) of the tools

DumpIt

84f0feb07beae896d471f45527d781b0  DumpIt.exe
5741af8cc8a4ded2780cb3f37ca29a5796c6d858  DumpIt.exe

Encrypted Disk Detector

9d323d4f3a4dd548e72e92d20dc62878  EDD.exe
821f8b0f6d9449dfd3f22535d62e98374f6eabe3  EDD.exe
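As an added example (not part of the TR-30 document or of the tools it lists), the following Python script parses a hash list in the two-space "hash  filename" layout used above and verifies the tools on the incident response USB key before they are run on a compromised host. The digests in KNOWN_HASHES are constructed sample values for illustration, not the tool hashes from the document.

```python
import hashlib
from pathlib import Path

# Known-good list in the "hash  filename" layout used in TR-30.
# Constructed sample digests (md5/sha1 of "hello" and of an empty file),
# not the document's tool hashes.
KNOWN_HASHES = """\
5d41402abc4b2a76b9719d911017c592  DumpIt.exe
aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d  DumpIt.exe
d41d8cd98f00b204e9800998ecf8427e  EDD.exe
da39a3ee5e6b4b0d3255bfef95601890afd80709  EDD.exe
"""

# The hex digest length tells MD5 (32) from SHA1 (40) apart, as in the list above.
ALGO_BY_LENGTH = {32: "md5", 40: "sha1"}

def parse_hash_list(text):
    """Return {filename: {algo: expected_hexdigest}} from md5sum-style lines."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Two-space separator keeps names containing spaces (e.g. "FTK Imager.exe") intact.
        digest, _, name = line.partition("  ")
        algo = ALGO_BY_LENGTH.get(len(digest))
        if algo is None or not name:
            raise ValueError(f"unrecognised hash line: {line!r}")
        expected.setdefault(name, {})[algo] = digest.lower()
    return expected

def file_digest(path, algo):
    """Stream the file through the chosen digest so large tools don't load fully into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_tools(tool_dir, hash_list=KNOWN_HASHES):
    """Check every listed tool; returns {filename: "ok" | "missing" | "MISMATCH"}."""
    results = {}
    for name, digests in parse_hash_list(hash_list).items():
        path = Path(tool_dir) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        # Every listed algorithm must match; a single bad digest marks the tool as altered.
        ok = all(file_digest(path, algo) == exp for algo, exp in digests.items())
        results[name] = "ok" if ok else "MISMATCH"
    return results

if __name__ == "__main__":
    import sys
    for name, status in verify_tools(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{status:9} {name}")
```

Run it from the root of the USB key before starting any acquisition; a MISMATCH or missing tool means the key should not be trusted on the target system.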

Contact

If you open an incident ticket and need more support regarding the forensic acquisition, feel free to contact us.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:WHITE - First version (included in the CIRCL incident response USB key)