Monday, March 12, 2007

Imaging that remote PC/Server.....

So what better thing to do on a Monday morning than go through all the e-mails, blogs and news that have piled up over the weekend, especially a time-change weekend. I will try to keep this light, but I am sure it will raise questions. What I have for you today is a way I have found to take a remote image of a machine. The tools I will use are a simple batch file, AutoIt, psexec and X-Ways Capture (Capture being the only non-free tool, but well worth the money). I will not go into much detail about Capture beyond imaging the machine; it is worth looking at, though, as it has many features for live imaging and incident response as well.

I have uploaded a zip file with my AutoIt script and executable and a couple of batch files, and it can be found here. What I do, in a nutshell, is psexec a batch file to the remote machine and execute it. I use the copy flag on psexec, which copies the file to the machine before running it. From what I have tested so far (I still need to do more, but I wanted to introduce this to everyone), this is what I have seen being changed on the target:

1. An entry in the $MFT for the batch file, with the file itself stored resident in the $MFT (the file is only 111 bytes).
2. On XP systems, prefetch files are created for psexec.exe, the batch file, capture.exe and net.exe.
3. The registry is updated.
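As an added example (not part of the original post or its zip file), the following batch file lists those traces on the acquired machine afterwards so the footprint can be documented in the case notes. It assumes the copied batch file was named remote_image.bat and was placed in the remote Windows directory (where psexec -c copies files through ADMIN$); PSEXESVC is the service PsExec installs and is not named on the page.

```batch
@echo off
rem footprint_check.bat - added example, not from the post. Run on the imaged
rem machine after acquisition to list the traces the post reports:
rem the copied batch file, XP prefetch entries, and the registry change.
rem Assumptions: the copied script was called remote_image.bat; PSEXESVC is
rem the service name PsExec installs (not stated on the page).
setlocal
set "PF=%SystemRoot%\Prefetch"

echo == Prefetch entries (XP only; absent on servers with prefetch disabled) ==
for %%p in (PSEXEC PSEXESVC CAPTURE NET REMOTE_IMAGE) do (
    if exist "%PF%\%%p*.pf" dir /b "%PF%\%%p*.pf"
)

echo == Batch file copied by psexec -c (lands in the Windows directory via ADMIN$) ==
if exist "%SystemRoot%\remote_image.bat" (
    dir "%SystemRoot%\remote_image.bat"
) else (
    echo remote_image.bat not present
)

echo == Registry: PsExec service key ==
reg query HKLM\SYSTEM\CurrentControlSet\Services\PSEXESVC 2>nul || echo PSEXESVC key not present
endlocal
```

Run it once before and once after the acquisition and keep both outputs with the image; the difference is the documented footprint of the procedure on the evidence machine.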

Now for what I did. The AutoIt script Remote_capture.exe asks for the following fields to be filled in:

1. Remote computer's name - Defaults to the current machine name; this is the machine that will be imaged.
2. Domain\Username - Domain (if any) and username to log on with; the account must be an administrator on that machine.
3. Password - Password of the account used to log in.
4. Capture drive mapping - Drive letter and UNC path to where the Capture software is.
5. Output drive mapping - Drive letter and UNC path to where the output (image and logs) will go.
6. Capture executable directory - Directory on the mapped drive where X-Ways Capture resides.
7. Capture output directory - Directory on the mapped drive where the output will go.

There are two buttons to push. One shows the drives already mapped on the machine you are going to image, which is helpful to make sure you do not try to map over a drive letter that is in use; the other starts the process. Once all the information is filled in and you start the process, here is what happens.

1. A batch file is executed locally to run psexec and pass it all the fields above as parameters; psexec then executes another batch file on the machine to be acquired.
2. That batch file is copied to the remote machine and executed, and does the following:

   1. Map the drive for the Capture software.
   2. Map the drive for the output to go to.
   3. Change directory to where the Capture software is.
   4. Execute X-Ways Capture and image the drive.
   5. Delete both drive mappings.

3. A batch file is executed to show the drive mappings of the remote machine, to confirm that they have been deleted.
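The batch file below is an added example of the script that runs on the acquired machine in step 2; it is not the author's script from the zip file, and the argument order, variable names, exit codes and log file are assumptions. The commented psexec lines show the assumed form of steps 1 and 3 on the operator's side (the -u, -p and -c switches are real psexec options). X-Ways Capture's command-line options are not on the page, so capture.exe is run bare and you would add the options your version documents.

```batch
@echo off
rem remote_image.bat - added example of the remote-side batch file (step 2).
rem Not the post's own script; argument order, variable names, exit codes
rem and the log file are assumptions. psexec copies this file to the target
rem with -c and runs it there.
rem
rem Operator side, assumed form:
rem   step 1: psexec \\TARGET -u DOMAIN\user -p PASSWORD -c remote_image.bat ^
rem               X: \\evidence\capture Y: \\evidence\images Capture Images\TARGET
rem   step 3: psexec \\TARGET -u DOMAIN\user -p PASSWORD net use
setlocal
if "%~6"=="" (
    echo usage: %~nx0 capDrive capUNC outDrive outUNC captureDir outputDir
    exit /b 1
)
set "CAPDRV=%~1"
set "CAPUNC=%~2"
set "OUTDRV=%~3"
set "OUTUNC=%~4"
set "CAPDIR=%~5"
set "OUTDIR=%~6"
set "RC=0"

rem Steps 2.1-2.2: map both shares. /persistent:no keeps the mapping out of
rem the profile so nothing is reconnected at the next logon.
net use %CAPDRV% "%CAPUNC%" /persistent:no >nul || (set "RC=2" & goto cleanup)
net use %OUTDRV% "%OUTUNC%" /persistent:no >nul || (set "RC=3" & goto cleanup)

rem Step 2.3: run from the Capture directory so it finds its own files.
cd /d "%CAPDRV%\%CAPDIR%" || (set "RC=4" & goto cleanup)
if not exist "%OUTDRV%\%OUTDIR%" mkdir "%OUTDRV%\%OUTDIR%"
set "LOG=%OUTDRV%\%OUTDIR%\acquisition.log"

rem Step 2.4: image the drive. Add the Capture options your version documents
rem after capture.exe; they are not given on the page.
echo %DATE% %TIME% start host=%COMPUTERNAME% user=%USERNAME% >> "%LOG%"
capture.exe
set "RC=%ERRORLEVEL%"
echo %DATE% %TIME% end rc=%RC% >> "%LOG%"

:cleanup
rem Step 2.5: always remove the mappings, even when an earlier step failed,
rem so the target is left as found and step 3 shows no stray drive letters.
net use %CAPDRV% /delete /y >nul 2>&1
net use %OUTDRV% /delete /y >nul 2>&1
endlocal & exit /b %RC%
```

Two points worth noting when adapting this. The mappings are removed from a single cleanup label so that a failed mount or a missing Capture directory cannot leave a share connected on the evidence machine. And while the AutoIt front end does not echo the password on screen, a password passed to psexec with -p is still visible in the operator machine's own process command line for the duration of the run, so use a dedicated acquisition account and retire the credential afterwards.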

That is it in a nutshell. I have tested this on a VM server, a remote PC and a Citrix server, and I have successfully imaged each machine and was able to import the image into X-Ways Forensics.

A few neat features of this are:

1. The AutoIt script and batch file can be given to an administrator, which shows that you are not doing anything out of the ordinary.
2. The passwords do not echo back, so an administrator can type the password in for you and you do not need to know it (yes, I know you can change the batch file to echo it, but we have no need to do that).
3. When the scripts run on the remote machine, no windows are opened; the only indication that anything is running is a couple of extra processes in Task Manager and lots of disk activity.
4. If you really want to be slick, you can rename the capture.exe program to svchost.exe (or something along that line), so if a user does look, or the program abends, it will look like a normal running program (I did abend the program and saw an error message pop up on the remote machine saying capture.exe had abended).


Hope this helps. If anything is not clear, let me know and I will try to explain further.

Thought/Questions/Comments?

Comments:
Kenny said...

eDiscovery just keeps getting more and more complex, which is why I leave it up to the professionals, like FTI.