The FTimes Project The HashDig Project The WebJob Project The PaD Project
Location: / Home / FTimes / FTimes in Action / Evidence Collection
FTimes in Action
Live Systems

If you have reason to suspect that a system has been compromised, your first investigative action should not be a console review. If the system can be taken off line, you should take the necessary steps to halt the system, image the drives, and conduct your investigation on a working copy of the image.

This, however, may not always be possible. In that case you should follow a procedure that allows you to collect evidence based on its volatility. Obviously, memory and process space are most volatile. After this, you need to preserve time stamps, especially access, modification, and change times. FTimes let's you preserve time stamps before they are destroyed by curiosity, console review, or other tools that aren't sensitive to this issue. Information collected in this manner may be sufficient to determine the cause of a particular anomaly. If not, at least you have a snapshot of information that you can refer to later on in the investigation.

Imaged Systems

FTimes was originally written as a workbench tool. That is to say, it was specifically written to collect evidence from systems whose disks have already been imaged. In this scenario the image is restored as a working copy on a analysis platform, and mounted (read only) for review. FTimes, and other tools resident on the analysis platform, would then be configured to examine the mounted image.

Remote Systems

When FTimes scans a system, it needs a place to store its data. The controls, OutDir and LogDir, supply this information. Typically, OutDir and LogDir specify locations local to the system being scanned. In an evidence collection scenario, this is not desireable since writing output to the local system can destroy evidence. To bypass this potential problem, the practitioner can choose to mount a remote share, and set OutDir and LogDir accordingly. Then, as FTimes runs, its output will be written to the remote share.

Another way FTimes supports remote evidence collection is through its native HTTP/HTTPS upload capability. The FTimes distribution provides a CGI script, nph-ftimes.cgi, that can be used to receive snapshot data. The ability to automatically post snapshot data to a remote location can be very useful. For example, suppose that a company suspects that it is under attack, but there is no one onsite to conduct an investigation. In this situation a system administrator could run FTimes on the suspect system and post the data directly to a location where it may be analyzed. This can significantly reduce the amount of time needed to diagnose many breaches.


Copyright 2000-2014 The FTimes Project, All Rights Reserved.
The FreeBSD Project SourceForge Logo KoreLogic, Inc.