Collecting locked files from Windows hosts with sleuthkit
When performing triage forensics on Windows computers, full hard drive images are not obtained; instead only a small subset of files that can potentially contain critical information is collected, in addition to other volatile evidence. Triage analysis is much faster than collecting and analyzing a full forensic image, and in many cases it makes it possible to determine which hosts require a full forensic investigation and to provide input for a deeper analysis.
Unfortunately, on Windows several files that contain critical evidence are locked by the operating system and cannot be copied through the Windows API like most other files on the computer. The same is true for some malware that implements the same locking mechanism. One option for copying such files is to power off the computer and boot it from a LiveCD/LiveDVD, or to remove the hard drive and connect it to a write blocker to extract the files from another computer. But in many cases powering off the computer is not an option, such as when the computer is mission critical, or when full disk encryption is in use and the files would become inaccessible offline. To collect these files while the computer is running, the files must be read through raw access to the volume instead of through the Windows API.
One of the tools that allows raw access for copying locked files is sleuthkit, which is free to use and flexible. To copy a locked file we first use ifind to determine the metadata address (the MFT entry) of the file, and then run icat to dump the file's content. Make sure to place all sleuthkit DLL files in the same folder as the sleuthkit executables, and run the tools with elevated privileges. The syntax for the ifind and icat commands is shown below.
ifind.exe -n <file path> \\.\<logical drive>
ifind returns the metadata address to be used in the icat command:
icat \\.\<logical drive> <metadata address>
In the following example I show
how to collect the system registry hive with this method.
Since sleuthkit does not use a graphical user interface, it can be driven from wrapper scripts in VBScript, PowerShell or any other language. With some automation you can collect all the files that you require, such as the Windows registry hives, Amcache and the NTFS $MFT.
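The following PowerShell wrapper is an added example, not code from the original post. It runs the ifind/icat sequence described above over a list of commonly locked files and records a SHA256 hash of each copy; the sleuthkit folder, output folder and file list are assumptions you should adjust.

```powershell
# Added example (not from the original post): wraps sleuthkit's ifind/icat to copy
# locked files from a live Windows volume. Assumes ifind.exe, icat.exe and the
# sleuthkit DLLs live in $TskDir and that the script runs from an elevated prompt.
param(
    [string]$TskDir = 'C:\Tools\sleuthkit\bin',       # assumed location
    [string]$Drive  = 'C:',
    [string]$OutDir = "D:\Triage\$env:COMPUTERNAME"   # assumed location
)
# Files normally locked while Windows runs; paths are relative to the volume root.
$Targets = @('/Windows/System32/config/SYSTEM', '/Windows/System32/config/SOFTWARE',
             '/Windows/System32/config/SAM',    '/Windows/System32/config/SECURITY',
             '/Windows/AppCompat/Programs/Amcache.hve', '/$MFT')

$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$admin = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not (New-Object Security.Principal.WindowsPrincipal $id).IsInRole($admin)) {
    throw 'Raw volume access requires an elevated prompt.'
}
$ifind = Join-Path $TskDir 'ifind.exe'
$icat  = Join-Path $TskDir 'icat.exe'
$image = "\\.\$Drive"   # raw device path: reads the volume beneath the file locks
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Runs icat and copies its stdout to disk as raw bytes. Sending the output through
# the PowerShell pipeline would mangle binary content, so the .NET stream is used.
function Invoke-Icat([string]$Image, [string]$Addr, [string]$Dest) {
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $icat; $psi.Arguments = "`"$Image`" $Addr"
    $psi.UseShellExecute = $false; $psi.RedirectStandardOutput = $true
    $p  = [System.Diagnostics.Process]::Start($psi)
    $fs = [System.IO.File]::Create($Dest)
    try { $p.StandardOutput.BaseStream.CopyTo($fs) } finally { $fs.Dispose(); $p.WaitForExit() }
    return $p.ExitCode
}

$manifest = Join-Path $OutDir 'manifest.csv'
foreach ($path in $Targets) {
    # Step 1: ifind -n maps the path to its metadata (MFT entry) address.
    $addr = (& $ifind -n $path $image 2>&1 | Select-Object -First 1).ToString().Trim()
    if ($addr -notmatch '^\d+(-\d+(-\d+)?)?$') { Write-Warning "ifind: $path -> $addr"; continue }
    # Step 2: icat dumps the content stored at that metadata address.
    $dest = Join-Path $OutDir ($path.TrimStart('/') -replace '[/\\$]', '_')
    if ((Invoke-Icat $image $addr $dest) -ne 0) { Write-Warning "icat failed for $path"; continue }
    # Hash at collection time so the copy can be verified later in the investigation.
    $h = (Get-FileHash -Algorithm SHA256 -Path $dest).Hash
    [pscustomobject]@{Path=$path; MetaAddr=$addr; File=$dest; SHA256=$h} |
        Export-Csv -Path $manifest -Append -NoTypeInformation
}
```

Write the output to a separate volume or removable media so that the collection does not overwrite unallocated space on the volume being examined.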