Summary Issues which may need general forensics Attention


One consideration to start with is the current security settings and software load of the system. Windows has reported system failures and shipped bug fixes every day for more than a decade; that is the nature of using Windows as the operating system for forensics applications. However, to the extent that a machine's system install yields spurious results or findings, it must be repaired within some guideline that makes common sense. Even if there had never been a bug fix in ILook in the last 10 years, a bug fix to Windows is available to OEMs and developers like Perlustro every day. Many of these fixes can more than slightly affect forensics findings. Many others fix things of relative unimportance and in turn break things of major importance. The theory of a base Windows “standard” operating system is, at its best, an impossible standard to attain with any guarantee. Developments in Windows development environments such as Visual Studio presume the underlying system has in fact adopted bug fixes and changes in a never-ending path of updates. That is the design of the OS itself: it is always in a state of upheaval and repair, and it cannot be presumed otherwise.

Obviously any system incorporates an unknown number of patches that are not easily studied, and even knowing the patch history provides little comfort in answering the question: do I need to patch this OS in order to continue? We cannot give a definitive answer, but we do know it is better to reconcile problems without the never-ending effects of patch changes. That presumes that at the time a major software installation like ILookIX takes place, you have fully reconciled these issues: you have either patched the system to a current state of acceptable performance, or you have decided it was already in that state and left it alone. Whatever the decision, future updates must be handled cautiously on a forensics machine.

This would be a good time to consider bringing the machine OS and hardware-dependent software up to date to provide a better backup image base. While this is only advice, it is a fact that some solutions we have found over the years were the result of patches, and other problems were induced by patches. Almost every major MS patch creates some further problems. There is no perfect solution for either Microsoft or Perlustro in this regard. Things change, new challenges arise, and you must adapt to them or accept the facts as you find them. Such is the state of complex computer-related tasks, as every dedicated forensics specialist finds every working day.

http://support.microsoft.com/default.aspx/kb/913086 is a source you can use if your machine is NOT network-connected for updates: it provides a static download point for ISO files of security patches for any Windows version. They are released monthly and are cumulative. They are not necessarily service pack bug fixes but incorporate them in some cases. MS does not always list the bug fix additions to security patches, nor does it always publish a full and complete bug list for each patch change.

Defrag your system drive and any ILookIX Control Point drives routinely, using the instructions below:

Perfectdisk is a file system and MFT defrag utility supported by Microsoft which has a 30-day trial version: http://www.softpedia.com/get/System/Hard-Disk-Utils/PerfectDisk.shtml

Diskeeper is also an application which allows for boot time MFT defragmentation.

Under Vista, the system itself will defrag the MFT and other historically non-defragmentable files, but it will not move the MFT structure for optimum placement. It also runs as a background process with low priority, i.e. it is not very fast.

Here, a word about MFT fragmentation is important because, if mismanaged, it can dramatically reduce your efficiency when working with extreme numbers of files and temporary deletions, certainly when you get into the tens or hundreds of millions of files. In one ILookIX example case, a 110 gig boot drive yielded 26 million entries just for Registry Hives. Similar numbers are not uncommon, even at the file system level.

It may be necessary, on a dedicated forensics drive, to expand the base MFT size itself. This can only be done SHORTLY after a system is installed.

An MFT can be too big if a volume used to have massive amounts of deleted files. The files that were deleted cause internal holes in the MFT. These holes are significant regions that are never used by existing files. It is impossible to reclaim this space using normal utilities. http://support.microsoft.com/kb/174619

A more optimal forensics setting for a boot drive, as well as for an ILookIX Data Control Point drive where you store ILookIX working set data, is to increase the default MFT zone reservation from 12.5% of the available disk space to 25%. This does NOT mean it consumes that much space when the change is made, but it does mean the space is reserved for the MFT’s growth and expansion.

Using regedit, expand the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
Right-click in the value area and select New/DWORD Value, naming it NtfsMftZoneReservation.
Once created, double-click the new value and enter “2”.
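As an added example (not part of the ILookIX documentation), the PowerShell script below does the two checks this page asks for before committing a drive: it reports the volume's free-space percentage against the 25% rule given in the defragmentation section, and reads the NtfsMftZoneReservation value under the FileSystem key, creating it as a DWORD of 2 only when run with -Apply and reading it back to confirm. The -DriveLetter and -Apply parameters are my own assumptions, and the script assumes an elevated prompt.

```powershell
# Added example: check free space and the NTFS MFT zone reservation value.
# Assumes an elevated PowerShell prompt; -DriveLetter and -Apply are this example's own parameters.
param(
    [string]$DriveLetter = "C",
    [switch]$Apply
)

$regPath    = "HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem"
$regName    = "NtfsMftZoneReservation"
$wanted     = 2    # per this page: 2 reserves 25% of the volume for MFT growth (default 1 = 12.5%)
$minFreePct = 25   # this page's rule: never let a boot or Control Point drive drop below 25% free

# 1. Free-space check via WMI; DriveType 3 = local fixed disk.
$disk = Get-WmiObject -Class Win32_LogicalDisk -Filter "DeviceID='$($DriveLetter):' AND DriveType=3"
if (-not $disk) { throw "Fixed volume $DriveLetter`: not found" }
$freePct = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
Write-Host ("{0}: {1} GB total, {2}% free" -f $DriveLetter, [math]::Round($disk.Size / 1GB), $freePct)
if ($freePct -lt $minFreePct) {
    Write-Warning "Below the $minFreePct% free-space floor: clear and defrag first, or use another drive"
}

# 2. Read the current MFT zone reservation value (absent means the 12.5% default applies).
$current = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($null -eq $current) {
    Write-Host "$regName not set (default 12.5% zone)"
} else {
    Write-Host "$regName currently = $current"
}

# 3. Apply the change only on request, then read it back to confirm the write succeeded.
if ($Apply -and $current -ne $wanted) {
    if ($null -eq $current) {
        New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value $wanted | Out-Null
    } else {
        Set-ItemProperty -Path $regPath -Name $regName -Value $wanted
    }
    $after = (Get-ItemProperty -Path $regPath -Name $regName).$regName
    if ($after -ne $wanted) { throw "Write failed: read back $after" }
    Write-Host "$regName set to $wanted; NTFS applies the new zone size after a reboot"
}
```

Run it once without -Apply to see the current state, then with -Apply on the boot and Control Point drives that pass the free-space check.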

Defragmentation

Defragmentation takes several forms depending on the condition of the boot system, and it needs to be noted that the Microsoft method of severe MFT defrag repair is still the best: replace the boot drive with a new system, or reformat the drive after making a full system backup to restore.

In order to defrag most effectively, the swap file should be removed from the running system. Set the swap file to NONE in Control Panel => System => Advanced. Reboot the machine, then clear the free space with the Sysinternals Sdelete.exe utility from Microsoft.

At the conclusion of clearing and zeroing the free space on the disk, run a defrag utility as noted above, or the system Defrag, then reboot, then replace the swap file by setting it to the same minimum and maximum FIXED size of 8 gigs. If you have a second drive, take the same actions and store a second 8 gig FIXED swap file on the second drive as well. Just ensure you have followed the same process of zeroing the drive or free space with SDELETE and defragging it before installing the second swap file.

  1. Defrag the disk using a slightly unusual method. First, delete the swap file on the machine entirely. Reboot the machine and make sure it will in fact reboot with no swap file in place.
  2. If the machine reboots successfully, go back to Control Panel => System and make certain that no swap file exists.
  3. Now run the system defrag at a cmd prompt for the boot drive. When this has run, run Sdelete with the “/c” clear switch to zero the free space on the drive. Optionally run Perfectdisk.exe.
  4. ILookIX cannot run if the physical drive, including the SQL Server installation, does NOT HAVE 25% of the physical drive volume as free space. SQL Server itself will need to create and maintain temp files while running. Always make certain you never go below 25% free space on the boot drive.

NTFS may in fact appear to have more than enough free space, but that presumes the file system itself is not overloaded and depleted by file fragmentation, index fragmentation, or near-exhausted $MFT entry room in the MFT zone. When this occurs, the MFT becomes so fragmented that it can run out of space even where free space exists, and it must then expand outside its own protection mechanism and borrow room from the file system itself. This often occurs in a forensics scenario where one would least expect it. The conditions that cause it are often difficult to assess, but include: copying hundreds of thousands or millions of small MFT-resident files (under 1000 bytes) to the disk at one point in time; large file copies scattered around the disk which leave multiple fragments in a non-deleted state; or large numbers of file deletions, even where the recycle bin is turned on (which it should not be, regardless).

If you do not already have more than 25% free space on the boot drive, you may be in a predicament where you cannot defrag the MFT at all. You would have to increase the boot drive capacity and remove the fragment burden by setting up a NEW boot system.

The curative for this is also part of the diagnosis. With either Vista or XP as the OS, you can assess the file system with CHKDSK first. This should be run BEFORE a defrag, and also after a defrag, by simply repeating the process twice:

Defrag->sdelete freespace->reboot->chkdsk and defrag again.

If the file system objects returned show more than 225,000 files on the boot system, you need to consider either using another drive with a new OS install or reclaiming space on the disk by deleting all files and folders that are no longer needed. If you cannot otherwise determine the condition of the system, you can look at the size of the $MFT itself and its own fragmentation to make a further determination of what action to take.

A rule: a fragmented MFT is NOT a good thing, and it will only get worse.

You can determine the MFT size and fragmentation easily with the “-a” switch of the built-in Defrag utility. At the end of the volume report, you will find the PERCENT MFT IN USE.

If this number is high, then less MFT space remains before it disrupts the file system, and that is a serious negative to using that drive for further processing. The “hole” space lost when an MFT creeps outside its containment area in fragments shows up as dramatically slower file access and deletion times. In general, a Control Point drive under ILookIX should be used only for a finite number of cases or millions of file records before it is copied off, reformatted and recopied, or the data drive is replaced. 20 million may sound like a large number, but it could easily occur in just one ILookIX case being processed to export the contained files.

You can also use Disk Defragmenter (Perfectdisk or similar): just click the View Report button. The drive statistics will be displayed, including the current MFT size and number of fragments, but it will not provide the “% in use” number that Defrag does.

The obvious question is what counts as a “lot” of fragments. The answer: let us use nominal values based on clean file system loads analyzed in ILookIX. That exam usually reveals few if any MFT fragments in most systems analyzed. Generally, a system in nominal form will have an MFT with 0 or fewer than 5 fragments. Based on experience in ILook itself, a well-tuned MFT has fewer than 4 fragments, or it is in dire need of defragging.

At the other end of that spectrum, any system with over 10 fragments simply needs replacement. In no circumstances should a drive with less than 20% free space, including any recycle bin objects, be used for an install of anything SQL Server or ILookIX related. So, using that as a rule, if you have a report from Defrag or Sysinternals ntfsinfo.exe showing more than 4 fragments, you will not have an optimized forensics system in any form. The only totally reliable method to defrag an MFT is to put a new format on an NTFS drive and restore a file system backup to it, which lays out the MFT in physical file system order. A commercial version of Perfectdisk can accomplish a similar task.

Check The Memory

Assuming you have addressed all events of note in the system logs, use the Vista Control Panel to check the memory of the machine itself, or use IXimager’s memtest or Memtest86 to validate that the RAM is not malfunctioning.

If you are using XP, you can use Memtest if you have no IX builds. Once you have IXimager 3, pressing F2 on boot will test your RAM using the boot memtest option.

The Windows Vista memory checker (http://oca.microsoft.com/en/windiag.asp), while a first-step memory test, is adjunctive to a current version of Memtest86. Both should be run overnight or over a weekend, and routinely. RAM fails at the same statistical rate as hard drives. This process should be repeated no less than every 3 months, and preferably every month. In some cases it will identify failed RAM slots or other functional errors that require hardware repairs. RAM failures can become a source of unparalleled errors which have no reasonable explanation.

You should have 4 gigs of physical memory installed. If you run MSINFO at a cmd window and see less than 2 gigs of available memory, you need to consider the applications you are already running and how they will impact the forensics performance of the workstation. By using HijackThis from Trend Micro, as well as “Msconfig” from the cmd terminal, you should be able to isolate the services and startup applications that will impact performance. Running Autoruns from Microsoft is also a highly valuable aid in determining your base system demands on RAM and performance.

It is critical that this check is done before SQL Server is installed. 64-bit SQL Server will scale into all physical memory on the system as needed, and in the process it will translocate other process space into the swap file area. It can be throttled to use only certain RAM levels, but usually this is not necessary. The interaction between SQL Server and physical memory is aggressive, and any RAM errors will cause insurmountable problems for ILookIX.

RAM must be perfectly functioning at all address locations when running SQL server.
