
Digital Smoke: The Art of Incident Response


By Al Lewis
Director of Forensic Development & Services
MacForensicsLab Incorporated


Law enforcement officers seek to locate the proverbial smoking gun as a means to close each investigation. The smoking gun is the one item that proves, without a doubt, the party responsible for the crime. In the cyber world, the computer is analogous to the gun. Therefore forensic examiners have naturally focused their considerable skills on possessing the computer, rather than capturing the data. In doing so, these examiners taught the necessity of pulling the plug on the computer to minimize altering any potential evidence. Pulling the plug is no longer a sustainable preference. In fact, given the modern threat environment, pulling the plug on a running system that is not actively destroying data borders on malfeasance. The data that is lost when pulling the plug can be the difference between catching the criminal and having him walk free. The gun, or computer in this case, may not contain any bullets once the power is off, so catching the smoke (volatile data) may be the only way to identify exactly what was occurring during the crime. In today's investigations the smoke is often more important than the gun. This is the art of incident response, and when done correctly, the smoke may end up blowing right back into the criminal's face.

Digital Smoke

By understanding the threat environment, defining and identifying the characteristics of incident response, and discussing appropriate response strategies, this article will demonstrate that appropriate incident response is imperative to modern investigations. In essence, this article will discuss how to catch the smoke from a gun.

The Threat Environment
The combination of complex communication networks, anti-forensic tools, encryption and criminals willing to do anything to avoid capture defines the modern threat environment. Indeed, it has never been easier for these criminals to hide their nefarious acts, making incident response more important than ever.

Definition of Incident Response
It is obvious, given the threat environment, that the accepted forensic process of pulling the plug has become increasingly damaging to the investigation. Therefore it is important to clearly define what constitutes incident response. For the purpose of this article, incident response is defined as those actions taken, on a running computer, by the investigator, focused on stopping destructive activity, obtaining volatile information, and preparing the machine for further forensic examination.

Characteristics of Incident Response
Incident Response is characterized by a dynamic environment that requires a higher level of skill to successfully negotiate and, given the ever diminishing nature of the data concerned, presents the best chance of obtaining data critical to the investigation. Furthermore, the proliferation of computing technologies has made it impossible for highly trained computer forensic examiners alone to respond to every digital crime scene, leaving the responder who does arrive undertrained for the mission. The combination of environmental complexity and nontechnical responders is a recipe for disaster without the proper planning.

The Scene
Law enforcement officers will face one of the following scenes during their duties: the computer is running, the computer is in a suspended state, or the computer is off. Furthermore, there are categories defining the state of the running computer: the computer is performing intentionally destructive activity, the computer is performing unintentionally destructive activity, or the computer is running normally. There are additional considerations for modern law enforcement officers as well: encryption, remote shares, networked devices, wireless access points, alias commands, booby traps, and more. All these considerations combine to make the scene a complex, uncertain environment for the responder.

Response Strategies
It is imperative that some form of incident response be performed on scene whenever there is a running computer. As such, broad guidelines can be established. Assuming officer safety has been accounted for, an on-scene assessment must be made to determine the requisite course of action. This is similar to emergency medical personnel arriving on the scene of an accident. The medical personnel use the ABC (airway, breathing and circulation) acronym to assess injuries and establish priorities of work. In the digital crime scene, the priority of work is centered on preserving potential evidence. By following the acronym STU, responders to the digital crime scene now have an approach to effectively control the scene. STU stands for Stop destructive activity, Take volatile data and Unplug the system for removal to a lab for further analysis.

The actions the responder takes to stop the destructive activity depend on the type of destructive activity. If the destruction is intentional, the only viable option may be to pull the plug on the system. If the destructive activity is unintentional, it may be as simple as stopping a running process, removing a network cable or even removing liquid spilled on the computer. Once the destructive activity has been stopped, and if the computer is still running, the responder has a chance to capture the volatile data.

Capturing volatile data on a system can be accomplished manually or through automated tools. By comparison, manually capturing volatile data represents a much higher risk as it is prone to typing and user errors, has a greater effect on the digital crime scene and takes substantially longer to perform. Automated tools provide the best chance for successfully capturing volatile data in the digital crime scene. The best example of an automated incident response tool is MacLockPick. MacLockPick is the only cross-platform tool designed with a plug-in architecture to allow for variations on the scene and the expanding needs of an organization. For additional details concerning MacLockPick visit (

It should be made clear that although the volatile data is extremely important, it may not represent a complete picture of the digital crime scene. As such, the computer must be unplugged and moved to a forensic laboratory for detailed analysis.

Responding to the Live Macintosh Computer

As previously mentioned, there are commonalities when responding to running computers, regardless of operating system. However, the differences can be enough to stop the investigation dead in its tracks. There are several features to consider when approaching a Macintosh computer: the keychain, FileVault, the kernel and disk arbitration are some of the most important features unique to the Macintosh.

The Keychain
Macintosh computers take a centralized approach to password management. Passwords are managed through a keychain. A user can have an unlimited number of keys. The login keychain is the default and as such opens upon user login. Furthermore, the keychain remains unlocked while the user is logged in, granting access to all keys in the keychain. These default settings must be explicitly changed by the user. The ability to access the keychain and all the passwords it holds is one of the primary goals of responders to a Macintosh system.

FileVault
Macintosh computers running Mac OS X can turn on FileVault. FileVault is a program that encrypts a user's home folder using 128-bit encryption. By default, all data generated by a particular user is stored in their user folder. Once FileVault is enabled, it requires a Master Password to be set for the user. The Master Password allows the user to unlock the FileVault container, which is seen only as a sparse image. If the Macintosh is running FileVault and the responder pulls the power on the computer without knowing the password, the user folder will become completely inaccessible to the forensic examiner.

The Kernel
Mac OS X is a fully compliant UNIX operating system. As such, there are a myriad of processes, logs and scripts running at any given time. Furthermore, the responder has access to these directly through the built-in Terminal application. It is important to appreciate that UNIX systems have scheduled maintenance operations controlled by cron and that these operations can inadvertently destroy data that may be of consequence in the investigation. Therefore, timely response to the system is paramount. Additionally, Mac OS X has a wide variety of logs containing critical information pertaining to the system, networks, connections, and more. The default shell for Mac OS X (10.4 and higher) is bash. In previous versions of Mac OS X the default shell is tcsh. The default shell is important to the responder who uses the Terminal application to gather critical data, as each shell has its own set of commands and capabilities.

Disk Arbitration
The Disk Arbitration service is run by the Disk Arbitration Daemon. This daemon attempts to automatically mount any device attached to the computer. By default, all devices mounted by the Disk Arbitration Daemon are mounted on the Desktop. As a responder, it is vital to observe the Desktop for any devices mounted there. Equally important, any device the responder attempts to connect to the system will be mounted unless the Disk Arbitration Daemon issue is adequately addressed. The responder may choose to ignore Disk Arbitration, allowing it to run as designed, and opt to account for any devices mounted by the responder by means of investigative notes.

These Mac-specific features provide the responder powerful tools to perform a manual analysis and allow the automated tools such as MacLockPick to perform an in-depth data capture. Regardless of these unique features, the responder should still follow the STU process as it is operating system and environment neutral.


As the world of technology continues to alter society, the digital crime scene bends with it. The increasingly complex communications networks and remote storage have made locating and preserving data challenging. Specifically, the type, location and state of data have made the art of Incident Response arguably more important than the follow-on forensic examination. As such, every organization should consider incident response the first critical step in the forensic process, rather than a token procedure that can be skipped based on the incorrect assumption that they can gain access to the data later. Organizations that embrace incident response, follow the STU process and seek to employ automated tools such as MacLockPick will have the best chance of catching the smoke from the gun and making major steps forward in combating cybercrime.

Al Lewis is the Director of Forensic Development & Services for MacForensicsLab Incorporated and a professor at Marymount University in Arlington, Virginia where he teaches Cybercrime and Digital Terrorism. Previously, Mr. Lewis was a Senior Special Agent for the US Treasury Department. Prior to that he served as an Electronic Crimes Special Agent Program (ECSAP) agent with the US Secret Service responsible for cyber-based investigations and computer forensics.