Incident Response at MU: How to collect data from a compromised device
This guide outlines procedures for the effective collection of forensically relevant data from a compromised device in the context of security incident response. The guide applies exclusively to physical servers and workstations. It focuses on Windows and Unix-like operating systems. This is not a general methodological document – the guide is specifically tailored to the internal processes and technical requirements of CSIRT-MU.
When handling an incident involving a compromised device – such as malware deployment or direct attacker access – CSIRT-MU may request varying scopes of data, depending on the type and severity of the incident. The compromised device may serve the attacker as an entry point into the network, a source of data, or a platform for further propagation. The selection of forensic procedures reflects these potential attacker objectives.
a) Basic logs and artifacts
(e.g., running processes, open network connections at the time of data extraction) are sufficient in cases where the cause of the compromise is known or can be reasonably inferred.
b) Full disk image
is required for detailed forensic (in-depth) analysis when the infection vector is unclear, but the compromise of the device has been confirmed.
This guide follows the initial incident assessment performed by CSIRT-MU. The decision on which procedure to apply is made by CSIRT-MU. Administrators shall follow the instructions provided to preserve evidence integrity. After submitting the requested data, administrators must not perform any further actions (such as cleaning the system or reconnecting it to the network) until receiving explicit instructions from CSIRT-MU. The team may also request additional data at a later stage (e.g., a full disk image even after the initial logs have been submitted).
READ CAREFULLY: What to watch out for before and during data extraction!
Below is a summary of the essential rules that must be followed when collecting logs or creating a disk image. Warning: Data on the exposed device may already be compromised – an attacker may have had full access. Do not underestimate the importance of proper data collection and the transfer of outputs to CSIRT-MU. In the case of any uncertainties, please contact csirt@muni.cz.
General Guidelines
- Write Operation: Avoid unnecessary write operations on the compromised device (e.g., running programs, moving files). Such action may affect the integrity of the evidence, as malware often attempts to erase its traces.
- External Storage Devices (ESD): You will need an external medium (e.g., USB flash drive or external hard drive) to store both the forensic tools and the collected data.
-
For log collection: One ESD is sufficient – use it both to run forensic tools and to store the output.
-
For disk imaging: Plan for two ESDs – one smaller device (e.g., a USB drive for booting a Linux environment), and one larger device (an external drive for saving the disk image).
-
- Security of ESDs: If the procedures in this guide are followed, the risk of spreading the infection is minimal. However, it is strongly recommended not to use storage devices containing sensitive data or backups.
- Capacity of ESDs: The ESD used for storing the disk image must have a capacity at least equal to the amount of data on the disk (not necessarily the full disk size, but the occupied space). Even when compression is used, the resulting image is only slightly smaller. Beware of encrypted disks – for these, the ESD must be large enough to hold an image of the entire disk, because encryption typically includes the “empty“ space as part of the encrypted volume. In contrast, for unencrypted disks, only the actual data needs to be imaged. Log collection typically generates relatively small outputs – usually not exceeding 10GB, even on Windows systems.
Specific configurations and software: Inform CSIRT-MU if the compromised device contains specialized software or data that may be relevant to the incident investigation – such as sensitive or scientific data. Also, report whether the device or any of its services is publicly accessible from the internet, or whether it is reachable across the entire MU network (as opposed to being isolated in a restricted segment). The same applies if the device has customized, limited, or non-standard logging configurations.
Requirements for creating a disk image
- Encrypted Disks: If the disk is protected (e.g., with BitLocker), notify CSIRT-MU, prepare the necessary keys (secrets), and coordinate their secure transfer with the CSIRT-MU.
- Scope of Disks and Partitions: Ideally, a complete image of all disks and partitions is required. If this is not feasible (e.g., due to sensitive data or large data volumes), consult CSIRT-MU to determine what can be safely provided. This must be communicated in advance.
- Verifying Connected Disks and Partitions:
- On Windows, you can for example use:
- Press Win + R, enter diskmgmt.msc, and press Enter – this opens Disk Management.
- Open cmd.exe (as administrator) and run the following commands sequentially
-
diskpart
-
list disk
-
- Open This PC (Win + E). Under Devices and drives, you will see the assigned drive letters (C:, D:, etc.), though some hidden/non-system partitions will not be displayed.
- On Linux, you can verify connected disks using the following tools (see example screenshots provided below):
- lsblk
- df -h
- sudo fdisk -l
- On Windows, you can for example use:
a) Collecting logs and other artifacts
In this section, you will collect logs and other data from the compromised device using pre-prepared automated tools in the form of executable binaries. Recommendation: Download the binaries in advance, before performing the actual data extraction, using a clean workstation—ideally one running a different operating system than the compromised device.
⚠️ Warning: Do not install or copy anything onto the compromised device, and if you have not already done so, disconnect it from the internet.
-
Step 1: preparing the KAPE tool
To collect logs from a Windows device, use KAPE, a widely used and field-proven tool for digital forensic analysis. Download the KAPE binary on your workstation. Extract the downloaded KAPE archive to your external storage device, which you will later connect to the infected device.
-
Step 2: running the tool on the compromised device
Connect the ESD to the compromised device and run gkape.exe as an admin. Warning: Disable sleep mode. The device must remain powered on and active throughout the data collection process—do not shut it down or put it to sleep, as this may cause KAPE to freeze and result in a failed collection.
-
Step 3: selecting the source disk
In the Target source field, select the disk from which to collect data—this is typically the system disk C:. If the incident involves additional disks (e.g., those storing applications or data), repeat the process for those disks as instructed by CSIRT-MU.
-
Step 4: setting the target location
In the Target destination field, specify the location on the ESD where the collected data will be saved. You may use the root directory or, preferably, create a subfolder. Never save the output to the compromised disk, to avoid altering the system.
-
Step 5: selecting the data collection profile
In the Targets section of the KAPE user interface, select the SANS_Triage profile. This profile is pre-configured to collect forensically relevant system data and is suitable for incident investigation purposes.
-
Step 6: including shadow copies
Check the Process VSCs option to include Volume Shadow Copies, which may contain valuable historical information.
-
Step 7: configuring the output format
In the Container section, select Zip as the output format and specify a Base name for the resulting file.
-
Step 8: starting the data collection process
Click the Execute button to start data collection. Extraction may take several tens of minutes, depending on the volume of data. During this process, do not shut down or put the device to sleep, as doing so could interrupt the collection and compromise the results.
-
Step 9: sending the output file to CSIRT-MU
Send the KAPE output file (.zip) from your workstation to csirt@muni.cz via the encrypted CESNET FileSender service. Send the password for the archive separately via email.
-
Step 1: downloading the UAC tool
For collecting data from Unix-like systems (Linux, BSD, macOS), we use UAC – Unix-like Artifacts Collector, an open-source tool recommended by the SANS community for incident response and threat hunting. On your clean workstation, download the latest version of the UAC tool from the Releases section of its repository.
-
Step 2: preparing UAC on an external storage device
Extract the downloaded UAC archive to your ESD, which you will then connect to the compromised device.
-
Step 3: running UAC on the compromised device
In the directory containing the UAC executable binary, run the following command, replacing <DESTINATION_PATH> with the path to a directory on the ESD:
sudo ./uac -p ir_triage <DESTINATION_PATH>
Never save the output to the compromised disk—the goal is to avoid modifying the system.
-
Step 4: sending the output file to CSIRT-MU
Send the UAC output file (.zip) from your workstation to csirt@muni.cz via the encrypted CESNET FileSender service. Send the password for the archive separately via email.
b) Creating a disk image
In cases of more extensive incidents, where it is unclear how malware entered the system, collecting logs alone is not enough—it is necessary to acquire a complete disk image. This section describes how to use a bootable Linux ESD and the tools zstd/gzip to create a forensically sound disk image. To capture the image, you must first prepare a bootable medium that allows the device to run outside its regular operating system, providing a safe environment for data acquisition. You will need two ESDs, for example:
- A USB flash drive to create a bootable Linux environment (this guide uses Fedora KDE),
- An external drive with sufficient capacity to hold the entire contents of the target disk (see the section "ESD Size").
⚠️ Warning: Creating the bootable medium will erase and format the USB flash drive (or other ESD). Make sure it contains no important data. Recommendations:
- Prepare the bootable USB flash drive in advance on your workstation.
- Use clean and empty ESDs and securely wipe and format them after use.
- Never save the disk image on the compromised device. The goal is to avoid any write operations or interactions with the system.
- Disable sleep mode—disk imaging may take several hours and must not be interrupted.
Fedora OS recommended,
We recommend using Fedora OS to create the bootable USB. It is a stable and actively maintained Linux distribution with the Fedora Media Writer tool, which makes preparing the USB easy on all major operating systems (Windows, Linux, macOS). This guide is based on Fedora.
but if you don't prefer Fedora,
If you prefer another system, you can prepare a bootable USB using tools like Rufus, Windows: rufus.ie, Ventoy: ventoy.net, all systems: etcher.balena.io). Note that this guide does not cover these tools, as steps may vary.
or if you already have a bootable USB.
If you already have your own bootable USB prepared, you may use it directly. The instructions below explain the disk imaging process itself.
-
Step 1: download Fedora Media Writer
On your workstation, download the installer from the Fedora Project documentation - link here, section Installing and running Fedora Media Writer, and install it.
-
Step 2: start the installation wizard
The application will guide you through the process. On the first screen, select Download automatically.
-
Step 3: select Fedora edition
The main selection allows you to choose one of the default Fedora editions - Fedora Workstation or Server. Choose Fedora KDE Plasma Desktop, as the default GNOME for the previous options may be unintuitive.
-
Step 4: configure the distribution and target device
On the last screen, select the distribution version (e.g. Fedora 38, 39, etc.) and architecture (x86, ARM, etc.). At this stage, it is crucial to select the USB Drive from which to create the boot media. Leave the other settings as default and click on Download & Write.
-
Step 5: create the bootable USB
Once the download completes, the tool will write the bootable image. You may be prompted for your root or sudo password to authorize the process.
-
Step 6: finalize and connect to the compromised device
When the process finishes, click Finish, close Fedora Media Writer, eject the USB disk, and connect it to the compromised device.
-
Step 1: boot the device from the USB medium
Insert the bootable USB into the compromised device and enter the BIOS/UEFI using the appropriate key (typically F2, F12, or Del).
-
Step 2: select USB as boot device
From the boot menu, select the USB drive as the boot device and allow the system to start. If prompted to install an OS, close that window and proceed directly to the desktop environment. Do not install the operating system!
-
Step 3: identify the disks on the target device
If necessary, use the command line to view mounted disks and partitions with tools such as:
- lsblk
- df -h
- sudo fdisk -l
If using Fedora KDE, you may also utilize the graphical KDE Partition Manager.
-
Warning: Internet access and compression tool choice!
For disk imaging, we recommend using zstd, which is faster and more efficient than traditional gzip. Since zstd is not included by default in Fedora (as of this guide’s publication), you may need to install it manually.
- Option A – Device can be temporarily connected to the internet:
If possible, connect the device briefly and install zstd:
$ sudo dnf install zstd
This significantly speeds up imaging. If standard precautions are followed, temporary internet access poses minimal risk.
- Option B – Device cannot be connected to the internet:
If no internet connection is possible, use gzip, which is included by default.
Security Note: If your primary concern is the risk of compromise during internet access, we emphasize that when performed correctly and within a limited timeframe, the risk is minimal. Consider using zstd for better performance.
- Option A – Device can be temporarily connected to the internet:
-
Step 4: mount the external disk
If the external disk that will store the output disk image of the infected device is not automatically mounted, it must be manually mounted. On a Fedora system, you can do the following:
$ mkdir /mnt/ex_disk$ sudo mount -o rw /dev/sdX /mnt/ex_disk
Replace sdX with the correct disk identifier (e.g., sdc, sdd). This will mount the disk to /mnt/ex_disk with read-write access
-
Step 5: create a compressed disk image
Use zstd (or gzip) to copy the entire disk:
$ zstd –1v </PATH_ORIGIN_DISK >/PATH_PLACE_TO_WRITE/disk.zst
- –1v: minimal compression level (19 = slowest, 1 = fastest)
- –v: verbose mode
- </PATH_ORIGIN_DISK: the source disk from which the image is created (e.g. /dev/sda)
- >/PATH_PLACE_TO_WRITE/disk.zst: writes the compressed output to the disk.zst file in the specified location (PATH_PLACE_TO_WRITE), e.g. a folder with an external disk mount
For gzip, the command is:
$ gzip –n </PATH_ORIGIN_DISK >/PATH_PLACE_TO_WRITE/disk.gz
- –n: sets the compression level (1 = fastest, 9 = highest quality), for the purposes of this tutorial feel free to select -1
- PATH_ORIGIN_DISK a PATH_PLACE_TO_WRITE: same as for zstd, but for gzip the default format is .gz
So, for example, the command: $ zstd -1v </dev/sda >/mnt/ex_disk/test_disk.zst copies the /dev/sda disk to the attached external disk through the /mnt/ex_disk/ folder as a compressed ttest_disk.zst file The same thing you would do with gzip by using the command: $ gzip –1 </dev/sda >/mnt/ex_disk/test_disk.gz
The commands work the same for partitions, just replace /dev/sda with the partition name.
-
Step 6: safely unmount the exteranl disk
Once the image is created, safely unmount the external disk:
$ sudo unmount /mnt/ex_disk
Alternatively, use Safely Remove from the graphical interface. Removing the disk without unmounting may result in incomplete or corrupted images. -
Step 9: sending the output file to CSIRT-MU
Send the compressed disk image file (e.g., test_disk.zst or test_disk.gz) from your workstation to csirt@muni.cz via the encrypted CESNET FileSender service. Send the password for the archive separately via email.
-
Step 8: disable sleep mode
Since it can take hours to create a disk image for larger disks, you may find it useful to disable the sleep mode available directly in the panel when using our tutorial with Fedora KDE:
- On laptops: click the battery icon.
- On desktops: click the “⌃” icon for hidden icons and select Power Management.
Summary
Accurately and safely collecting data from a compromised device is critical for a successful forensic analysis and incident resolution. This guide outlines proven steps to acquire data without compromising evidence integrity, following CSIRT-MU procedures. Strict adherence to each step minimizes the risk of evidence contamination, data loss, or spreading malware to other systems. For any uncertainties, promptly contact the CSIRT-MU team for tailored guidance. This guide serves not only as technical support but also as a tool to uphold the integrity of forensic investigations within the university infrastructure.