
Responder in Windows 'Safe Mode'

XDR Forensics Responder can now run in Safe Mode, allowing forensic acquisition and remote tasking on assets booted into that restricted state. To keep full functionality, including task execution from the XDR Forensics Console, the registry modifications below must be applied before the asset enters Safe Mode: Windows starts only the services and drivers listed under its SafeBoot registry keys, so an unregistered Responder service will not load.

Enabling XDR Forensics Responder in Safe Mode

Before booting into Safe Mode, run the following commands from an elevated command prompt to register the XDR Forensics Responder service under both Safe Mode profiles (Minimal and Network):

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Cisco.Forensics.Responder.Service" /VE /T REG_SZ /D "Service" /F

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cisco.Forensics.Responder.Service" /VE /T REG_SZ /D "Service" /F

Booting into Safe Mode with Networking can also be selected from the Windows UI: run msconfig to open the System Configuration window, and on the Boot tab choose Safe boot with the Network option. This only sets the boot option for the next restart; it does not create the SafeBoot service entries above, which still have to be applied so that the Responder service is loaded:

Responder in Windows 'Safe Mode': Boot Options

These registry entries ensure the XDR Forensics Responder Service is recognized and loaded in Safe Mode.
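
The same registration, done from PowerShell with a verification step, as an added example that is not part of the Cisco documentation or the Responder product. It assumes an elevated session and that the service name used below matches the service's own key under HKLM\SYSTEM\CurrentControlSet\Services; the function names are illustrative.

```powershell
# Added example (not Cisco's code): register a service for both Safe Mode
# profiles and verify the entries, equivalent to the two REG ADD lines above.
# Assumptions: elevated PowerShell; $ServiceName is the service's registry
# key name under HKLM\SYSTEM\CurrentControlSet\Services.
#Requires -RunAsAdministrator

function Register-SafeBootService {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [string[]] $Modes = @('Minimal', 'Network')
    )

    # A SafeBoot entry is keyed by the service's registry name; an entry for a
    # name that is not installed under ...\Services does nothing, so fail early.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    if (-not (Test-Path $svcKey)) {
        throw "Service '$ServiceName' is not installed ($svcKey missing); install it first."
    }

    foreach ($mode in $Modes) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$ServiceName"
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # The key's default value must be the string "Service" (REG ADD ... /VE /D "Service").
        Set-ItemProperty -Path $key -Name '(default)' -Value 'Service' -Type String
    }
}

function Test-SafeBootService {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,
        [string[]] $Modes = @('Minimal', 'Network')
    )
    foreach ($mode in $Modes) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode\$ServiceName"
        $default = $null
        if (Test-Path $key) {
            $default = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
        }
        [pscustomobject]@{
            Mode       = $mode
            Key        = $key
            Registered = ($default -eq 'Service')
            Default    = $default
        }
    }
}

$svc = 'Cisco.Forensics.Responder.Service'
Register-SafeBootService -ServiceName $svc
$status = Test-SafeBootService -ServiceName $svc
$status | Format-Table -AutoSize
if ($status.Registered -contains $false) {
    Write-Error "Safe Mode registration incomplete; do not reboot into Safe Mode yet."
}
```

Run this before the reboot, not after: once the asset is in Safe Mode the service control manager will not start a service that is missing from the SafeBoot list for the active profile, so the verification table is the last point at which a missing entry can be fixed without another reboot.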

Safe Mode with Networking

  • If a machine enters Safe Mode with Networking, the XDR Forensics Responder will continue operating as expected, maintaining communication with the XDR Forensics Console.

Safe Mode (Without Networking)

  • The XDR Forensics Responder cannot communicate with the console if networking is unavailable unless an off-network package is used for forensic acquisitions.

Remote Task Execution

  • Without the registry modifications, the XDR Forensics Console cannot issue remote tasks to the assets in Safe Mode.
  • Adding the registry keys before booting into Safe Mode ensures that Responder and interACT remain functional.

Manual Execution in Safe Mode (Not Recommended)

  • If the registry modifications are not applied and the XDR Forensics Responder does not load, users can manually execute AIR.exe after entering Safe Mode to establish a temporary connection.
  • However, this approach is not recommended due to potential inconsistencies and administrative overhead.

By proactively applying the recommended registry changes, organizations can ensure seamless forensic investigations even when assets are booted in Safe Mode.
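
A triage script for an asset that is already in Safe Mode, added here as an example rather than taken from the Cisco documentation. It reports which Safe Mode profile is active, whether the Responder service is registered for that profile and running, and whether the console can be reached at all; the service name and function names are assumptions.

```powershell
# Added example (not Cisco's code): explain why Responder is or is not running
# on an asset that is already booted into Safe Mode.
# Assumption: Responder runs as the Windows service named in $ServiceName.

function Get-SafeBootState {
    # Windows sets SAFEBOOT_OPTION to 'Minimal' or 'Network' only in Safe Mode;
    # Win32_ComputerSystem.BootupState reports the same from CIM as
    # 'Normal boot', 'Fail-safe boot' or 'Fail-safe with network boot'.
    $option = $env:SAFEBOOT_OPTION
    $bootup = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    [pscustomobject]@{
        SafeMode    = [bool]$option
        Mode        = $option        # $null when booted normally
        Networking  = ($option -eq 'Network')
        BootupState = $bootup
    }
}

function Test-ResponderInSafeMode {
    param([string] $ServiceName = 'Cisco.Forensics.Responder.Service')

    $state = Get-SafeBootState
    if (-not $state.SafeMode) {
        return "Not in Safe Mode ($($state.BootupState)); nothing to check."
    }

    # Only the entry for the active profile matters for this boot.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$($state.Mode)\$ServiceName"
    $registered = (Test-Path $key) -and
        ((Get-ItemProperty -Path $key).'(default)' -eq 'Service')
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    $findings = @("Safe Mode profile: $($state.Mode) (networking: $($state.Networking))")
    if (-not $registered) {
        $findings += "SafeBoot\$($state.Mode) entry for '$ServiceName' is missing: the service control manager" +
                     " will not start it in this boot. Register it before the next Safe Mode boot," +
                     " or fall back to running AIR.exe manually (not recommended)."
    }
    if ($null -eq $svc) {
        $findings += "Service '$ServiceName' is not installed on this asset."
    } elseif ($svc.Status -ne 'Running') {
        $findings += "Service '$ServiceName' is $($svc.Status)."
    } else {
        $findings += "Service '$ServiceName' is running."
    }
    if (-not $state.Networking) {
        $findings += "No networking in this profile: the console cannot reach Responder;" +
                     " use an off-network package for acquisition."
    }
    return $findings
}

Test-ResponderInSafeMode
```

The script deliberately does not try to start the service or launch AIR.exe: in Safe Mode the registration cannot be retrofitted for the current boot, so the useful output is the list of findings that tells the responder whether to reboot with the keys applied or to switch to an off-network acquisition.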

Related: Windows Recovery Environment (WinRE)

For systems that cannot boot normally, off-network Responders can also operate in offline mode within Windows Recovery Environment (WinRE) to collect evidence such as registry hives, event logs, and file artifacts. For more details, see Evidence Collection in Windows Recovery Environment.