Live Data Collection from Windows System
PowerPoint Slideshow about 'jeiLiveDataCollectionfromWindowsSystem' - HarrisCezar
Presentation Transcript
Outline
  • Preface
  • Creating a Response Toolkit
  • Storing Information Obtained during the Initial Response
  • Obtaining Volatile Data
  • Performing an In-Depth Live Response
Preface
  • The goal of an initial response:
    • Confirm there is an incident
    • Retrieve the system’s volatile data
  • OS:
    • Windows NT/2000/XP
Outline (section: Creating a Response Toolkit)
What is important
  • Don’t affect any potential evidence
    • Prepare a complete response toolkit
  • A live investigation is not the time to create or test your toolkit for the first time!!!
Preparing the Toolkit
  • Label the response toolkit media
    • Case number
    • Time and date
    • Name of the investigator who created the response media
    • Name of the investigator using the response media
Preparing the toolkit
  • Check for dependencies with Filemon
    • Determine which DLLs and files your response tools depend on
  • Create a checksum for the response toolkit
    • md5sum
  • Write-protect any toolkit floppies
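The checksum step above is worth doing in a way that can be re-run before every response, so that a tool that was modified, removed from or added to the media is caught before it touches a target. The script below is an added example, not part of the slides or of any tool they mention; it uses Python on the forensic workstation, the function names are its own, and the manifest is assumed to live outside the toolkit directory (otherwise it would show up as an unexpected file on verification).

```python
import hashlib
import json
import os
from pathlib import Path


def file_md5(path):
    """Hex MD5 of one file, read in chunks so large tools are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(toolkit_dir):
    """Walk the toolkit media and record a checksum for every file on it.

    Keys are paths relative to the media root with forward slashes, so the
    manifest is the same whether it was written on Windows or Unix."""
    root = Path(toolkit_dir)
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): file_md5(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def write_manifest(toolkit_dir, manifest_path):
    """Create the manifest once, when the media is built and labelled."""
    manifest = build_manifest(toolkit_dir)
    Path(manifest_path).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_toolkit(toolkit_dir, manifest_path):
    """Compare the media against the stored manifest.

    Returns (ok, modified, missing, unexpected): a changed binary, a tool that
    disappeared, and a file that was never part of the kit are all reported,
    because any of them means the media is no longer the one that was tested."""
    expected = json.loads(Path(manifest_path).read_text())
    actual = build_manifest(toolkit_dir)
    modified = sorted(n for n in expected if n in actual and actual[n] != expected[n])
    missing = sorted(n for n in expected if n not in actual)
    unexpected = sorted(n for n in actual if n not in expected)
    ok = not (modified or missing or unexpected)
    return ok, modified, missing, unexpected


if __name__ == "__main__":
    # Constructed demo kit: two placeholder files standing in for trusted tools.
    import tempfile
    work = Path(tempfile.mkdtemp())
    kit = work / "toolkit"
    kit.mkdir()
    (kit / "cmd.exe").write_bytes(b"trusted cmd placeholder")
    (kit / "pslist.exe").write_bytes(b"pslist placeholder")
    write_manifest(kit, work / "manifest.json")
    print(verify_toolkit(kit, work / "manifest.json"))
```

Store the manifest (and a printed copy in the case notebook) with the labelled media, and re-run `verify_toolkit` from a clean workstation each time the kit is taken out; the write-protect tab stops accidental writes, the manifest proves nothing changed.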
Outline (section: Storing Information Obtained during the Initial Response)
Prelim
  • “live”: the system is powered on
  • Four options for where to store the information retrieved from a live system:
    • The hard drive of the target system
    • In a notebook
    • Response floppy disk or other removable media
    • Remote forensic system using netcat or cryptcat
Transferring Data with netcat
  • Two advantages
    • Get on and off the target system quickly
    • Perform an offline review
Transferring Data with netcat
  • Figure: NT System on the left, Forensic System on the right; the trusted commands run on the NT system are time, date, loggedon, fport, pslist and nbtstat -c
    • 1: Run trusted commands on NT Server
    • 2: Send output to forensics box via netcat
    • 3: Perform off-line review; md5sum output files
Transferring Data with netcat
  • Forensic workstation
  • Target system
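Both sides of the exchange in the figure above, as an added example that is not from the slides: the forensic workstation listens (the role of `nc -l -p PORT > file`), the target pushes a tool's output and closes the connection (the role of `pslist | nc FORENSIC_IP PORT`), and the listener hashes what it wrote to disk so it can be compared with the hash the responder noted on the target. It is written in Python rather than with netcat itself so the whole round trip can be run on one machine; the function names are its own, the loopback address and port 0 (pick any free port) are assumptions for local use, and the pslist output is a constructed sample, not captured from any system.

```python
import hashlib
import socket
import threading
from pathlib import Path

# Constructed sample of what a trusted pslist run might print on the target.
SAMPLE_PSLIST = (
    b"Name      Pid Pri Thd  Hnd   Priv\r\n"
    b"Idle        0   0   1    0      0\r\n"
    b"System      8   8  33  211      0\r\n"
    b"smss      148  11   6   33    164\r\n"
)


def start_receiver(out_path, listen_host="127.0.0.1", port=0):
    """Forensic-workstation side, equivalent to `nc -l -p PORT > out_path`.

    Binds right away so the caller knows the port before the target sends,
    then accepts one connection in a background thread and writes every byte
    received to out_path until the sender closes. Returns (port, wait), where
    wait() blocks until the transfer is done and returns the receipt record."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((listen_host, port))
    srv.listen(1)
    chosen_port = srv.getsockname()[1]
    result = {}

    def run():
        conn, peer = srv.accept()
        digest = hashlib.md5()
        size = 0
        with conn, open(out_path, "wb") as f:
            while True:
                chunk = conn.recv(65536)
                if not chunk:  # sender closed its write side: the transfer is complete
                    break
                f.write(chunk)
                digest.update(chunk)
                size += len(chunk)
        srv.close()
        result.update(md5=digest.hexdigest(), size=size, peer=peer[0])

    thread = threading.Thread(target=run, daemon=True)
    thread.start()

    def wait(timeout=30):
        thread.join(timeout)
        return dict(result)

    return chosen_port, wait


def send_output(host, port, data):
    """Target side, equivalent to `command | nc HOST PORT`: stream the bytes and
    shut down the write side so the listener sees EOF. Returns the MD5 of what
    was sent, the value the responder records in the notebook."""
    with socket.create_connection((host, port)) as s:
        s.sendall(data)
        s.shutdown(socket.SHUT_WR)
    return hashlib.md5(data).hexdigest()


def transfer_and_verify(data, out_path, host="127.0.0.1"):
    """Run both ends locally and check that the file on disk matches what was sent."""
    port, wait = start_receiver(out_path, listen_host=host)
    sent_md5 = send_output(host, port, data)
    received = wait()
    return {
        "sent_md5": sent_md5,
        "received_md5": received.get("md5"),
        "match": sent_md5 == received.get("md5"),
        "size": received.get("size", 0),
    }


if __name__ == "__main__":
    import tempfile
    out = Path(tempfile.mkdtemp()) / "pslist.txt"
    print(transfer_and_verify(SAMPLE_PSLIST, out))
```

The listener starts before the target sends and the sender closes its write side when done, which is the ordering the netcat version needs as well; the only state left on the target is the tool's own execution, and the hash comparison is what turns "the file arrived" into "the file arrived intact".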
Encrypting Data with cryptcat
  • Has the same syntax and functions as the netcat command
    • A sniffer on the network cannot read the information you obtain
    • Eliminates the risk of contamination or injection of data
  • Two-man integrity rule
Outline (section: Obtaining Volatile Data)
Collect the important information
  • At minimum, volatile data prior to forensic duplication
    • System date and time
    • A list of the users who are currently logged on
    • Time/date stamps for the entire file system
    • A list of the currently running processes
    • A list of the currently open sockets
    • The applications listening on open sockets
    • A list of the systems that have current or had recent connections to the system
Collecting Volatile Data
  • Top-ten list of the steps to use for data collection
    • Execute a trusted cmd.exe
    • Record the system time and date
    • Determine who is logged in to the system (and remote-access users, if applicable)
      • PsLoggedOn
      • rasusers
    • Record modification, creation, and access times of all files
      • dir /? (the /t:w, /t:c and /t:a switches select last-write, creation and last-access times)
Collecting Volatile Data
  • Determine open ports
    • netstat
  • List applications associated with open ports
    • Fport
      • winpop.exe: Netbus trojan
      • windll.exe: GirlFriend trojan
  • List all running processes
    • Pslist
  • List current and recent connections
    • netstat
    • arp
    • nbtstat
Collecting Volatile Data
  • Record the system time and date
    • Sandwich your data-retrieval commands between time and date commands
  • Document the commands used during initial response
    • doskey /history
  • Scripting your initial response
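One way to script the collection steps listed above so that every tool is sandwiched between two clock readings, its output is hashed as soon as it is captured, and the exact command lines are logged (what `doskey /history` gives you interactively). This is an added example and not the slides' own script; it is Python rather than a batch file so it can be run and checked anywhere, the function names are its own, and the two demo commands are constructed stand-ins for trusted tools such as pslist.exe and netstat from the toolkit media.

```python
import hashlib
import subprocess
import sys
from datetime import datetime, timezone
from pathlib import Path


def timestamp():
    """Clock reading in UTC; the target's own date/time output is still recorded
    separately so any clock skew is documented."""
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")


def run_sandwiched(commands, out_dir):
    """Run each (label, argv) pair, bracketing it with a start and end timestamp.

    For every tool the output goes to out_dir/<label>.txt, its MD5 is recorded,
    and a line is appended to out_dir/commands.log documenting what was run and
    when. A tool that is missing or hangs is recorded, not skipped, so the log
    still shows the responder tried it. Returns the list of per-command records."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    records, log_lines = [], []
    for label, argv in commands:
        started = timestamp()  # the "date / time" before the tool
        try:
            proc = subprocess.run(argv, capture_output=True, timeout=300)
            stdout, stderr, rc = proc.stdout, proc.stderr, proc.returncode
        except (OSError, subprocess.SubprocessError) as exc:
            stdout, stderr, rc = b"", str(exc).encode(), None
        finished = timestamp()  # the "date / time" after the tool
        path = out / f"{label}.txt"
        path.write_bytes(stdout)
        digest = hashlib.md5(stdout).hexdigest()
        record = {
            "label": label,
            "argv": list(argv),
            "started": started,
            "finished": finished,
            "returncode": rc,
            "bytes": len(stdout),
            "md5": digest,
            "output_file": str(path),
            "stderr": stderr.decode(errors="replace"),
        }
        records.append(record)
        log_lines.append(
            f"{started}  {' '.join(argv)}  -> {path.name}  "
            f"md5={digest}  rc={rc}  finished={finished}"
        )
    (out / "commands.log").write_text("\n".join(log_lines) + "\n")
    return records


# Constructed stand-ins for trusted tools. On a real NT/2000 response these
# would be the toolkit binaries, e.g. [r"e:\trusted\pslist.exe"] (assumed path).
DEMO_COMMANDS = [
    ("pslist", [sys.executable, "-c",
                "import sys; sys.stdout.buffer.write(b'Name Pid\\nsmss 148\\n')"]),
    ("netstat", [sys.executable, "-c",
                 "import sys; sys.stdout.buffer.write(b'TCP 0.0.0.0:139 LISTENING\\n')"]),
]

if __name__ == "__main__":
    import tempfile
    for rec in run_sandwiched(DEMO_COMMANDS, tempfile.mkdtemp()):
        print(rec["started"], rec["label"], rec["md5"], rec["finished"])
```

Point `out_dir` at the response media or pipe the files to the forensic workstation rather than at the target's own disk, and keep `commands.log` with the case notes: the timestamps establish when each snapshot was taken and the hashes tie each output file to that moment.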
Outline (section: Performing an In-Depth Live Response)
Don’t affect your system
  • Find evidence and properly remove rogue programs without disrupting any services
Collecting Live Response Data
  • Two key sources of evidence on Windows NT/2000
    • The event logs
    • The Registry
  • Four approaches that obtain quite a bit of information
    • Review the event logs
    • Review the Registry
    • Obtain system passwords
    • Dump system RAM
Review the event logs
  • auditpol
  • NTLast
  • dumpel
Review the Registry
  • regdump
    • Create an enormous text file of the Registry
  • reg query
    • Extract just the Registry key values of interest
Obtaining System Passwords
  • pwdump3e
    • Dump the passwords from the Security Accounts Manager (SAM) database
Dumping System RAM
  • userdump.exe (MS OEM Support Tools)
  • Two types of memory
    • User mode (application) memory
    • Full-system memory