Live data collection from windows system
PowerPoint Slideshow about 'jeiLiveDataCollectionfromWindowsSystem' - HarrisCezar


Presentation Transcript

Outline

  • Preface

  • Creating a Response Toolkit

  • Storing Information Obtained during the Initial Response

  • Obtaining Volatile Data

  • Performing an In-Depth Live Response



Preface

  • The goal of an initial response:

    • Confirm there is an incident

    • Retrieve the system’s volatile data

  • OS:

    • Windows NT/2000/XP


Section: Creating a Response Toolkit

What is important

  • Don’t affect any potential evidence

    • Prepare a complete response toolkit

  • A live investigation is not the time to create or test your toolkit for the first time!!!




Preparing the Toolkit

  • Label the response toolkit media

    • Case number

    • Time and date

    • Name of the investigator who created the response media

    • Name of the investigator using the response media


Preparing the Toolkit

  • Check for dependencies with Filemon

    • Determine which DLLs and files your response tools depend on

  • Create a checksum for the response toolkit

    • md5sum

  • Write-protect any toolkit floppies
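The deck asks for a checksum of the response toolkit but does not show how the checksum is used afterwards. The following is an added example, not code from the slides: it builds an MD5 manifest of every file on the toolkit media when the media is created and verifies the media against that manifest before it is used on a live system, reporting modified, missing and unexpected files. The manifest layout (`hash  relative/path`) is the one `md5sum` writes, so either tool can check it. Directory and file names are assumptions for illustration.

```python
# Added example (not from the slides): build an MD5 manifest for the response
# toolkit when the media is made, and verify the media against it before use.
import hashlib
from pathlib import Path
from typing import Dict, List


def md5_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Hex MD5 of one file, read in chunks so large tools do not sit in memory."""
    digest = hashlib.md5()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(toolkit_dir: Path) -> Dict[str, str]:
    """Map every regular file under toolkit_dir (path relative to the root) to its MD5.

    Hashing the whole tree means the DLLs that Filemon showed a tool depends on
    are covered too, provided they were copied onto the media with the tool.
    """
    root = Path(toolkit_dir)
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = md5_file(path)
    return manifest


def write_manifest(manifest: Dict[str, str], out_path: Path) -> None:
    """Write 'hash  relative/path' lines, the layout md5sum -c also understands."""
    with Path(out_path).open("w", encoding="utf-8") as fh:
        for rel, digest in manifest.items():
            fh.write(f"{digest}  {rel}\n")


def read_manifest(path: Path) -> Dict[str, str]:
    """Parse a file written by write_manifest (or by md5sum) back into a dict."""
    manifest: Dict[str, str] = {}
    with Path(path).open("r", encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def verify_toolkit(toolkit_dir: Path, manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the media matches the manifest.

    Three failure modes are reported: a file whose hash changed, a file the
    manifest lists but the media lacks, and a file on the media that the
    manifest never recorded (added after the checksum was taken).
    """
    current = build_manifest(toolkit_dir)
    problems: List[str] = []
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            problems.append(f"missing: {rel}")
        elif actual != expected:
            problems.append(f"modified: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in current if rel not in manifest)
    return problems
```

Keep the manifest off the toolkit media itself (on the write-protected label copy or in the case notes), otherwise anyone who can alter a tool can alter the manifest with it; `verify_toolkit` returning an empty list is the check to run before the media touches a target.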


Section: Storing Information Obtained during the Initial Response

Prelim

  • “live”: the system is powered on

  • Four options for where to store the information retrieved from a live system

    • The hard drive of the target system

    • In a notebook

    • Response floppy disk or other removable media

    • Remote forensic system using netcat or cryptcat


Transferring Data with netcat

  • Two advantages

    • Get on and off the target system quickly

    • Perform an offline review


Transferring Data with netcat

  [Diagram: NT System on the left, Forensic System on the right. The trusted commands run on the NT System are time, date, loggedon, fport, pslist and nbtstat -c.]

  1: Run trusted commands on NT Server

  2: Send output to forensics box via netcat

  3: Perform off-line review; md5sum the output files


Transferring Data with netcat

  • Forensic workstation

  • Target system
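The three-step exchange above, with both sides shown, as an added example that is not part of the slides: the forensic-workstation side is a listener that saves each tool's output to its own file and hashes it on receipt (the `nc -l -p PORT > file` plus `md5sum` pair in one step), and the target side is a stand-in for `trusted_tool | nc forensic_host port` that sends bytes and closes. The sample tool outputs are constructed, and the exchange runs over the loopback so it can be tried offline; on a real response the sender is the trusted tool on the NT system and the listener's IP is the forensic workstation's.

```python
# Added example, not from the slides: the forensic-workstation listener and a
# stand-in for the target side of "trusted_tool | nc forensic_host port",
# run on the loopback so the three-step exchange can be tried offline.
import hashlib
import socket
import threading
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict

# Constructed sample tool output standing in for what the NT system would send.
SAMPLE_OUTPUTS: Dict[str, bytes] = {
    "date": b"The current date is: Tue 01/14/2003\r\n",
    "time": b"The current time is: 22:15:07.23\r\n",
    "pslist": b"Name     Pid Pri Thd Hnd\r\nSystem     8   8  39 214\r\n",
}


def receive_one(listener: socket.socket, out_dir: Path, name: str) -> Dict[str, str]:
    """Accept one connection, save everything sent to out_dir/name.txt, record its MD5.

    This is "nc -l -p PORT > name.txt" followed by "md5sum name.txt" in one step:
    the hash is taken the moment the file is written, so the later off-line
    review can show the output has not changed since it left the target.
    """
    conn, peer = listener.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(65536)
            if not data:          # sender closed: end of this tool's output
                break
            chunks.append(data)
    payload = b"".join(chunks)
    out_path = Path(out_dir) / f"{name}.txt"
    out_path.write_bytes(payload)
    return {
        "name": name,
        "path": str(out_path),
        "source": peer[0],
        "received_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes": str(len(payload)),
        "md5": hashlib.md5(payload).hexdigest(),
    }


def send_output(host: str, port: int, output: bytes) -> None:
    """Target-side stand-in for 'command | nc host port': send, then close."""
    with socket.create_connection((host, port)) as s:
        s.sendall(output)


def run_exchange(outputs: Dict[str, bytes], out_dir: Path) -> Dict[str, Dict[str, str]]:
    """Run the exchange for each (tool name, output) pair over one loopback listener.

    Each tool's output travels over its own connection, as with one netcat
    session per command in the deck; the listener is reused between them.
    """
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    records: Dict[str, Dict[str, str]] = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        listener.listen(1)
        listener.settimeout(10)           # never hang forever if the sender fails
        host, port = listener.getsockname()
        for name, output in outputs.items():
            sender = threading.Thread(target=send_output, args=(host, port, output))
            sender.start()
            records[name] = receive_one(listener, out_dir, name)
            sender.join()
    return records


def write_review_log(records: Dict[str, Dict[str, str]], log_path: Path) -> None:
    """One 'md5  file  bytes  received_at  source' line per tool, for the off-line review."""
    with Path(log_path).open("w", encoding="utf-8") as fh:
        for rec in records.values():
            fh.write(f"{rec['md5']}  {Path(rec['path']).name}  {rec['bytes']}  "
                     f"{rec['received_at']}  {rec['source']}\n")


if __name__ == "__main__":
    recs = run_exchange(SAMPLE_OUTPUTS, Path("collected"))
    write_review_log(recs, Path("collected") / "review.log")
    for rec in recs.values():
        print(rec["md5"], rec["path"])
```

The review log records the source address of every connection, which is what lets you notice a file that arrived from somewhere other than the target; plain netcat carries no integrity protection of its own, which is the gap the next slide's cryptcat closes.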


Encrypting Data with cryptcat

  • Has the same syntax and functions as the netcat command

    • Sniffer cannot compromise the information you obtain

    • Eliminates the risk of contamination or injection of data

  • Two-man integrity rule


Section: Obtaining Volatile Data

Collect the important information

  • At minimum, collect the following volatile data prior to forensic duplication:

    • System date and time

    • A list of the users who are currently logged on

    • Time/date stamps for the entire file system

    • A list of the currently running processes

    • A list of the currently open sockets

    • The applications listening on open sockets

    • A list of the systems that have current or had recent connections to the system



Collecting Volatile Data

  • Top-ten list of the steps to use for data collection

    • Execute a trusted cmd.exe

    • Record the system time and date

    • Determine who is logged in to the system (and remote-access users, if applicable)

      • PsLoggedOn

      • rasusers

    • Record modification, creation, and access times of all files

      • dir /?


Collecting Volatile Data

  • Determine open ports

    • netstat

  • List applications associated with open ports

    • Fport

      • winpop.exe: Netbus trojan

      • windll.exe: GirlFriend trojan

  • List all running processes

    • Pslist

  • List current and recent connections

    • netstat

    • arp

    • nbtstat


Collecting Volatile Data

  • Record the system time and date

    • Sandwich your data-retrieval commands between time and date commands

  • Document the commands used during initial response

    • doskey /history

  • Scripting your initial response
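The deck's own initial-response script is a batch file of the NT-era tools named above; the following is an added example, not that script, showing the two points of this slide in a runner that can be tried with harmless commands: every collection command is sandwiched between timestamps, and a session log records the exact command line, exit code and MD5 of each saved output (the record that `doskey /history` would otherwise supply). The runner's clock is the collector's; to sandwich with the target's own clock as the deck does, make the first and last steps the trusted `date` and `time` tools. Command paths and step names are assumptions for illustration.

```python
# Added example, not the deck's own batch script: a scripted initial response
# that sandwiches every collection command between timestamps and writes a log
# of what was run, which is the record 'doskey /history' would otherwise give.
import hashlib
import subprocess
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Sequence, Tuple


def utc_now() -> str:
    """Collector-side clock, UTC. Kept separate from the target's own 'date'/'time'
    output so the two can be compared for skew during the off-line review."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def run_step(name: str, argv: Sequence[str], out_dir: Path, timeout: float = 60.0) -> Dict[str, str]:
    """Run one collection command with its own before/after timestamps.

    argv[0] is meant to be the absolute path of the tool on the response media
    (the trusted cmd.exe, pslist, fport, ...), never a bare name, so nothing is
    resolved through the suspect system's PATH. stdout is saved verbatim; a
    tool that fails to run is recorded rather than silently skipped.
    """
    started = utc_now()
    try:
        proc = subprocess.run(list(argv), capture_output=True, timeout=timeout)
        stdout, stderr, rc = proc.stdout, proc.stderr, proc.returncode
    except (OSError, subprocess.TimeoutExpired) as exc:
        stdout, stderr, rc = b"", str(exc).encode(), -1
    finished = utc_now()
    out_path = Path(out_dir) / f"{name}.txt"
    out_path.write_bytes(stdout)
    return {
        "name": name,
        "command": " ".join(argv),
        "started": started,
        "finished": finished,
        "returncode": str(rc),
        "md5": hashlib.md5(stdout).hexdigest(),
        "stderr": stderr.decode(errors="replace").strip(),
    }


def run_initial_response(steps: Sequence[Tuple[str, Sequence[str]]], out_dir: Path) -> List[Dict[str, str]]:
    """Run the steps in the given order, then write session.log next to the outputs.

    Each log line holds the start/end timestamps, exit code, MD5 of the saved
    output and the exact command line, so the session can be reconstructed and
    the output files checked during the off-line review.
    """
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    session_start = utc_now()
    records = [run_step(name, argv, out_dir) for name, argv in steps]
    with (out_dir / "session.log").open("w", encoding="utf-8") as log:
        log.write(f"session start {session_start}\n")
        for rec in records:
            log.write(f"{rec['started']} .. {rec['finished']}  rc={rec['returncode']}  "
                      f"md5={rec['md5']}  {rec['command']}\n")
        log.write(f"session end {utc_now()}\n")
    return records
```

Point `out_dir` at the response floppy or other removable media, never at the target's own hard drive, so the script itself does not overwrite the file-system evidence the earlier steps just recorded.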


Section: Performing an In-Depth Live Response


Don’t affect your system

  • Find evidence and properly remove rogue programs without disrupting any services


Collecting Live Response Data

  • Two key sources of evidence on Windows NT/2000

    • The event logs

    • The Registry

  • Four approaches that yield quite a bit of information

    • Review the event logs

    • Review the Registry

    • Obtain system passwords

    • Dump system RAM


Review the event logs

  • auditpol

  • NTLast

  • dumpel


Review the Registry

  • regdump

    • Create an enormous text file of the Registry

  • reg query

    • Extract just the Registry key values of interest


Obtaining System Passwords

  • pwdump3e

    • Dump the passwords from the Security Accounts Manager (SAM) database


Dumping System RAM

  • userdump.exe (MS OEM Support Tools)

  • Two types of memory

    • User mode (application) memory

    • Full-system memory