10 Apr 2007 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator. Windows Forensics. Agenda. Forensics Background Operating Systems Review Select Windows Features Vectors and Payloads Forensics Process Forensics Tools Demonstration. Forensics Background.

10 Apr 2007

TCSS431: Network Security

Stephen Rondeau

Institute of Technology

Lab Administrator

Windows Forensics


Agenda

  • Forensics Background

  • Operating Systems Review

  • Select Windows Features

  • Vectors and Payloads

  • Forensics Process

  • Forensics Tools Demonstration


Forensics Background

  • Inspection of computer system for evidence of:

    • crime

    • unauthorized use

  • Evidence gathering/preservation techniques for admissibility in court of law

  • Consideration of suspect's level of expertise

  • Avoidance of data destruction or compromise


Operating System Review

  • What does an OS do?

    • starts itself

    • low-level management of:

      • interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)

    • higher-level management of:

      • file system, users, user interface, apps

    • addresses issues of fairness, efficiency, data protection/access, workload balancing


Select Windows Features

  • Kernel vs. User Mode

  • Kernel features (architecture)

    • device drivers

    • installable file system

    • object security

  • Services


Computing Devices: Simplistic

[slide diagram: input → Computing Device → output, with a Hub connecting the device to the network]

  • Computing Device

    • takes some input

    • processes it

      • OS, services, applications

    • provides some output

  • Network

    • connects device

  • Data

  • ?


Computing Devices: Reality

  • In

    • Human: keyboard, mouse, touch, etc.

    • Data: scanner, GPS

  • Out

    • Human: audio/video

  • In/Out

    • Data: storage device, PC Card, network, printer, etc.


Computing Devices: Connections

  • removable media

    • floppy, CD/DVD, flash, microdrive

  • PC Card

  • wired

    • serial/parallel, USB, FireWire, IDE, SCSI, twisted pair

  • wireless

    • radio (802.11, cellular, Bluetooth)

    • Infrared (IR)

    • Ultrasound


Vectors and Payloads

  • Vector: route used to gain entry to computer

    • via a device without human intervention

    • via an unsuspecting or willing person's actions

  • Payload: what is delivered via the vector

    • malicious code

    • may be multiple payloads

    • spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.


Forensics Process

  • Assess

    • only after permission is granted (written authorization that also sets the scope)

    • determine how to approach affected system(s)

    • watch out for anti-forensics (wiped logs, altered timestamps, rootkits that lie to tools run on the box)

    • how to stop computer processing? pulling the plug keeps the disk as-is but loses RAM; a clean shutdown also loses RAM and runs code on the evidence, so collect volatile data before doing either

  • Acquire

    • capture volatile data first, most volatile first (RAM, network state, processes), using known-good tools from read-only media and noting what was run and when

    • copy hard drive: bit-for-bit image through a write blocker; hash the original and the image and record both in the chain of custody

  • Analyze

    • work on the image, never on the original


Volatile Data

  • All of RAM, plus paging area

  • Logged on users

  • Processes (regular and services)

  • Process memory

  • Buffers

  • Clipboard

  • Network Information

  • Command history


Nonvolatile Data

  • Partitions

  • Files

    • hidden files, NTFS alternate data streams

  • Registry Keys

  • Recycle Bin

  • Scheduled Tasks

  • User information

  • Logs


What to Look For

  • Know baseline system: what to expect of good system

  • Malware Footprint

    • in logs

    • on file system (changed dates/sizes)

    • in registry

    • in startup areas

    • in service list

    • in network connections

  • Abnormality: functionality, performance, traffic patterns

  • Cross-check with multiple tools
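The last two bullets (malware footprint in the process list and network connections, cross-checked with more than one tool) as an added example that is not part of the slides: a Python script that parses output saved from `netstat -anob` and `tasklist` and reports PIDs that own sockets but are missing from the process list, plus listeners that are not in a known-good baseline. The two captures and the BASELINE_LISTENERS set are constructed for illustration, not taken from any real system.

```python
"""Cross-view check: netstat -anob vs. tasklist.

Added example (not from the slides): parse output saved from the two
Windows tools and report PIDs that own sockets but are missing from the
process list, plus listening ports that are not in a known-good baseline.
The captures and the baseline below are constructed for illustration.
"""
import re

# Constructed sample in the layout of XP-era `netstat -anob`; the PID
# column is followed by the owning component/image on the next line(s).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  RpcSs
 [svchost.exe]

  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]

  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       1988
 [svch0st.exe]

  TCP    192.168.1.10:1057      10.0.0.5:6667          ESTABLISHED     1988
 [svch0st.exe]

  UDP    0.0.0.0:500            *:*                                    672
 [lsass.exe]
"""

# Constructed sample `tasklist` output. PID 1988 is deliberately absent:
# a rootkit that hides a process from the process list leaves its sockets
# visible to the TCP/IP stack, which is what the cross-check catches.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
lsass.exe                      672 Console                    0      1,340 K
svchost.exe                    872 Console                    0      4,832 K
explorer.exe                  1504 Console                    0     14,208 K
"""

# Assumed baseline of listeners on a known-good build of the same image.
BASELINE_LISTENERS = {("TCP", 135), ("TCP", 445), ("UDP", 500)}

NETSTAT_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
IMAGE_ROW = re.compile(r"^\s*\[(.+)\]\s*$")
TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+(\S+)\s+(\d+)\s+[\d,]+ K\s*$")


def parse_netstat(text):
    """Return one dict per socket row: proto, laddr, lport, faddr, state, pid, image."""
    rows, current = [], None
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, laddr, lport, faddr, state, pid = m.groups()
            current = {"proto": proto, "laddr": laddr, "lport": int(lport),
                       "faddr": faddr, "state": state or "", "pid": int(pid),
                       "image": None}
            rows.append(current)
            continue
        b = IMAGE_ROW.match(line)
        if b and current is not None:
            current["image"] = b.group(1)      # "[svchost.exe]" -> svchost.exe
        elif not line.strip():
            current = None                     # blank line ends the record
    return rows


def parse_tasklist(text):
    """Return {pid: image name} from tasklist output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def cross_check(netstat_text, tasklist_text, baseline=BASELINE_LISTENERS):
    """Compare the two views and return the discrepancies worth a look."""
    sockets = parse_netstat(netstat_text)
    procs = parse_tasklist(tasklist_text)
    findings = {"hidden_pids": set(), "new_listeners": set(), "established": []}
    for s in sockets:
        if s["pid"] not in procs:              # socket owner not in process list
            findings["hidden_pids"].add(s["pid"])
        listening = s["state"] == "LISTENING" or s["proto"] == "UDP"
        if listening and (s["proto"], s["lport"]) not in baseline:
            findings["new_listeners"].add((s["proto"], s["lport"], s["image"]))
        if s["state"] == "ESTABLISHED":        # outbound sessions to eyeball
            findings["established"].append(
                (s["laddr"], s["lport"], s["faddr"], s["pid"], s["image"]))
    return findings


if __name__ == "__main__":
    for category, items in cross_check(NETSTAT_SAMPLE, TASKLIST_SAMPLE).items():
        print(category, sorted(items, key=str))
```

Run the same comparison against a second process view (pslist from PsTools, or Process Explorer) before calling a PID hidden; a process that exited between the two captures also shows up as "missing", so take the captures back to back and record the times.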


Microsoft Tools

  • Basic

    • Windows Update, Malicious Software Removal Tool, Baseline Security Analyzer, Time Service, Routing and Remote Access, Event Viewer, EventCombMT, LocalService, NetworkService, Runas, systeminfo, auditpol

  • Network tools

    • netstat -anob (-b, which shows the owning executable, needs XP SP2 or later), nbtstat, ping, tracert, arp, netsh, ipconfig

  • File

    • dir /ah (hidden entries), dir /od (sort by date), dir /tc (show creation time instead of last write), findstr, cacls

  • Services

    • net start/stop, sc

  • Process:

    • tasklist, taskkill, schtasks
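The file listing switches above (dir /od, dir /tc) as an added example that is not part of the slides: a Python script that merges a creation-time listing (`dir /a /tc`) and a last-write listing (`dir /a /tw`) of one directory into a single timeline, then flags entries created inside the incident window or created later than they were last written (what a file copied in from elsewhere, or a tampered timestamp, looks like). Both listings and the INCIDENT_WINDOW are constructed for illustration.

```python
"""File-system timeline from dir /tc and dir /tw listings.

Added example (not from the slides): merge the creation-time listing
(`dir /a /tc`) and last-write listing (`dir /a /tw`) of one directory
into a timeline, and flag entries created inside the incident window or
created later than they were last written. Both listings and the window
are constructed for illustration.
"""
import re
from datetime import datetime

# Constructed `dir /a /tc C:\WINDOWS\system32` output (creation times).
DIR_CREATED_SAMPLE = r"""
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\WINDOWS\system32

08/04/2004  12:00 PM         1,032,192 ntoskrnl.exe
08/04/2004  12:00 PM            14,336 svchost.exe
04/10/2007  09:15 AM            24,576 svch0st.exe
04/10/2007  09:16 AM    <DIR>          drv
               3 File(s)      1,071,104 bytes
               1 Dir(s)  10,485,760,000 bytes free
"""

# Constructed `dir /a /tw` output for the same directory (last-write times).
DIR_WRITTEN_SAMPLE = r"""
 Directory of C:\WINDOWS\system32

08/04/2004  12:00 PM         1,032,192 ntoskrnl.exe
08/04/2004  12:00 PM            14,336 svchost.exe
01/15/2006  03:22 PM            24,576 svch0st.exe
04/10/2007  09:16 AM    <DIR>          drv
"""

# Assumed incident window: the day the suspicious activity was reported.
INCIDENT_WINDOW = (datetime(2007, 4, 10), datetime(2007, 4, 11))

# One dir entry: date, time, <DIR> or size with thousands separators, name.
DIR_ROW = re.compile(
    r"^(\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")


def parse_dir(text):
    """Return {name: (timestamp, size)}; size is None for directories."""
    entries = {}
    for line in text.splitlines():
        m = DIR_ROW.match(line)
        if not m:
            continue                       # volume header, totals, blank lines
        stamp = datetime.strptime(" ".join(m.group(1).split()),
                                  "%m/%d/%Y %I:%M %p")
        size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
        entries[m.group(3)] = (stamp, size)
    return entries


def build_timeline(created_text, written_text):
    """Merge both listings into [(timestamp, event, name)] sorted by time."""
    events = []
    for kind, text in (("created", created_text), ("written", written_text)):
        for name, (stamp, _size) in parse_dir(text).items():
            events.append((stamp, kind, name))
    return sorted(events, key=lambda e: (e[0], e[2], e[1]))


def flag_anomalies(created_text, written_text, window=INCIDENT_WINDOW):
    """Names created in the window, and names created after their last write."""
    created = parse_dir(created_text)
    written = parse_dir(written_text)
    start, end = window
    in_window = [n for n, (t, _) in sorted(created.items(), key=lambda kv: kv[1][0])
                 if start <= t < end]
    # Creation later than last write means the file was copied in (copy keeps
    # the source's write time) or its timestamps were altered: check it.
    after_write = [n for n, (t, _) in created.items()
                   if n in written and t > written[n][0]]
    return {"created_in_window": in_window,
            "created_after_written": sorted(after_write)}


if __name__ == "__main__":
    for stamp, kind, name in build_timeline(DIR_CREATED_SAMPLE, DIR_WRITTEN_SAMPLE):
        print(stamp.strftime("%Y-%m-%d %H:%M"), kind, name)
    print(flag_anomalies(DIR_CREATED_SAMPLE, DIR_WRITTEN_SAMPLE))
```

A creation time newer than the write time is an indicator, not proof: installers and Windows Update copy files the same way, which is why the baseline matters. Take the listings from the image, not the live system, and remember that dir shows times from $STANDARD_INFORMATION, which timestomping tools can rewrite.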


External Tools

  • antivirus

  • backup

  • www.sysinternals.com

    • RootkitRevealer, Process Explorer, WinObj, Autoruns

    • PsTools: pslist, psexec, psservice, psgetsid, etc.

  • www.e-fense.com: Helix

    • statically-linked tools, variety of other tools

  • Bart's PE


References

  • Harlan Carvey, Windows Forensics and Incident Recovery, Addison-Wesley, 2005

  • Harlan Carvey, Windows Forensic Analysis DVD Toolkit, Syngress, 2007

  • Brian Carrier, File System Forensic Analysis, Addison-Wesley, 2005

  • Greg Hoglund and James Butler, Rootkits, Addison-Wesley, 2006

