Forensics of a windows system
Download
1 / 43

Forensics of a Windows system : - PowerPoint PPT Presentation


  • 402 Views
  • Updated On :

Forensics of a Windows system Alfredo Reino, CISSP, MCSE, CCNA Systems Engineer Pharma Global Informatics F. Hoffmann-La Roche F. Hoffmann – La Roche A Global Healthcare Leader One of the leading research-intensive healthcare groups Core businesses are pharmaceuticals and diagnostics

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Forensics of a Windows system :' - ostinmannual


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Forensics of a windows system l.jpg

Forensics of a Windows system

Alfredo Reino, CISSP, MCSE, CCNA

Systems Engineer

Pharma Global Informatics

F. Hoffmann-La Roche


F hoffmann la roche a global healthcare leader l.jpg
F. Hoffmann – La RocheA Global Healthcare Leader

  • One of the leading research-intensive healthcare groups

  • Core businesses are pharmaceuticals and diagnostics

  • A world leader in Diagnostics

  • The leading supplier of medicines for cancer and transplantation and a market leader in virology

  • Employs roughly 65,000 people in 150 countries

  • Has R&D agreements and strategic alliances with numerous partners, including majority ownership interests in Genentech and Chugai


Agenda l.jpg
Agenda

  • Introduction

  • Incident handling and scope

  • Gathering volatile data

  • Network information

  • Filesystem acquisition

  • Memory acquisition

  • Timeline analysis

  • Evidence integrity & Chain of Custody

  • Organizations


What is forensics l.jpg
What is forensics?

Computer forensics is the process of investigating data storage devices and/or data processing equipment typically a home computer, laptop, server, office workstation, or removeable media such as compact discs, to determine if the equipment has been used for illegal, unauthorized, or unusual activities. It can also include monitoring a network for the same purpose. They must do so in a fashion that adheres to the standards of evidence that is admissible in a court of law.

http://en.wikipedia.org/wiki/computer_forensics


What is forensics5 l.jpg
What is forensics?

  • Computer forensics includes the following aspects:

    • identify evidence

    • preserve evidence

    • analyze evidence

    • present results

  • This has to be done following appropiate standards, especially if results need to be admitted by court of law


Incident handling l.jpg
Incident handling

  • General areas of incident handling

    • planning and preparation

    • incident detection

    • containment / response

    • recovery

    • analysis


Forensics scope and environment l.jpg

applications

os

server

computerized systems

infrastructure systems

lan / dmz

external environment

Forensics scope and environment

do you have all the relevant information?


Gathering data l.jpg
Gathering data

more volatile

  • Volatile data

    • registers, cache contents

    • memory contents

    • network connections

    • running processes

  • Non-volatile data

    • content of filesystems and drives

    • content of removable media

less volatile


Volatile data preparation l.jpg
Volatile data - preparation

  • Create CD-ROM with trusted toolset

    • at least include a trusted version of CMD.EXE from the same operating system

    • netcat or cryptcat

    • system tools (ipconfig, netstat, date, time, net, arp ...) for different Windows versions and service pack levels

    • pstools, listdlls, filemon, regmon, autoruns...

    • hfind, fport, ntlast, ...

    • windows resource kit tools

    • a good sniffer (ethereal, windump, ...)

    • md5sum / md5deep


Volatile data the set up l.jpg
Volatile data - the set up

  • Connect forensics workstation to same lan as suspect server

  • Configure netcat or cryptcat in forensics workstation to listen on a port and save received data to evidence file

  • Mount trusted toolset cd-rom in suspect server

  • Open trusted console (cmd.exe)


Volatile data what to get l.jpg
Volatile data - what to get

  • System date and time

  • Running processes

  • Network connections

  • Open ports

  • Applications listening on open sockets

  • Logged on users

  • Stored information in memory


Volatile data tools l.jpg
Volatile data - tools

  • date /t & time /t

    • get system date and time

  • ipconfig /all

    • get tcp/ip configuration

  • netstat -aon

    • get network connections and listening ports (with associated process pid)

  • psinfo -shd

    • get computer information (hardware, software, hotfixes, versions, etc.)

  • pslist -t

    • get running processes

  • at

    • get list of scheduled tasks (also check %windir%\tasks\ folder)


Volatile data tools13 l.jpg
Volatile data - tools

  • psloggedon

    • show logged on users and log on times

  • psloglist

    • dump event logs

  • psservice

    • dump system service information

  • net use, net accounts, net session, net share, net user

    • list netbios/smb connections

  • listdlls

    • list all dlls loaded in system

  • sigcheck -u -e c:\windows

    • enumerate all unsigned files (.exe, .dll)


Volatile data tools14 l.jpg
Volatile data - tools

  • streams -s c:\

    • list files with alternate data streams (ads)

  • logonsessions -p

    • lists logged on sessions and processes running on each session

  • arp -a

    • displays arp cache table

  • ntlast

    • record succesful and failed logins in system (including null sessions and remote logins)

  • route print

    • displays ip routing table


Volatile data tools15 l.jpg
Volatile data - tools

  • autorunsc

    • show all kinds of autorun items

  • hfind c:

    • finds hidden files

  • promiscdetect

    • detects network adapters in 'promisc' mode


Volatile data tools16 l.jpg
Volatile data - tools

  • volume_dump

    • dumps information about volumes, mount points, filesystem, etc.

  • pwdump2

    • dumps nthash/lmhash of local accounts (for later offline cracking)

  • lsadump2

    • dumps contents of LSA secrets (need SeDebugPrivilege)

  • strings

    • searches for ascii/unicode strings in suspicious files (you decide which are suspicious or not!)


Volatile data gui tools l.jpg
Volatile data - GUI tools

  • rootkit revealer

    • detects usermode or kernelmode rootkits

  • process explorer

    • useful information about running processes, loaded libraries, used resources, etc.

  • tcpview

    • displays network connections and associated applications


Network information l.jpg
Network information

  • Useful static data to get

    • IDS/IPS logs

    • firewall logs

    • radius/VPN logs

    • DHCP logs and leased ip information

    • application logs from other servers in same network if they are suspected of being entry point (ftp, www, database, ...)


Network information19 l.jpg
Network information

  • Traffic to/from live system

    • use of sniffer recommended

    • can use ethernet probe (read-only cat5 if possible!)

    • if server connected to hub, then plug probe into hub

    • if connected to switch, use a mirror port (in expensive switches) or use arp-spoofing to redirect traffic to sniffer

    • best sniffer: ethereal


Shutdown vs pull the plug l.jpg
Shutdown vs. Pull the plug

  • Clean shutdown

    • Advantages:

      • Maintains file system integrity

    • Disadvantages:

      • Changes state of system

      • Changes to filesystem

      • Malware can erase evidence on shutdown detection

  • Pull the plug

    • Advantages:

      • Maintains state as when it was running (except memory)

    • Disadvantages:

      • File system corruption


A note on win32 device names l.jpg
A note on Win32 device names

  • \\. Local machine

  • \\.\C: C: volume

  • \\.\D: D: volume

  • \\.\PhysicalDrive0 First physical disk

  • \\.\PhysicalDrive1 Second physical disk

  • \\.\CdRom0 First CD-Rom

  • \\.\Floppy0 First floppy disk

  • \\.\PhysicalMemory Physical memory

  • Using 'volume_dump' we can get the internal volume names

    • \\?\Volume{cb920b00-26be-11da-a568-806d6172696f}


File system acquisition duplication l.jpg
File system acquisition / duplication

  • Disk duplicates are admissible as evidence in court

  • Types of duplicates

    • Forensic duplicates ('dd')

      • Contains "raw" image

      • Every bit copied

      • No extra data added

    • Qualified duplicates ('EnCase')

      • Metadata added (hashes, timestamps, etc.)

      • Compression of empty blocks


Filesystem acquisition l.jpg
Filesystem acquisition

  • Physical acquisition

    • turn off machine (plug power cable)

    • remove harddisk

    • if harddisk has a read-only jumper, set it

      • or use hardware IDE/SCSI write blocker

    • connect to forensics workstation

      • better if its Linux (mount images manually and read-only)

        mount -o ro,loop,nodev,noexec victim.hda8.dd /t

    • perform bitwise copy ('dd') to a big enough storage media

      • portable firewire/USB drives are useful


Filesystem acquisition24 l.jpg
Filesystem acquisition

  • Network acquisition - non-live system

    • configure forensics workstation

      • lots of free disk space

      • netcat listener (nc -l -p 9000 > disk1.dd)

      • after acquiring compute hash (md5sum disk1.dd > disk.md5)

    • configure suspect system

      • boot suspect system (losing volatile info!) into linux livecd distro (gentoo, helix, knoppix, ...)

      • run dd to image disk over network with netcat

        dd if=/dev/sda | nc 10.0.0.1 9000


Filesystem acquisition25 l.jpg
Filesystem acquisition

  • Network acquisition - live system

    • not recommended (last resort)

      • untrusted operating system and filesystem in inconsistent state

    • configure forensics workstation

      • netcat listener (nc -l -p 9000 > disk1.dd)

      • after acquiring compute hash (md5sum disk1.dd > disk.md5)

    • acquire live filesystem

      • run 'dd for windows' from trusted cd-rom toolset

        dd if=\\.\PhysicalDrive0 bs=2k | nc -w 3 10.0.0.1 9000

        • where 10.0.0.1 is the ip address of forensics workstation


Memory acquisition l.jpg
Memory acquisition

  • Types of information located in memory

    • Cached passwords

    • Memory resident malware (Slammer)

    • Fragments of open files and processes

    • Unencrypted data

  • If this information is tought to be useful in investigation...

    pull the plug!


Memory acquisition27 l.jpg
Memory acquisition

  • Image whole memory (from a live system)

    dd if=\\.\PhysicalMemory | nc -w 3 10.0.0.1 9000

    • User-mode access to PhysicalMemory device object is not allowed for Windows Server 2003 SP1 (only kernel-mode drivers can do this)

  • Get process memory (from a live system)

    • Use 'pmdump' to dump the memory space of a process to a file

  • Get paging file (offline)

    • Cannot get the 'pagefile.sys' from a live system

    • If you shutdown the system, it changes the paging file

    • Maybe the "Clean pagefile on shutdown" is enabled!

    • So... pull the plug and image the disk



Analysis of evidence l.jpg
Analysis of evidence

  • Need to find "footprints", to establish

    • what

    • when (timeline of events)

    • how (point of entry, vulnerabilities exploited, ...)

    • who (?)

    • why (??)

  • Initial analysis

    • check for hidden or unusual files

    • check for unusual processes and open sockets

    • check for unusual application requests

    • check for suspicious accounts

    • determine patch level of system


Analysis of evidence30 l.jpg
Analysis of evidence

  • Based on findings, we should develop a strategy for further investigation

    • full filesystem / memory analysis

    • timeline analysis

    • event correlation

    • recovery of deleted files

    • password cracking (lophtcrack, lepton crack, ...)

    • malware executable analysis

      • static analysis

      • behavioural analysis


Filesystem analysis l.jpg
Filesystem analysis

  • Many tools for this

    • EnCase (commercial)

    • The Sleuth Kit + forensics browser

    • ftimes

  • Basic analysis tool functionality

    • file topography

    • compute hashes for files

    • create timeline analysis (mac data)

    • identify and recover deleted files

    • search functions

    • case management


Filesystem analysis32 l.jpg
Filesystem analysis

  • The Sleuth Kit + forensics browser



Timeline analysis log files l.jpg
Timeline analysis - Log files

  • Event logs (Application, System, Security, DNS)

    • very useful, many tools to extract

  • IIS/webserver/FTP logs/URLScan

    • useful to detect webapp exploiting (maybe as point of entry), for example unicode attacks, sql injection, ...

  • Windows Firewall log (%windir%\pfirewall.log)

  • Dr. Watson logs

    • contain information about processes running when an application crashed

  • setupapi.log

    • information about installation of applications and devices

  • schedlgu.txt

    • information about scheduled tasks

  • Antivirus / IDS / IAS / ISA Server / ... logs


Timeline analysis prefetch folder l.jpg
Timeline analysis - Prefetch folder

  • The prefetch folder is used by Windows to store information about how to effectively launch executables to improve performance

    • XP prefetches at boot time and application launch, 2003 prefetches only at boot time (default)

    • .pf files in %systemroot%/prefetch folder, contain information about file paths

    • the MAC info of the .pf file gives us information about when an application has been launched

    • use 'pref' or 'pref_ver' to parse this info, or use 'strings'


Timeline analysis other sources l.jpg
Timeline analysis - Other sources

  • LastWrite information in registry keys

    • use 'lsreg.pl' to parse registry and extract information including lastwrite data

      Key -> CurrentControlSet\Control\Windows\ShutdownTime

      LastWrite : Tue Aug 2 12:06:56 2005

      Value : ShutdownTime;REG_BINARY;c4 96 a0 ad 5a 97 c5 01

  • INFO2 files

    • contains information about deleted files by each user (only if it goes to recycle bin)

    • use 'rifiuti' to extract information

    • file normally at C:\Recycler\%USERSID%\INFO2


Timeline analysis other sources37 l.jpg
Timeline analysis - Other sources

  • Recently opened documents

    - check this registry key (for each user!)

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

  • Temp folders

    • examine contents for suspicious files

  • Web browser cache

    • 'pasco' tool for internet explorer forensic analysis

    • cache and cookies folders

    • browser history


Evidence integrity l.jpg
Evidence integrity

  • Compute MD5 and SHA1 hashes of everything as soon as possible (tool output, drive/memory images, ...)

  • Write down all hardware information

    • manufacturer, model, serial number, inventory numbers, jumper settings

  • Get a lawyer or notary to attest and certify the whole process


Chain of custody l.jpg
Chain of Custody

  • Jurisprudence concept regarding the handling of evidence and its integrity

  • Documentation (paper trail) of seizure, custody, control, transfer, analysis and disposition of evidence

  • Handle evidence scrupulously to avoid allegations of misconduct or evidence tampering

  • Document the evidence lifecycle process (methods, times, dates, identity of people involved, etc.)

  • Must document where evidence was (and who had access to it) from initial gathering until it reaches court


Need help l.jpg
Need help?

  • Spain

    • Brigada de Investigación Tecnológica (Policía Nacional)

      • http://www.mir.es/policia/bit/

    • Grupo de Delitos Telemáticos (Guardia Civil)

      • http://www.guardiacivil.org/telematicos/

  • USA

    • DoD CyberCrime Center

      • http://www.dcfl.gov/dc3/

  • UK

    • National Hi-Tech Crime Unit

      • http://www.nhtcu.org/


Tools l.jpg
Tools

  • These are the mentioned tools in this presentation

  • Feel free to add more to your toolkit

  • Script (vbscript, perl) your toolset!!




ad