html5-img
1 / 30

How'd They Find THAT? : Implementing the Microsoft Fundamental Computer Investigation Guide for Windows

How'd They Find THAT? : Implementing the Microsoft Fundamental Computer Investigation Guide for Windows . Kai Axford, CISSP, MCSE Sr. Security Strategist Microsoft Corporation http://blogs.technet.com/kaiaxford. Agenda.

aram
Download Presentation

How'd They Find THAT? : Implementing the Microsoft Fundamental Computer Investigation Guide for Windows

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How'd They Find THAT?: Implementing the Microsoft Fundamental Computer Investigation Guide for Windows Kai Axford, CISSP, MCSE Sr. Security Strategist Microsoft Corporation http://blogs.technet.com/kaiaxford

  2. Agenda The Problem: Investigating illegal / improper activity on your computers and networks The Guide: Four-step investigative process The Tools: Demos of Sysinternals, EnCase, and Forensic Toolkit The Other Tools: Anti-Forensics

  3. A Growing Problem • Internet connectivity and technological advances are now part of landscape • Your computing resources may be exposedto improper or even criminal activities • Need best practices and tools for investigating illegal activity • Want to avoid exposing the organization to legal and financial risks

  4. The Fundamental Computer Investigation Guide for Windows • Best practices and tools to conduct computer investigations of suspicious activity • Tested guidance about collecting, preserving, analyzing, and reporting on key data in investigation

  5. Types of Questionable/Illegal Activities

  6. Real-life Examples

  7. Example Case • Ray Chow, Enterprise Systems Administrator of Woodgrove National Bank (WNB) • Believes information illegally obtained from HR file server • Needs to use sound investigative methods • Will report findings to upper management

  8. The guide provides you with a 4-step Best Practices methodology for your investigation Assess the situation Acquire key data Analyze data Report results

  9. Decide whether or not to involve law enforcement Step 1: Assess the Situation Assess the situation Should law enforcement be involved? • End internal investigation • Contact law enforcement • agency (see appendix) • Provide assistance Yes No Continue internal investigation

  10. Step 1: Assess the Situation (cont’d.) Assess the situation • Meet with management and legal advisors • Collectively review policies and laws • Identify possible team members • Assess situation, business impact • Prepare to acquire evidence

  11. Step 2: Acquire Key Data Acquire key data • Build toolkit, including Sysinternals and Windows tools • Collect evidence of access to HR files at server • Collect volatile evidence at client • Collect evidence of access to HR files at client • Consider data storage protection and archival

  12. Step 3: Analyze Data • Analyze data obtained from server • Analyze data obtained from host Analyze data

  13. Step 4: Report Results • Gather all background, documentation, notes • Identify data relevant to investigation • Identify facts that support conclusion • List evidence to be submitted in report • List conclusions • Based on above, create report Report results

  14. Sysinternals and Other Tools for Your Investigation

  15. Event Log Acquire key data • Use to document unauthorized file and folder access

  16. AccessChk* Acquire key data • Shows what folder permissions a user has • Provides evidence that user has opportunity

  17. PsLoggedOn* Acquire key data • Shows if a user is logged onto a computing resource

  18. RootKit Revealer Acquire key data • Reveals rootkits, which take complete control of a computer and conceal their existence from standard diagnostic tools

  19. PsExec Acquire key data • Allows investigator to remotely obtain information about a user’s computer - without tipping them off or installing any applications on the user’s computer

  20. Sysinternals tool: DU* Acquire key data • Allows investigator to remotely examine the contents of user’s My Documents folder and any subfolders

  21. Digital Forensics • First and foremost:Kai is not a lawyer. Always consult your local law enforcement agency and legal department first! • Digital forensics is SERIOUS BUSINESS • You can easily shoot yourself in the foot by doing it incorrectly • Get some in-depth training • …this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.) I just want to spend a few minutes showing you somecommon forensic tools and how they can help

  22. EnCase (Guidance Software, Inc.) • http://www.guidancesoftware.com • Very popular in private corporations • EnScript Macro Language allows for creation of powerful scripts and filters to automate tasks • Safely preview a disk before acquisition • Picture gallery shows thumbnails of all images • Virtually boot disk image using VMware to allow first-hand view of the system

  23. Forensic Tool Kit (AccessData Corp.) • http://www.accessdata.com/ • Full indexed searches in addition to Regex searches • Preprocess of all files, which makes for faster searching • Data is categorized by type (document, image, email, archive, etc.) for easy sorting • Ability to rule out “common files” using the Known File Filter plug-in • Detection of encrypted/compressed files

  24. Open Source Forensics Tools • The Sleuth Kit (TSK) and Autopsy • Written by Brian Carrier (www.sleuthkit.org) • TSK is command line; Autopsy provides GUI for TSK Runs on *nix platforms • Client server architecture allows multiple examiners to use one central server • Allows basic recovery of deleted data and searching • Lots of manual control to the investigator, but is light on the automation

  25. Open Source Forensics Tools (cont’d.) • Helix (e-fense) • Customized Knoppix disk that is forensically safe • Includes improved versions of ‘dd’ • Terminal windows log everything for good documentation • Includes Sleuthkit, Autopsy, chkrootkit, and others • Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools

  26. demo The Tools

  27. Anti-Forensics • Be Aware of activity in the Anti-Forensics area!! There are active efforts to produce tools to thwart your forensic investigation. • Metasploit’s Anti-Forensic Toolkit*, Defiler’s Toolkit, etc. • Timestomp • Transmogrify • Slacker • SAM juicer *Courtesy of Vinnie Liu at Metasploit Project. Stay Alert! Stay Alive!

  28. Resources Security Minded – Kai’s Blog http://blogs.technet.com/kaiaxford Fundamental Computer Investigation Guide For Windows http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx File System Forensic Analysis. Brian Carrier ISBN: 0-321-26817-2 Digital Evidence and Computer Crime. Eoghan Casey. ISBN: 012162885X Incident Response: Investigating Computer Crime. Kevin Mandia & Chris Prosise ISBN: 007222696X Hacking Exposed: Computer Forensics. Chris Davis, Aaron Phillip ISBN: 0072256753 “How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab”. Berinato, Scott. May 2007. http://www.cio.com

  29. Q&A

More Related