Windows Forensics

  1. Windows Forensics
     24 Jan 2008, TCSS431: Network Security
     Stephen Rondeau, Institute of Technology Lab Administrator

  2. Agenda
     • Forensics Background
     • Operating Systems Review
     • Select Windows Features
     • Vectors and Payloads
     • Forensics Process
     • Forensics Tools Demonstration

  3. Forensics Background
     • Inspection of computer system for evidence of:
       • crime
       • unauthorized use
     • Evidence gathering/preservation techniques for admissibility in court of law
     • Consideration of suspect's level of expertise
     • Avoidance of data destruction or compromise

  4. Operating System Review
     • What does an OS do?

  5. Operating System Review
     • What does an OS do?
       • starts itself
       • low-level management of:
         • interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
       • higher-level management of:
         • file system, users, user interface, apps
       • addresses issues of fairness, efficiency, data protection/access, workload balancing

  6. Select Windows Features
     • Kernel vs. User Mode
     • Kernel features (architecture)
       • device drivers
       • installable file system
       • object security
     • Services
     • User accounts, passwords and privileged groups
     • Security policies

  7. Computing Devices: Simplistic
     (diagram: computing device with input, output and a network hub)
     • Computing Device
       • takes some input
       • processes it
         • OS, services, applications
       • provides some output
     • Network
       • connects device
     • Data

  8. Computing Devices: Reality
     (diagram: input from humans via keyboard/mouse/touch etc.; output to humans via audio/video; data in from scanner/GPS; data in/out via storage device, PC/Express Card, network, printer, etc.)

  9. Computing Devices: Connections
     • removable media
       • floppy, CD/DVD, flash, microdrive
       • PC/Express Card
     • wired
       • serial/parallel, USB, Firewire, IDE/SATA, SCSI/SAS
       • twisted pair
     • wireless
       • radio (802.11, cellular, Bluetooth)
       • Infrared (IR)
       • Ultrasound

  10. Vectors and Payloads
     • Vector: route used to gain entry to computer
       • via a device without human intervention
       • via an unsuspecting or willing person's actions
     • Payload: what is delivered via the vector
       • malicious code
       • may be multiple payloads
       • spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.

  11. Forensics Process
     • Assess (after permission is granted)
       • determine how to approach affected system(s)
       • inspect physical environment
       • watch out for anti-forensics, booby-traps
       • consider how to stop computer processing
     • Acquire
       • capture volatile data
       • copy hard drive
     • Analyze

  12. Volatile Data
     • All of RAM, plus paging area
     • Logged on users
     • Processes (regular and services)
     • Process memory
     • Buffers
     • Clipboard
     • Network Information (incoming and outgoing)
     • Command history

  13. Nonvolatile Data
     • Partitions
     • Files
       • hidden, streams
     • Registry Keys
     • Recycle Bin
     • Scheduled Tasks
     • User Account and Group Information
     • Logs

  14. What to Look For
     • Know baseline system: what to expect of good system
     • Malware Footprint
       • in logs
       • on file system (changed dates/sizes, hidden)
       • in registry
       • in startup areas
       • in services list
       • in network connections
     • Abnormality: function, performance, traffic patterns
     • Cross-check with multiple tools

  15. Microsoft Tools
     • Basic
       • Prevent: Windows Update, Time Service, Routing and Remote Access, LocalService, NetworkService, Runas
       • Inspect: net user/group/localgroup, Active Directory Users and Groups, Event Viewer, EventCombMT, systeminfo, auditpol, Security Configuration Manager
       • Fix: Malicious Software Removal, Security Configuration Manager
     • Network tools
       • netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig
     • File
       • dir /ah, dir /od, dir /tc, findstr, cacls
     • Services
       • net start/stop, sc, services.msc
     • Process
       • tasklist, taskkill, schtasks
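Slides 14 and 15 tell the analyst to look for a malware footprint in network connections, to compare against a known-good baseline, and to cross-check with more than one tool. The following Python script is an added example, not part of the slide deck, that carries those three points out in code: it parses the output of `netstat -anob` and of `tasklist` (assumed here to be run with the `/fo csv` switch), fills in process names one tool could not obtain from the other, flags listeners absent from a baseline set and established connections to non-internal addresses, and reports any PID whose image name differs between the two snapshots. The two command outputs, the baseline set, the PIDs and the process name `update_helper.exe` are constructed for illustration; the foreign address comes from the RFC 5737 documentation range.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample of `netstat -anob` output (not captured from a real host);
# 203.0.113.7 is an RFC 5737 documentation address and update_helper.exe is made up.
NETSTAT_SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       3120
 [update_helper.exe]
  TCP    192.168.1.20:49512     203.0.113.7:6667       ESTABLISHED     3120
 [update_helper.exe]
  UDP    0.0.0.0:123            *:*                                    1012
  W32Time
 [svchost.exe]
"""

# Constructed sample of `tasklist /fo csv` output for the same PIDs.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Services","0","144 K"
"svchost.exe","880","Services","0","9,824 K"
"svchost.exe","1012","Services","0","5,112 K"
"update_helper.exe","3120","Console","1","2,340 K"
"""

# Listeners expected on the known-good baseline system: (proto, port, lowercase image name).
BASELINE_LISTENERS = {("TCP", 135, "svchost.exe"), ("TCP", 445, "system"), ("UDP", 123, "svchost.exe")}

# Address ranges treated as internal; any other routable address counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10")]


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    service: str = ""   # service name printed under svchost-hosted connections
    image: str = ""     # [image.exe] owner line; empty when netstat could not obtain it


def parse_netstat(text):
    """Parse netstat -anob: each connection line is followed by zero or more owner lines."""
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Active Connections", "Proto")):
            continue
        tokens = line.split()
        if tokens[0] in ("TCP", "UDP"):
            # UDP lines have no State column, so the PID is always the last token.
            state = tokens[3] if len(tokens) == 5 else ""
            conns.append(Conn(tokens[0], tokens[1], tokens[2], state, int(tokens[-1])))
        elif conns:
            if line.startswith("[") and line.endswith("]"):
                conns[-1].image = line[1:-1]
            elif not line.startswith("Can not obtain"):
                conns[-1].service = line
    return conns


def parse_tasklist(text):
    """Map PID -> image name from tasklist /fo csv output."""
    return {int(row["PID"]): row["Image Name"] for row in csv.DictReader(io.StringIO(text))}


def split_endpoint(addr):
    """Split 'host:port' (IPv6 hosts are bracketed) into (host, port or None)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else None


def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:      # '*' or a hostname
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def find_anomalies(conns, pid_map, baseline):
    """Cross-check the two snapshots and flag what the baseline does not explain."""
    report = {"unexpected_listeners": [], "external_connections": [], "image_mismatch": []}
    for c in conns:
        tl_image = pid_map.get(c.pid, "")
        image = c.image or tl_image      # fill a gap in one tool from the other
        if c.image and tl_image and c.image.lower() != tl_image.lower():
            report["image_mismatch"].append((c.pid, c.image, tl_image))
        _, port = split_endpoint(c.local)
        if (c.state == "LISTENING" or c.proto == "UDP") and (c.proto, port, image.lower()) not in baseline:
            report["unexpected_listeners"].append((c.proto, port, image, c.pid))
        host, _ = split_endpoint(c.foreign)
        if c.state == "ESTABLISHED" and is_external(host):
            report["external_connections"].append((c.pid, image, c.foreign))
    return report


if __name__ == "__main__":
    print(find_anomalies(parse_netstat(NETSTAT_SAMPLE), parse_tasklist(TASKLIST_SAMPLE), BASELINE_LISTENERS))
```

On the constructed sample the script reports one listener missing from the baseline (TCP 5555 owned by PID 3120) and one established connection from the same PID to an external address, while the PID 4 listener on 445, for which netstat prints "Can not obtain ownership information", is resolved to System through the tasklist snapshot and accepted. In practice the baseline would be built from the same two commands run on a known-good system of the same build, as slide 14 recommends, and both snapshots would be collected with trusted copies of the tools.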

  16. External Tools
     • www.sysinternals.com
       • variety of Windows tools to monitor and analyze
     • www.e-fense.com: Helix
       • Windows tools
         • Windows Forensics Toolkit™
         • trusted commands
         • RAM/disk imaging, password recovery tools
         • some www.sysinternals.com tools
       • bootable to Knoppix with many file system tools
     • www.rootkit.com

  17. Advice
     • For your systems:
       • Prevent:
         • update, monitor, block, isolate, backup
       • Analyze:
         • find vectors and payloads
       • Recover:
         • off-network restore, re-install or re-image
         • block vectors and/or payload effects before going on-network

  18. References
     • Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley 2005
     • Windows Forensic Analysis DVD Toolkit, Harlan Carvey, Syngress 2007
     • File System Forensic Analysis, Brian Carrier, Addison-Wesley 2005
     • Rootkits, Greg Hoglund and James Butler, Addison-Wesley 2006
