Live Data Collection from Windows System - PowerPoint PPT Presentation
Presentation Transcript

  1. Live Data Collection from Windows System

  2. Outline
  • Preface
  • Creating a Response Toolkit
  • Storing Information Obtained during the Initial Response
  • Obtaining Volatile Data
  • Performing an In-Depth Live Response

  3. Outline
  • Preface
  • Creating a Response Toolkit
  • Storing Information Obtained during the Initial Response
  • Obtaining Volatile Data
  • Performing an In-Depth Live Response

  4. Preface
  • The goal of an initial response:
    • Confirm there is an incident
    • Retrieve the system’s volatile data
  • OS:
    • Windows NT/2000/XP

  5. Outline
  • Preface
  • Creating a Response Toolkit
  • Storing Information Obtained during the Initial Response
  • Obtaining Volatile Data
  • Performing an In-Depth Live Response

  6. What is important
  • Don’t affect any potential evidence
  • Prepare a complete response toolkit
  • A live investigation is not the time to create or test your toolkit for the first time!

  7. The Utility (I)

  8. The Utility (II)

  9. Preparing the Toolkit
  • Label the response toolkit media with:
    • Case number
    • Time and date
    • Name of the investigator who created the response media
    • Name of the investigator using the response media

  10. Preparing the Toolkit
  • Check for dependencies with Filemon
    • Determine which DLLs and files your response tools depend on
  • Create a checksum for the response toolkit
    • md5sum
  • Write-protect any toolkit floppies

  11. Outline
  • Preface
  • Creating a Response Toolkit
  • Storing Information Obtained during the Initial Response
  • Obtaining Volatile Data
  • Performing an In-Depth Live Response

  12. Prelim
  • “Live”: the system is powered on
  • Four options for where to put information retrieved from a live system:
    • The hard drive of the target system
    • In a notebook
    • Response floppy disk or other removable media
    • Remote forensic system using netcat or cryptcat

  13. Transferring Data with netcat
  • Two advantages:
    • Get on and off the target system quickly
    • Perform an offline review

  14. Transferring Data with netcat
  [Diagram: NT System sending output to Forensic System]
  • 1: Run trusted commands on the NT server (time, date, loggedon, fport, pslist, nbtstat -c)
  • 2: Send output to the forensics box via netcat
  • 3: Perform an off-line review; md5sum the output files

  15. Transferring Data with netcat
  • Forensic workstation
  • Target system

  16. Encrypting Data with cryptcat
  • Has the same syntax and functions as the netcat command
  • A sniffer cannot compromise the information you obtain
  • Eliminates the risk of contamination or injection of data
  • Two-man integrity rule

  17. Outline
  • Preface
  • Creating a Response Toolkit
  • Storing Information Obtained during the Initial Response
  • Obtaining Volatile Data
  • Performing an In-Depth Live Response

  18. Collect the important information
  • At minimum, collect this volatile data prior to forensic duplication:
    • System date and time
    • A list of the users who are currently logged on
    • Time/date stamps for the entire file system
    • A list of the currently running processes
    • A list of the currently open sockets
    • The applications listening on open sockets
    • A list of the systems that have current or recent connections to the system

  19. Organizing and Documenting Your Investigation

  20. Collecting Volatile Data
  • Top-ten list of the steps to use for data collection:
    • Execute a trusted cmd.exe
    • Record the system time and date
    • Determine who is logged in to the system (and remote-access users, if applicable)
      • PsLoggedOn
      • rasusers
    • Record modification, creation, and access times of all files
      • dir /?

  21. Collecting Volatile Data
    • Determine open ports
      • netstat
    • List applications associated with open ports
      • Fport
      • winpop.exe: NetBus trojan
      • windll.exe: GirlFriend trojan
    • List all running processes
      • PsList
    • List current and recent connections
      • netstat
      • arp
      • nbtstat

  22. Collecting Volatile Data
    • Record the system time and date
      • Sandwich your data-retrieval commands between time and date commands
    • Document the commands used during initial response
      • doskey /history
      • Scripting your initial response
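The top-ten list on slides 20 to 22 as one scripted initial response, streamed to the forensic workstation over netcat in the manner of slides 13 to 15. This is an added example, not a script from the original deck; it assumes the trusted toolkit sits on the write-protected floppy A:, that the forensic workstation is 192.0.2.10 listening on TCP 2222, and that the case is labelled case001 (all three are constructed placeholders).

```batch
@echo off
REM Added example: scripted initial response for an NT/2000/XP host.
REM Start it from the trusted shell on the toolkit media, never the target's own cmd.exe:
REM     A:\cmd.exe /c A:\response.bat
REM The forensic workstation is already listening and hashes the result afterwards:
REM     nc -l -p 2222 > case001-live.txt
REM     md5sum case001-live.txt > case001-live.md5
REM IP address, port and case label below are placeholders.
set TOOLS=A:
set FORENSIC_IP=192.0.2.10
set FORENSIC_PORT=2222
set CASE=case001

REM Everything inside the block runs on the target; stdout and stderr go into one
REM netcat stream, so nothing is written to the target's hard drive.
(
  echo ===== %CASE% initial response START =====
  REM Step 2: open the time/date sandwich
  date /t
  time /t
  REM Step 3: who is logged on locally and via remote access
  %TOOLS%\psloggedon.exe
  %TOOLS%\rasusers.exe
  REM Step 4: access, write and creation times for every file, one pass per time field
  dir /t:a /a /s /o:d C:\
  dir /t:w /a /s /o:d C:\
  dir /t:c /a /s /o:d C:\
  REM Steps 5, 6 and 8: open ports, current connections, and the processes bound to them
  %TOOLS%\netstat.exe -an
  %TOOLS%\fport.exe
  REM Step 7: running processes
  %TOOLS%\pslist.exe
  REM Step 8: recent connections still in the ARP and NetBIOS name caches
  %TOOLS%\arp.exe -a
  %TOOLS%\nbtstat.exe -c
  REM Step 9: close the sandwich. Step 10 is satisfied by this file itself:
  REM the script is the record of exactly which commands were run, in which order.
  time /t
  date /t
  echo ===== %CASE% initial response END =====
) 2>&1 | %TOOLS%\nc.exe %FORENSIC_IP% %FORENSIC_PORT%
```

Compare the md5sum computed on the forensic workstation against the one recorded in the case notes before any off-line review, so later edits to the capture cannot go unnoticed.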

  23. Outline
  • Preface
  • Creating a Response Toolkit
  • Storing Information Obtained during the Initial Response
  • Obtaining Volatile Data
  • Performing an In-Depth Live Response

  24. Don’t affect your system
  • Find evidence and properly remove rogue programs without disrupting any services

  25. Creating an In-Depth Response Toolkit

  26. Collecting Live Response Data
  • Two key sources of evidence on Windows NT/2000:
    • The event logs
    • The Registry
  • Four approaches that yield a great deal of information:
    • Review the event logs
    • Review the Registry
    • Obtain system passwords
    • Dump system RAM

  27. Review the event logs
  • auditpol
  • NTLast
  • dumpel

  28. Successful logons

  29. Enumerate failed console logons

  30. List all successful logons from remote systems

  31. Review the Registry
  • regdump
    • Creates an enormous text file of the Registry
  • reg query
    • Extracts just the Registry key values of interest
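The event-log and Registry review of slides 27 to 31 as a second script for the in-depth response, using the same toolkit-media and netcat conventions as the initial response. This is an added example, not from the original deck; the NTLast switches mapped to the three logon views of slides 28 to 30, the specific autostart keys queried, and the A: drive, IP address and port are all assumptions of this example.

```batch
@echo off
REM Added example: in-depth live response, event logs and Registry only.
REM Run from the trusted toolkit shell, A:\cmd.exe, with output streamed to the
REM forensic workstation, which listens with:  nc -l -p 2223 > case001-indepth.txt
REM IP address, port and case label are placeholders.
set TOOLS=A:
set FORENSIC_IP=192.0.2.10
set FORENSIC_PORT=2223
set CASE=case001

(
  echo ===== %CASE% in-depth response START =====
  date /t
  time /t
  REM Is logon auditing enabled at all? If not, the Security log will be silent
  REM and an empty NTLast result means nothing.
  %TOOLS%\auditpol.exe
  REM NTLast: the three views on slides 28 to 30, assumed switch mapping:
  REM   -s     successful logons
  REM   -f -i  failed interactive, i.e. console, logons
  REM   -r     successful logons from remote systems
  %TOOLS%\ntlast.exe -s
  %TOOLS%\ntlast.exe -f -i
  %TOOLS%\ntlast.exe -r
  REM dumpel: the raw Security-log records behind those views, tab separated.
  REM 528 = successful logon, 529 = failed logon, 540 = successful network logon
  %TOOLS%\dumpel.exe -l security -e 528 529 540 -t
  REM reg query instead of regdump: only the keys of interest. The autostart
  REM locations are where a rogue program most often arranges to survive a reboot.
  %TOOLS%\reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  %TOOLS%\reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  %TOOLS%\reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
  %TOOLS%\reg.exe query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
  time /t
  date /t
  echo ===== %CASE% in-depth response END =====
) 2>&1 | %TOOLS%\nc.exe %FORENSIC_IP% %FORENSIC_PORT%
```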

  32. Obtaining System Passwords
  • pwdump3e
    • Dumps the passwords from the Security Accounts Manager (SAM) database

  33. Dumping System RAM
  • userdump.exe (MS OEM Support Tools)
  • Two types of memory:
    • User mode (application) memory
    • Full-system memory