
COEN 250 Computer Forensics


Presentation Transcript


  1. COEN 250 Computer Forensics Windows Live Analysis

  2. Extracting Evidence from a Live System Degrees of volatility of data: • Gathering the more volatile data first versus • Safer forensics procedures.

  3. Extracting Evidence from a Live System Live examination is done: • To quickly assess the situation • Confirmation of the incident. • To retrieve volatile data • Such as network connections, running processes, etc.

  4. Extracting Evidence from a Live System Initial response must not destroy potential evidence. • Use only trusted tools from a response toolkit. • Document results to: • Notebook • Hard drive of the target system • Removable media connected to the target system • Another system, using netcat or cryptcat

  5. Extracting Evidence from a Live System • Plan the investigation. • Evidence gathering differs according to the incident: • Unacceptable web surfing. • Intellectual property theft. • Compromised system.

  6. Extracting Evidence from a Live System • Response Toolkit • Collection of trusted tools. • Stored on removable media. • Floppies (write-protected) • CD • Thumb drive (write-protected)

  7. Response Toolkit • Determine the tools needed. • Create the toolkit. • Check dependencies on DLLs and other files. Include those in the toolkit. • Include a file authentication (hashing) tool such as md5sum.

  8. Target Volatile Information • Volatile Information generally consists of: • System time • Logged on users • Process information • Network connections • Network status • Clipboard contents • Command history • Service / driver information

  9. Tools A collection of free tools

  10. Response Toolkit: cmd.exe Built-in command prompt should be included in the toolkit.

  11. Response Toolkit • Tool Collection • System & Time • Logged on Users • Process Information • Network and Port Information

  12. Response Toolkit: Time and date • Built-in: • date /t • time /t • Systeminfo.exe gives uptime with a lot of other details. • Perl (scalar context gives the readable string instead of the nine-element list): • print scalar localtime(time), "\n";

  13. Response Toolkit • Logged on / remotely logged on users: • PsLoggedOn (see below) • Netusers from Somarsoft • Net session (native to windows) • rasusers (see below)

  14. Response Toolkit rasusers • Lists which users have remote access privileges on the target system.

  15. Response Toolkit PsLoggedOn

  16. Response Toolkit • Process Information

  17. Response Toolkit • Pulist (from resource kit) • PsList

  18. Response Toolkit • ListDLL

  19. Response Toolkit Handle gives all handles

  20. Response Toolkit Tlist is part of the Microsoft debugging tools.

  21. Response Toolkit • Cmdline from Diamond CS displays all processes with their arguments.

  22. Response Toolkit PmDump dumps memory of a process.

  23. Response Toolkit • dd for windows dumps the contents of main memory into a file.

  24. Response Toolkit Clipboard contents can be dumped with a small Perl script: use Win32::Clipboard; my $clip = Win32::Clipboard(); print $clip->Get(), "\n";

  25. Response Toolkit • Doskey /history

  26. Response Toolkit • SC.exe communicates with the NT Service Controller

  27. Response Toolkit • Windows has “protected storage”. • Used to store authentication data, … • Use PStoreView to access it.

  28. Response Toolkit • PsService views services:

  29. Response Toolkit • PsInfo contains interesting system data including the uptime

  30. Resource Toolkit: kill • Get it from the Windows NT Resource Kit. • Terminates processes by process ID (PID).

  31. Response Toolkit • Network and Port Information

  32. Response Toolkit netstat • Enumerates all listening ports and all connections to those ports.

  33. Response Toolkit Fport • Finds open TCP/IP and UDP ports and maps them to the owning application

  34. Response Toolkit ipconfig

  35. Response Toolkit • Promiscdetect • Figures out whether network card is in promiscuous mode.

  36. Resource Toolkit: nbtstat

  37. Response Toolkit • psfile

  38. Response Toolkit • openports

  39. Resource Toolkit: arp

  40. Resource Toolkit: md5sum • Creates MD5 hashes for a file.

  41. Resource Toolkit: PsLogList • Dumps the event log list.

  42. Resource Toolkit: PsInfo shows the local system build.

  43. Remote Toolkit: PsFile

  44. Resource Toolkit: PsService

  45. Resource Toolkit • Analyzing files • String.exe • Bintext.exe • Dependency Walker • File Date Time Extractor for Windows Word • …

  46. Resource Toolkit: regdump

  47. Accessing Important Files • Files such as logs contain valuable data. • Before accessing a file, safeguard its MAC times: • Use Perl's stat function • Use the dir command three times (last write, last access, creation): • C:\>dir /tw c:\windows\system32\svchost.exe • C:\>dir /ta c:\windows\system32\svchost.exe • C:\>dir /tc c:\windows\system32\svchost.exe • On NTFS, also preserve the owner and permissions of the file with appropriate tools.

  48. Accessing Important Files • Recycle Bin • Exists in the root of each drive as a hidden directory • To see contents: • Go to the root of the drive • Type dir /ah and go to the recycler directory

  49. Accessing Important Files • Recycle Bin

  50. Accessing Important Files • Recycle Bin • The directories listed are the SIDs of the local users on the system. • There is a hidden file called INFO2 that records the move of each file into the recycle bin. • Rifiuti (Foundstone) will parse the file.
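As an added example (not code from the slides or from Rifiuti), a Python parser for the INFO2 index described on slide 50, so the record fields an examiner recovers from it are visible: original path, drive, deletion time, size on disk, and whether the entry was later restored or purged. The header and record offsets are assumed from public analyses of the Windows 2000/XP format, and the sample bytes are constructed inline.

```python
import ntpath
import struct
from datetime import datetime, timedelta, timezone

HEADER_LEN = 20                       # assumed header size; record size sits at offset 12
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_info2(data):
    """Return one dict per record of an INFO2 blob (800-byte Unicode records assumed)."""
    rec_size = struct.unpack_from("<I", data, 12)[0] if len(data) >= HEADER_LEN else 0
    if rec_size < 280:
        raise ValueError("not an INFO2 file (record size %d)" % rec_size)
    records, off = [], HEADER_LEN
    while off + rec_size <= len(data):
        # 260-byte ANSI path, record index, drive number (0 = A:), FILETIME, size on disk
        ansi, index, drive, ft, size = struct.unpack_from("<260sIIQI", data, off)
        path = data[off + 280:off + 800].decode("utf-16-le", "replace") if rec_size >= 800 else ""
        path = path.split("\x00", 1)[0] or ansi.split(b"\x00", 1)[0].decode("latin-1")
        letter = chr(ord("A") + drive)
        records.append({
            "index": index,
            "drive": letter + ":",
            "original_path": path,
            # name the file carries inside the per-SID RECYCLER directory: D<drive><index><ext>
            "bin_name": "D%s%d%s" % (letter.lower(), index, ntpath.splitext(path)[1]),
            "deleted_utc": filetime_to_datetime(ft),
            "size": size,
            # a zeroed first ANSI byte marks a record whose file was later restored or purged
            "removed_from_bin": ansi[:1] == b"\x00",
        })
        off += rec_size
    return records

def build_record(path, index, drive, deleted_utc, size, removed=False):
    """Constructed 800-byte record for the sample below (not from a real system)."""
    ticks = ((deleted_utc - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    ansi = path.encode("latin-1").ljust(260, b"\x00")
    if removed:
        ansi = b"\x00" + ansi[1:]
    uni = path.encode("utf-16-le").ljust(520, b"\x00")
    return struct.pack("<260sIIQI", ansi, index, drive, ticks, size) + uni

# Constructed sample: XP-style header (version 5, 800-byte records) plus two records
T1 = datetime(2004, 3, 15, 12, 30, tzinfo=timezone.utc)
T2 = datetime(2004, 3, 16, 9, 5, tzinfo=timezone.utc)
SAMPLE_INFO2 = (struct.pack("<IIIII", 5, 0, 0, 800, 0)
                + build_record("C:\\Docs\\payroll.xls", 1, 2, T1, 24576)
                + build_record("D:\\tmp\\notes.txt", 2, 3, T2, 4096, removed=True))
```

Run parse_info2 on the bytes of a real INFO2 copied off the evidence drive; a record whose removed_from_bin flag is set still holds its path and deletion time even though the file itself is no longer in the bin.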
