1 / 53

Extracting Evidence from a Life System: Volatility Analysis Toolkit

Learn advanced computer forensic techniques for extracting evidence from volatile data in Windows systems. Plan investigations, create response toolkits, and store obtained data securely. Detect and delete Trojans using specialized tools.

yfields
Download Presentation

Extracting Evidence from a Life System: Volatility Analysis Toolkit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. COEN 250 Computer Forensics Windows Life Analysis

  2. Extracting Evidence from a Life System Degrees of Volatility of Data. • Gathering more volatile data versus • Safer forensics procedures.

  3. Extracting Evidence from a Life System • Plan investigation. • Evidence gathering differs: • Unacceptable web-surfing. • Intellectual property rights theft. • Compromised system.

  4. Extracting Evidence from a Life System • Response Toolkit • Collection of Trusted Tools. • Stored on removable media. • Floppies • CD

  5. Response Toolkit • Determine the tools needed. • Create Toolkit. • Check dependencies on DLL and other files. Include those in toolkit. • Include file authentication tool such as MD5.

  6. Response Toolkit: cmd.exe Built-in command prompt.

  7. Response Toolkit netstat • Enumerates all listening ports and all connections to those ports. Suspicious connection? (No, windows messenger.)

  8. Response Toolkit rasusers • Which users have remote access privileges on the target system.

  9. Response Toolkit Fport • Finds open TCP/IP and UDP ports and maps them to the owning application

  10. Response Toolkit: pslist

  11. Resource Tools ListDLLs

  12. Resource Toolkit: nbtstat

  13. Resource Toolkit: arp

  14. Resource Toolkit: kill • Get it from the Windows NT Resource Kit. • Terminates processes via process number.

  15. Recourse Toolkit: md5sum • Creates MD5 hashes for a file.

  16. Resource Toolkit: PsLogList • Dumps the event log list.

  17. Resource Toolkit: PsInfo Local System built.

  18. Remote Toolkit: PsFile

  19. Remote Toolkit: PsLoggedOn

  20. Resource Toolkit: PsService

  21. Resource Toolkit: regdump

  22. Preparing the Toolkit • Label the toolkit. • Check for dependencies with Filemon. • Lots of dependencies => lots of MAC changes. • Create an MD5 of the toolkit. • Write protect any floppies.

  23. Storing Obtained Data • Save data on the hard drive of target.  (Modifies System.) • Record data by hand.  • Save data on removable media.  • Includes USB storage. • Save data on a remote system with netcat or cryptcat. 

  24. Storing Obtained Data with netcat • Quick on, quick off target system. • Allows offline review. • Establish a netcat listener on the forensic workstation. Redirect into a file. • Establish a netcat funneler on the target system to the forensic workstation. • Cryptcat does the same, but protects against sniffing.

  25. Obtaining Volatile Data Store at least • System date and time. • List of current users. • List of current processes. • List of currently open sockets. • Applications listed on open socket. • List of systems with current or recent connections to the system.

  26. Obtaining Volatile Data: Procedure • Execute a trusted cmd.exe • Record system time and date. • Determine who is logged on. • Record file MAC. • Determine open ports. • List all apps associated with open ports.

  27. Obtaining Volatile Data: Procedure • List all running processes. • List current and recent connections. • Record the system time and date. • Document the commands used during initial response.

  28. Recording System Time

  29. Determining Logons

  30. Determining File MAC

  31. Determining Open Ports

  32. Listing Applications with Open Ports

  33. Listing all running processes

  34. List current connections

  35. List current connections

  36. Documenting history

  37. Scripting the response

  38. Scripting the response

  39. Examples • Use Fport to look at open ports. • Use a list of ports to find suspicious ports, i.e. those used by known Trojans, sniffers or spyware. www.doshelp.com/trojanports.htm

  40. Examples • If at your home system, fport shows a suspicious port use and netstat shows a current connection to this port, then kill the process.

  41. Examples • Knowing what processes are running does not do you any good. • You need to know what they are doing. • At least, know the typical processes.

  42. Examples • Access the registry with RegDump • Then study it with regedit on the forensic system.

  43. Examples Assume generic monitoring of systems. Look for • Unusual resource utilization or process behavior. • Missing processes. • Added processes. • Processes with unusual user identification.

  44. Examples • The windows task manager can be very helpful.

  45. Examples: Detecting and Deleting Trojans • Use port scanning tools, either on host machine or remote machine. • Fport (Windows) • Superscan (Windows) • Nmap • netstat (for open connections)

  46. Examples: Detecting and Deleting Trojans • Identify the Trojan on the disk. • Find out how it is being initiated and prevent the process. • Reboot the machine and delete the Trojan.

  47. Example • Run superscan on local host to check for open ports. • What is happening at port 5000?

  48. Example Port 5000?

  49. Example • Run fport. • Connected to process 1260.

  50. Example • Use pllist to find out what this is. • Connected to a process called svchost.

More Related