Jai, 2004. Incident Response & Computer Forensics, Chapter 5: Live Data Collection from Windows Systems. Information Networking Security and Assurance Lab, National Chung Cheng University

Outline
- Preface
- Creating a Response Toolkit
- Storing Information Obtained during the Initial Response
- Obtaining Volatile Data
- Performing an In-Depth Live Response


Preface
The goal of an initial response:
- Confirm that there is an incident
- Retrieve the system's volatile data
Operating systems covered: Windows NT/2000/XP

Outline (current section: Creating a Response Toolkit)

Preface
Do not affect any potential evidence: prepare a complete response toolkit in advance.
A live investigation is not the time to create or test your toolkit for the first time!

Creating a Response Toolkit
Tools, what each one provides, and where it comes from (Built in = ships with Windows NT/2000/XP; NTRK = NT Resource Kit; blank = third-party download whose URL did not survive the transcript).

Tool         What it does                                                                   Source
cmd.exe      The command prompt for Windows NT/2000/XP                                      Built in
PsLoggedOn   Shows all users connected locally and remotely
rasusers     Shows which users have remote-access privilege on the target system            NTRK
netstat      Enumerates all listening ports and all current connections to those ports      Built in
Fport        Enumerates all processes that have opened TCP/IP ports on Windows NT/2000/XP
PsList       Enumerates all running processes on the target system
ListDLLs     Lists all running processes with their command-line arguments and loaded DLLs
nbtstat      Lists the recent NetBIOS connections (approximately the last 10 minutes)       Built in
arp          Shows the MAC addresses of the systems the target has been communicating with  Built in
kill         Terminates a process                                                           NTRK
md5sum       Creates MD5 hashes for a given file
rmtshare     Displays the shares accessible on a remote machine                             NTRK
netcat       Creates a communication channel between two systems
cryptcat     Creates an encrypted (Twofish) channel of communication; same syntax as netcat
PsLogList    Dumps the contents of the event logs
ipconfig     Displays interface configuration information                                   Built in
PsInfo       Collects information about the local system
PsFile       Shows files that are opened remotely
PsService    Lists and controls the installed services
auditpol     Displays the current security audit settings                                   NTRK
doskey       Displays the command history for an open cmd.exe shell                         Built in

Preparing the Toolkit
Label the response toolkit media with:
- Case number
- Time and date
- Name of the investigator who created the response media
- Name of the investigator using the response media

Preparing the Toolkit
- Check for dependencies with Filemon: determine which DLLs and files your response tools depend on (a tool that silently loads a DLL from the suspect system is only as trustworthy as that system)
- Create a checksum for the response toolkit with md5sum
- Write-protect any toolkit floppies

Outline (current section: Storing Information Obtained during the Initial Response)

Preface
"Live" means the system is powered on. Four options for storing the information retrieved from a live system:
- On the hard drive of the target system (least desirable: it overwrites potential evidence)
- In a notebook (handwritten notes)
- On the response floppy disk or other removable media
- On a remote forensic system, using netcat or cryptcat

Transferring Data with netcat
Two advantages:
- You get on and off the target system quickly
- You can perform the review offline, on the forensic workstation

Transferring Data with netcat (figure: NT system on the left, forensic system on the right)
1: Run trusted commands on the NT server (time, date, loggedon, fport, pslist, nbtstat -c, and so on)
2: Send the output to the forensic box via netcat
3: Perform the off-line review; md5sum the output files

Transferring Data with netcat (screenshot: forensic workstation listener and target system console)

Encrypting Data with cryptcat
- Same syntax and functions as the netcat command, with the channel encrypted
- A sniffer on the network cannot read the information you obtain
- Reduces the risk that an attacker on the wire contaminates or injects data into the transfer (encryption alone is not integrity protection, so still md5sum the output on the forensic side)
- Two-man integrity rule: a second investigator witnesses the collection

Outline (current section: Obtaining Volatile Data)

Preface
At a minimum, collect this volatile data prior to forensic duplication:
- System date and time
- A list of the users who are currently logged on
- Time/date stamps for the entire file system
- A list of the currently running processes
- A list of the currently open sockets
- The applications listening on open sockets
- A list of the systems that have current or recent connections to the system

Organizing and Documenting Your Investigation
Record every command in a table like the one on the slide (the MD5 values are truncated in the transcript and are kept as they appear):

Start Time  Command Line        Trusted  Untrusted  MD5 Sum of Output          Comments
12:15:22    type lmhosts | nc   X                   3d2e531d.655 3ee93e eef3
12:15:27    pslist | nc         X                   1ded672ba8b 2ebf5beef fe8
12:15:32    netstat -an | nc    X                   52285a efe eef3

Collecting Volatile Data
Top-ten list of steps for data collection:
1. Execute a trusted cmd.exe (from the response media, not from the suspect disk)
2. Record the system time and date (date /t, time /t)
3. Determine who is logged in to the system, and remote-access users if applicable: PsLoggedOn, rasusers
4. Record modification, creation, and access times of all files: dir /t:w, dir /t:c and dir /t:a, each with /a /s /o:d (see dir /? for the switches)
5. Determine open ports: netstat
6. List the applications associated with open ports: Fport (the slide's examples of what it reveals: winpop.exe, the Netbus trojan; windll.exe, the GirlFriend trojan)
7. List all running processes: PsList
8. List current and recent connections: netstat, arp, nbtstat
9. Record the system time and date again: sandwich your data-retrieval commands between time and date commands
10. Document the commands used during the initial response: doskey /history
Scripting your initial response makes the sequence repeatable and keeps you off the keyboard of the suspect system.
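The ten steps above, plus the netcat transfer from the preceding section, written as one response script. This is an added example, not a script from the slides or from the book: the drive letter A:, the tool directory A:\tools, the forensic workstation address 10.0.0.5 and the port 2222 are assumptions. The forensic workstation starts the listener first, the target pushes everything through a single connection, and the output is hashed on the forensic side.

```batch
@echo off
REM ir-volatile.bat: added example, not a script from the slides or the book.
REM Scripts the top-ten collection so the order is fixed, every run is the
REM same, and nothing unplanned is typed on the suspect system.
REM
REM Assumptions (none of these are on the original slides):
REM   * the response media is A: and the trusted tools are in A:\tools,
REM     including known-good copies of netstat, arp and nbtstat for this OS
REM   * the forensic workstation is 10.0.0.5 and, BEFORE this script runs,
REM     it started:  nc -l -p 2222 > volatile.txt   (or cryptcat -l -p 2222)
REM   * the script is started from the trusted shell on the media:
REM       A:\tools\cmd.exe /c A:\ir-volatile.bat
setlocal
set TOOLS=A:\tools
set FORENSIC=10.0.0.5
set PORT=2222
REM cmd.exe starts each side of a pipeline through %COMSPEC%. Point it at
REM the trusted copy so the pipe below does not execute the suspect's cmd.exe.
set COMSPEC=%TOOLS%\cmd.exe
set PATH=%TOOLS%

REM Everything inside the parentheses leaves through ONE netcat connection
REM (stderr included), so the responder is on the box only while the tools run.
REM The date/time lines at both ends are the "sandwich" from step 9.
(
  echo ===== START %COMPUTERNAME% =====
  date /t
  time /t

  echo ===== step 3: who is logged on =====
  %TOOLS%\psloggedon.exe
  %TOOLS%\rasusers.exe

  echo ===== step 4: access, write and creation times of every file =====
  dir /t:a /a /s /o:d c:\
  dir /t:w /a /s /o:d c:\
  dir /t:c /a /s /o:d c:\

  echo ===== steps 5-6: open ports and the processes that own them =====
  %TOOLS%\netstat.exe -an
  %TOOLS%\fport.exe

  echo ===== step 7: running processes and their DLLs =====
  %TOOLS%\pslist.exe
  %TOOLS%\listdlls.exe

  echo ===== step 8: current and recent connections =====
  %TOOLS%\arp.exe -a
  %TOOLS%\nbtstat.exe -c
  %TOOLS%\nbtstat.exe -S

  echo ===== step 10: commands typed in this shell =====
  doskey /history

  echo ===== END =====
  date /t
  time /t
) 2>&1 | %TOOLS%\nc.exe -w 5 %FORENSIC% %PORT%
endlocal
```

On the forensic side, run nc -l -p 2222 > volatile.txt (or cryptcat -l -p 2222 > volatile.txt with matching keys on both ends) before starting the script, then md5sum volatile.txt and copy the hash into the documentation table. Restart the listener for every collection: netcat exits when the sender closes the connection. Running the tools still changes the live system (process memory, NTFS access times, on XP the prefetch directory), which is exactly why the time sandwich and the hashes are recorded.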

Outline (current section: Performing an In-Depth Live Response)

Preface
The in-depth live response: find evidence and properly remove rogue programs without disrupting any services.

Creating an In-Depth Response Toolkit auditpolDetermin the audit policy on a system NTRK regDump specific information (keys) within the NT/2000 Registry NTRK regdumpDump the Registry as a text fileNTRK pwdump3eDump the SAM database so that the passwords can be cracked l NTLastMonitor successful and failed logons to a system SfindDetect files hidden within NTFS file streams AfindSearch a file system to determine files accessed during specific timeframes dumpelDump the NT/2000 event logsNTRK

Collecting Live Response Data
Two key sources of evidence on Windows NT/2000:
- The event logs
- The Registry
Four approaches that yield quite a bit of information:
- Review the event logs
- Review the Registry
- Obtain system passwords
- Dump system RAM

Review the event logs
- auditpol: check what is actually being audited before trusting an empty log
- NTLast: logon history from the Security log
- dumpel: dump the logs to text for offline review

Successful logons (screenshot of NTLast output, the default view)

Enumerate failed console logons (screenshot of NTLast -f -i output)

List all successful logons from remote systems (screenshot of NTLast -r output)

Review the Registry
- regdump: creates an enormous text file of the whole Registry
- reg query: extracts just the Registry key values of interest
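The event-log and Registry review from the last five slides as one added script (not from the slides or the book). The tool paths, the output directory A:\out and the choice of Registry keys are assumptions; the event IDs are the NT/2000/XP Security log values (528 successful logon, 529 bad user name or password, 540 successful network logon), which Vista and later renumbered.

```batch
@echo off
REM ir-indepth.bat: added example, not a script from the slides or the book.
REM Collects the two key evidence sources named on the slides, the event
REM logs and the Registry, and writes to the response media, never to the
REM suspect system's own disk.
REM
REM Assumptions (not on the original slides): trusted tools in A:\tools,
REM output in A:\out, and a Windows NT/2000/XP target, where the Security
REM log uses event 528 for a successful logon, 529 for a bad user name or
REM password and 540 for a successful network logon (Vista and later use
REM 4624/4625 instead).
setlocal
set TOOLS=A:\tools
set OUT=A:\out
set PATH=%TOOLS%
if not exist %OUT% mkdir %OUT%

REM 1. Audit policy first: an empty Security log means nothing without it.
%TOOLS%\auditpol.exe > %OUT%\auditpol.txt

REM 2. Event logs: full dumps of all three, then only the logon events.
%TOOLS%\dumpel.exe -l security    -f %OUT%\security.txt
%TOOLS%\dumpel.exe -l system      -f %OUT%\system.txt
%TOOLS%\dumpel.exe -l application -f %OUT%\application.txt
%TOOLS%\dumpel.exe -l security -e 528 529 540 -f %OUT%\logons.txt

REM 3. NTLast: the three views on the screenshot slides. Default output is
REM    successful logons; -f failed, -i interactive (console), -r remote.
%TOOLS%\ntlast.exe       > %OUT%\ntlast-success.txt
%TOOLS%\ntlast.exe -f -i > %OUT%\ntlast-failed-console.txt
%TOOLS%\ntlast.exe -r    > %OUT%\ntlast-remote.txt

REM 4. Registry: query the keys of interest (what starts at boot, what
REM    services exist) instead of a regdump of the whole hive.
set CV=HKLM\Software\Microsoft\Windows\CurrentVersion
%TOOLS%\reg.exe query "%CV%\Run"      > %OUT%\autostart.txt
%TOOLS%\reg.exe query "%CV%\RunOnce" >> %OUT%\autostart.txt
%TOOLS%\reg.exe query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" >> %OUT%\autostart.txt
%TOOLS%\reg.exe query "HKLM\System\CurrentControlSet\Services" > %OUT%\services.txt

REM 5. Hash every output file as it is written, so the MD5 column of the
REM    documentation table is filled before the media leaves the room.
REM    (.md5 extension so the hash file is not itself caught by the loop.)
for %%f in (%OUT%\*.txt) do %TOOLS%\md5sum.exe %%f >> %OUT%\md5sums.md5
endlocal
```

The reg query KEY form is accepted by both the NTRK reg.exe (NT4/2000) and the reg.exe built into XP; dumpel -e takes a short list of event IDs, so additional IDs (for example the other failure codes 530 through 537) go in separate runs. Compare the autostart output against the Fport and PsList results from the volatile collection: a listening process that is not in any Run key or service entry still has to be started by something.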

Obtaining System Passwords
pwdump3e: dumps the password hashes (LM and NTLM, not plaintext) from the Security Accounts Manager (SAM) database so they can be cracked offline

Dumping System RAM
userdump.exe (from the Microsoft OEM Support Tools)
Two types of memory:
- User-mode (application) memory: what userdump captures, one process at a time
- Full-system memory