Windows Forensics 24 Jan 2008 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator.

Agenda
- Forensics Background
- Operating Systems Review
- Select Windows Features
- Vectors and Payloads
- Forensics Process
- Forensics Tools
- Demonstration

Forensics Background
- Inspection of a computer system for evidence of:
  - crime
  - unauthorized use
- Evidence gathering/preservation techniques for admissibility in a court of law
- Consideration of the suspect's level of expertise
- Avoidance of data destruction or compromise

Operating System Review: What does an OS do?

Operating System Review: What does an OS do?
- starts itself
- low-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
- higher-level management of: file system, users, user interface, apps
- addresses issues of fairness, efficiency, data protection/access, workload balancing

Select Windows Features
- Kernel vs. User Mode
- Kernel features (architecture)
  - device drivers
  - installable file system
  - object security
- Services
- User accounts, passwords and privileged groups
- Security policies

Computing Devices: Simplistic
- Computing Device
  - takes some input
  - processes it (OS, services, applications)
  - provides some output
- Network connects the device
[Diagram: Data -> Computing Device (input/output) -> Hub]

Computing Devices: Reality
[Diagram: In: Human (K/M/touch, etc.), Data (Scanner/GPS); Out: Human (A/V); In/Out: Data (Storage Device, PC/Express Card, Network, Printer, etc.)]

Computing Devices: Connections
- removable media
  - floppy, CD/DVD, flash, microdrive
  - PC/Express Card
- wired
  - serial/parallel, USB, Firewire, IDE/SATA, SCSI/SAS
  - twisted pair
- wireless
  - radio (802.11, cellular, Bluetooth)
  - Infrared (IR)
  - Ultrasound

Vectors and Payloads
- Vector: route used to gain entry to the computer
  - via a device without human intervention
  - via an unsuspecting or willing person's actions
- Payload: what is delivered via the vector
  - malicious code
  - may be multiple payloads
  - spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.

Forensics Process
- Assess (after permission is granted)
  - determine how to approach affected system(s)
  - inspect physical environment
  - watch out for anti-forensics, booby-traps
  - consider how to stop computer processing
- Acquire
  - capture volatile data
  - copy hard drive
- Analyze

Volatile Data
- All of RAM, plus paging area
- Logged on users
- Processes (regular and services)
- Process memory
- Buffers
- Clipboard
- Network information (incoming and outgoing)
- Command history

Nonvolatile Data
- Partitions
- Files (hidden, streams)
- Registry keys
- Recycle Bin
- Scheduled tasks
- User account and group information
- Logs

What to Look For
- Know the baseline system: what to expect of a good system
- Malware footprint
  - in logs
  - on file system (changed dates/sizes, hidden)
  - in registry
  - in startup areas
  - in services list
  - in network connections
- Abnormality: function, performance, traffic patterns
- Cross-check with multiple tools

Microsoft Tools
- Basic
  - Prevent: Windows Update, Time Service, Routing and Remote Access, LocalService, NetworkService, Runas
  - Inspect: net user/group/localgroup, Active Directory Users and Groups, Event Viewer, EventCombMT, systeminfo, auditpol, Security Configuration Manager
  - Fix: Malicious Software Removal, Security Configuration Manager
- Network tools: netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig
- File: dir /ah, dir /od, dir /tc, findstr, cacls
- Services: net start/stop, sc, services.msc
- Process: tasklist, taskkill, schtasks
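A cross-check in the spirit of the "What to Look For" and "Microsoft Tools" slides, added here as an example and not part of the original deck: it correlates the owning PIDs in `netstat -anob` output with the `tasklist` process list and an assumed baseline of expected listeners, flagging a socket whose owner tasklist cannot see (a rootkit footprint) and listeners absent from the baseline. Both tool outputs are constructed samples in the real tools' layout, and the baseline set is an assumption.

```python
import re
# Constructed `netstat -anob` sample: owning PID per row, owning exe bracketed on the next line.
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2304
 [svch0st.exe]
  TCP    192.168.1.10:49202     203.0.113.5:6667       ESTABLISHED     3020
 [lsass.exe]
"""
# Constructed `tasklist` sample; PID 3020 is deliberately missing from it.
TASKLIST_SAMPLE = """\
System                           4 Services                   0        236 K
svchost.exe                    884 Services                   0      6,120 K
svch0st.exe                   2304 Console                    1     11,460 K
"""
# Assumed baseline of (port, image) TCP listeners expected on a clean system.
BASELINE_LISTENERS = {(135, "svchost.exe"), (445, "System")}
_CONN = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")
_OWNER = re.compile(r"^\s*\[(.+)\]\s*$")
_TASK = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")

def parse_netstat(text):
    """TCP rows as dicts; a bracketed owner line is attached to the row above it."""
    conns = []
    for line in text.splitlines():
        if m := _CONN.match(line):
            local, foreign, state, pid = m.groups()
            conns.append({"local": local, "foreign": foreign, "state": state, "pid": int(pid), "owner": None})
        elif (m := _OWNER.match(line)) and conns:
            conns[-1]["owner"] = m.group(1)
    return conns

def parse_tasklist(text):
    """Map PID -> image name from default `tasklist` output (names may contain spaces)."""
    return {int(m.group(2)): m.group(1).strip() for m in map(_TASK.match, text.splitlines()) if m}

def cross_check(netstat_text, tasklist_text, baseline):
    """Flag socket owners tasklist cannot see, and listeners that are not in the baseline."""
    procs, findings = parse_tasklist(tasklist_text), []
    for c in parse_netstat(netstat_text):
        image = procs.get(c["pid"])
        port = int(c["local"].rsplit(":", 1)[1])
        if image is None:  # socket owner invisible to tasklist: a classic rootkit footprint
            findings.append(f"hidden process: PID {c['pid']} ({c['owner']}) owns {c['local']}->{c['foreign']}")
        elif c["state"] == "LISTENING" and (port, image) not in baseline:
            findings.append(f"unexpected listener TCP/{port} owned by {image} (PID {c['pid']})")
    return findings
```

On a live system the two text inputs would be the captured output of `netstat -anob` and `tasklist`, saved during the Acquire step so the comparison can be repeated later against the same evidence.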

External Tools
- variety of Windows tools to monitor and analyze
- Helix
  - Windows tools
    - Windows Forensics Toolkit(TM)
    - trusted commands
    - RAM/disk imaging, password recovery tools
    - some tools from www.sysinternals.com
  - bootable to Knoppix with many file system tools

Advice for your systems:
- Prevent: update, monitor, block, isolate, backup
- Analyze: find vectors and payloads
- Recover: off-network restore, re-install or re-image; block vectors and/or payload effects before going on-network

References
- Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley, 2005
- Windows Forensic Analysis DVD Toolkit, Harlan Carvey, Syngress, 2007
- File System Forensic Analysis, Brian Carrier, Addison-Wesley, 2005
- Rootkits, Greg Hoglund and James Butler, Addison-Wesley, 2006