COEN 250 Computer Forensics: Windows Live Analysis

Extracting Evidence from a Live System. Degrees of volatility of data. The trade-off: gathering more of the volatile data versus following safer forensic procedures.

Extracting Evidence from a Live System. A live examination is done to quickly assess the situation and confirm the incident, and to retrieve volatile data such as network connections, running processes, etc.

Extracting Evidence from a Live System. The initial response must not destroy potential evidence. Use only trusted tools from a response toolkit. Document results: in a notebook, on the hard drive of the target system, on removable media connected to the target, or on another system using netcat or cryptcat.

Extracting Evidence from a Live System. Plan the investigation. Evidence gathering differs according to the incident: unacceptable web surfing, intellectual property theft, compromised system.

Extracting Evidence from a Live System. Response toolkit: a collection of trusted tools stored on removable media: floppies (write-protected), CD, thumb drive (write-protected).

Response Toolkit. Determine the tools needed. Create the toolkit. Check each tool's dependencies on DLLs and other files and include those in the toolkit. Include a file authentication tool such as MD5.

Response Toolkit: cmd.exe. The built-in command prompt.

Response Toolkit: netstat. Enumerates all listening ports and all connections to those ports. Suspicious connection? (No, Windows Messenger.)

Response Toolkit: rasusers. Shows which users have remote access privileges on the target system.

Response Toolkit: Fport. Finds open TCP and UDP ports and maps them to the owning application.

Response Toolkit: pslist

Response Toolkit: ListDLLs

Response Toolkit: nbtstat

Response Toolkit: arp

Response Toolkit: kill. From the Windows NT Resource Kit; terminates processes by process ID.

Response Toolkit: md5sum. Creates the MD5 hash of a file.

Response Toolkit: PsLogList. Dumps the event log.

Response Toolkit: PsInfo. Local system build information.

Response Toolkit: PsFile

Response Toolkit: PsLoggedOn

Response Toolkit: PsService

Response Toolkit: regdump

Preparing the Toolkit. Label the toolkit. Check for dependencies with Filemon: lots of dependencies mean lots of MAC-time changes on the target. Create an MD5 of the toolkit. Write-protect any floppies.

Storing Obtained Data. Save data on the hard drive of the target (modifies the system). Record data by hand. Save data on removable media, including USB storage. Save data on a remote system with netcat or cryptcat.

Storing Obtained Data with netcat. Quick on, quick off the target system; allows offline review. Establish a netcat listener on the forensic workstation and redirect its output into a file. Establish a netcat funneler on the target system that sends to the forensic workstation. Cryptcat does the same but protects against sniffing.

Obtaining Volatile Data. Store at least: the system date and time; the list of current users; the list of current processes; the list of currently open sockets; the applications listening on the open sockets; the list of systems with current or recent connections to the system.

Obtaining Volatile Data: Procedure. Execute a trusted cmd.exe. Record the system time and date. Determine who is logged on. Record file MAC times. Determine open ports. List all applications associated with open ports.

Obtaining Volatile Data: Procedure. List all running processes. List current and recent connections. Record the system time and date again. Document the commands used during the initial response.

Recording System Time

Determining Logons

Determining File MAC

Determining Open Ports

Listing Applications with Open Ports

Listing all running processes

List current connections

Documenting history

Scripting the response
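The procedure on the preceding slides, scripted as one batch file. This is an added example and not a script from the original slides; it assumes (none of which the slides state) that it sits on the write-protected toolkit media next to the tools, that md5sum hashes of the toolkit were saved as toolkit.md5 during preparation, and that FWS_IP and FWS_PORT are placeholders for the forensic workstation running the netcat listener. The dir lines restrict the MAC-time capture to %SystemRoot%\system32; the slides do not say which directories to record.

```batch
@echo off
rem Added example, not part of the original slides: a first-response script
rem that carries out the "Obtaining Volatile Data" procedure from a trusted
rem cmd.exe and funnels everything to a netcat listener on the forensic
rem workstation, so nothing is written to the target's disk.
rem Assumptions (not from the slides): the script lives on the write-protected
rem toolkit media next to the tools, so %~dp0 is the toolkit directory; the
rem toolkit was hashed during preparation into toolkit.md5 (md5sum format);
rem FWS_IP and FWS_PORT are placeholders for the forensic workstation.
rem
rem On the forensic workstation, start the listener first, redirected to a file:
rem     nc -l -p 2222 > TARGET-response.txt

setlocal
set TOOLS=%~dp0
set FWS_IP=192.0.2.10
set FWS_PORT=2222

rem Run from the toolkit directory so every tool name resolves to the trusted
rem copy, never to a binary on the possibly compromised target.
cd /d "%TOOLS%"

rem Refuse to run if any toolkit file no longer matches its prepared hash.
md5sum.exe -c toolkit.md5 >nul 2>&1 || (
    echo Toolkit integrity check failed, aborting.
    exit /b 1
)

rem Everything inside the parentheses goes down one netcat connection.
rem No parentheses inside the block: cmd.exe would read ")" as its end.
(
    echo ===== Initial response on %COMPUTERNAME% as %USERNAME% =====
    echo --- System date and time at start ---
    date /t
    time /t
    echo --- Logged-on users ---
    psloggedon.exe
    echo --- Users with remote access rights ---
    rasusers.exe
    echo --- File MAC times of %SystemRoot%\system32, newest last ---
    echo [access times]
    dir /t:a /a /o:d %SystemRoot%\system32
    echo [modification times]
    dir /t:w /a /o:d %SystemRoot%\system32
    echo [creation times]
    dir /t:c /a /o:d %SystemRoot%\system32
    echo --- Open ports and owning applications ---
    fport.exe /p
    echo --- Current connections ---
    netstat.exe -an
    echo --- Running processes and their loaded DLLs ---
    pslist.exe
    listdlls.exe
    echo --- Recent peers: NetBIOS name cache and ARP table ---
    nbtstat.exe -c
    arp.exe -a
    echo --- Commands used during this response ---
    doskey /history
    echo --- System date and time at end ---
    date /t
    time /t
) | nc.exe %FWS_IP% %FWS_PORT%

endlocal
```

The time and date are recorded at both ends so the evidence file brackets the whole collection, and the doskey history near the end is the "document the commands used" step of the slides. Extending the dir lines with /s over the whole volume records more MAC times at the cost of a far longer run on the live target.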

Examples. Use Fport to look at open ports. Use a list of ports to find suspicious ones, e.g. those used by known Trojans, sniffers or spyware.

Examples. If, on your home system, fport shows a suspicious port in use and netstat shows a current connection to this port, then kill the process.

Examples. Knowing what processes are running does not by itself do you any good; you need to know what they are doing. At the very least, know the typical processes.

Examples. Access the registry with RegDump, then study the dump with regedit on the forensic system.

Examples. Assume generic monitoring of systems. Look for unusual resource utilization or process behavior, missing processes, added processes, and processes running under an unusual user identity.

Examples. The Windows Task Manager can be very helpful.

Examples: Detecting and Deleting Trojans. Use port scanning tools, either on the host machine or from a remote machine: Fport (Windows), SuperScan (Windows), Nmap, netstat (for open connections).

Examples: Detecting and Deleting Trojans. Identify the Trojan on the disk. Find out how it is being started and prevent the process from starting. Reboot the machine and delete the Trojan.

Example. Run SuperScan against the local host to check for open ports. What is happening at port 5000?

Example Port 5000?

Example. Run fport: port 5000 belongs to process 1260.

Example. Use pslist to find out what this is: process 1260 is called svchost.

Example. Do an internet search on svchost: the process checks the services portion of the registry to start services that need to run. Use tasklist /svc in a command prompt to see which services this instance hosts.

Example. Nothing serious here. At least not on the surface.
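The port-to-process chain of the last few slides (SuperScan shows a port, fport gives the PID, pslist names the process, tasklist /svc lists the services it hosts), scripted so the same question can be asked for any port. This is an added example, not a script from the original slides; it assumes that fport.exe and pslist.exe sit in the toolkit directory the script runs from, and that tasklist.exe with /svc and /fi is available, which requires Windows XP Professional or later.

```batch
@echo off
rem Added example, not from the slides: answer "what is behind port N?" the
rem way the slides do by hand, with fport, pslist and tasklist /svc.
rem Assumptions (not from the slides): fport.exe and pslist.exe sit in the
rem toolkit directory this script runs from; tasklist.exe with /svc and /fi
rem is available, which needs Windows XP Professional or later.
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 PORT
    exit /b 1
)
set PORT=%~1
set OWNER=
cd /d "%~dp0"

rem fport prints one line per open port, for example:
rem   1260  svchost        ->  5000  TCP   C:\WINNT\system32\svchost.exe
rem Tokens: 1=Pid 2=Process 3="->" 4=Port 5=Proto. The regex requires the port
rem to be followed by the protocol column, so a PID equal to PORT cannot match.
for /f "tokens=1,2,4,5" %%a in ('fport.exe ^| findstr /R /C:" %PORT%  *[TU][CD]P "') do (
    echo Port %%c/%%d is owned by PID %%a, process %%b
    set OWNER=%%a
)

if not defined OWNER (
    echo fport reports no process owning port %PORT%.
    exit /b 0
)

rem The pslist line for that PID: process name first, PID as the second column.
echo --- pslist entry for PID %OWNER% ---
pslist.exe | findstr /R /C:"^[^ ][^ ]*  *%OWNER% "

rem A generic host such as svchost says nothing by itself; tasklist /svc shows
rem which services it is hosting, and those are what has to be judged.
echo --- Services hosted by PID %OWNER% ---
tasklist /svc /fi "PID eq %OWNER%"
endlocal
```

Run as `whatport.cmd 5000` from the toolkit prompt. When a port is open over both TCP and UDP the loop prints both lines and the service listing is shown for the last PID found.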