Mastering Windows Network Forensics and Investigation Chapter 10: Tool Analysis
December 1, 2015 © Wiley Inc All Rights Reserved
Chapter Topics:
- Purpose of tool analysis
- Tools & techniques
Purpose of Tool Analysis
- Understand the tool used by the attacker: what it does and how it works
- Understand the impact or damage done to the target system
- Be able to demonstrate later in court how the intrusion occurred
- Enables detailing of the damage done to the system and to connected systems
Tools & Techniques
- Run the suspect code through several antivirus / spyware detection tools first; a known signature saves analysis time, but a clean result does not prove the code is benign
- Strings: extracts and displays the plain-text (ASCII and Unicode) strings embedded in executables, DLLs, etc.; look for IP addresses, URLs, registry keys, file names and API names
- Dependency Walker: shows which modules (imported DLLs and functions) the attacker's code depends on; assists with understanding what the code is doing
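The following is an added example, not code from the book or from any of the tools it names. It does what the Strings step describes: pulls ASCII and UTF-16LE runs out of a binary blob (Windows executables carry most of their registry paths and messages as UTF-16LE, which a plain ASCII scan misses) and then tags the strings an analyst would read first: URLs, IP addresses, registry keys, autorun locations and network API names. The SAMPLE bytes are a constructed stand-in for a suspect binary, and the indicator list is an assumed starting set, not an exhaustive one.

```python
import re

# Runs of printable ASCII, and runs of printable ASCII interleaved with NUL
# bytes, which is how UTF-16LE text appears inside a PE file.
PRINTABLE = rb"[\x20-\x7e\t]"


def extract_strings(data: bytes, min_len: int = 4):
    """Return [(offset, encoding, text)] for every ASCII or UTF-16LE run of
    at least min_len characters, sorted by file offset."""
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    wide_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found, key=lambda item: item[0])


# Assumed starting set of indicators an analyst looks for in a string dump.
INDICATORS = {
    "url": re.compile(r"\b(?:https?|ftp)://\S+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry key": re.compile(r"\bHK(?:LM|CU|CR|U|CC)\\", re.I),
    "autorun key": re.compile(r"\\CurrentVersion\\Run\b", re.I),
    "network api": re.compile(
        r"\b(?:WSAStartup|connect|send|recv|InternetOpen\w*|URLDownloadToFile\w*)\b"),
}


def triage(strings):
    """Tag each extracted string with the indicator categories it matches;
    strings that match nothing are dropped from the report."""
    hits = []
    for offset, encoding, text in strings:
        cats = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if cats:
            hits.append((offset, encoding, text, cats))
    return hits


# Constructed stand-in for a suspect binary (not a real sample): a fake DOS
# header, imported API names, an FTP drop address and a UTF-16LE autorun
# registry path, separated by non-printable filler bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    + b"WSAStartup\x00connect\x00send\x00"
    + b"\x01\x02\x03"
    + b"ftp://203.0.113.10/upload\x00"
    + b"\x7f\x80\x81"
    + "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00\xff\xfe"
)

if __name__ == "__main__":
    for offset, encoding, text, cats in triage(extract_strings(SAMPLE)):
        print(f"{offset:#08x} {encoding:8} {', '.join(cats):26} {text}")
```

Run it against a real file with `extract_strings(open(path, "rb").read())`; raise `min_len` to cut noise from code bytes that happen to be printable, and remember that a string that is absent may simply be packed or encoded, which is exactly why the next slides run the code under monitoring.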
Tools & Techniques
- Monitor the code while it runs:
  - Create a clone system (VMware, Shadow Drive, restored copy)
  - Keep it in a sandbox: isolate it from the production network
  - Set up monitoring tools before the code is executed: Regmon, Filemon, InCtrl5 (Regmon and Filemon have since been merged into Sysinternals Process Monitor; InCtrl5 works by snapshotting the file system and registry before and after an install and reporting the differences)
Tools & Techniques
- Install live analysis tools: PsList, Netstat, Tasklist (tlist), Fport, Whoami
- Set up a network traffic monitoring tool (Wireshark)
- Use whatever tools you would use for a live response to analyze the impact and function of the bad code
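The InCtrl5 step above is a before/after comparison. As an added example, not code from the book or from InCtrl5 itself, the script below does the file-system half of that: snapshot every file under a root (path, size, SHA-256), let the suspect code run, snapshot again, and report what was added, deleted or modified. It builds a throwaway directory with a constructed "system" layout and simulates what dropped code typically does; on a real clone you would point `snapshot()` at the system drive. The registry half is the same diff over exported key/value pairs and is not shown.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to
    (size, sha256) so that content changes are caught, not just new files."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            state[rel] = (path.stat().st_size, digest)
    return state


def diff_snapshots(before, after):
    """Classify every path as added, deleted or modified between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def _write(root, rel, data):
    path = Path(root, rel)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)


def demo():
    """Constructed walk-through: baseline a fake system tree, simulate the
    effects of running a suspect binary, and return the resulting diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "Windows/System32/svchost.exe", b"MZ legit")
        _write(root, "Program Files/App/app.log", b"started\n")
        before = snapshot(root)

        # Simulated effects of the suspect code (constructed for this example):
        _write(root, "Windows/System32/svch0st.exe", b"MZ evil")        # dropped look-alike binary
        _write(root, "Windows/System32/drivers/etc/hosts",
               b"127.0.0.1 localhost\n127.0.0.1 update.example.com\n")  # hosts file hijack
        os.remove(Path(root, "Program Files/App/app.log"))              # log wiped
        after = snapshot(root)

    return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9} {p}")
```

Take the baseline snapshot on the clean clone before the sample is copied over, and keep it outside the sandbox; if the code tampers with the snapshot file itself, the comparison is worthless. Expect noise from the operating system's own background activity (prefetch, event logs, temp files) and read the diff together with the Filemon/Regmon trace to tell the sample's changes from the system's.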
InCtrl5 Results
FileMon Results
RegMon Results
Forensic Exam of "Compromised Clone"
- After you've run the bad code on the test machine, forensically examine it
- If a cloned drive was used, examine the clone device
- If VMware was used, create a full clone of the compromised VMware image
- Examine the compromised full clone image with a forensic tool such as EnCase
EnCase View of VMWare Image
Examine Results of Network Traffic
- When the test host was compromised, what network traffic resulted from the bad code, during and after installation?
- Wireshark (formerly Ethereal) network monitoring tool
Ethereal View of Bad Code Attempting to Contact an FTP Server
Do External Port Scan & Compare to Netstat Results
- A rootkit can hide open ports and processes from the user, so netstat run on the compromised host reports only what the rootkit lets it see
- By comparing netstat results with those of an external port scan, you can often detect the presence of a rootkit: a port that answers the scanner but is absent from netstat is the indicator
- The reverse (a port in netstat that the scanner cannot reach) is usually just a host firewall or a loopback-only binding and is not evidence on its own
Results of "netstat -an"
Results?
- Netstat showed 9 open TCP ports
- SuperScan showed 10 open TCP ports
- Why? The rootkit is hiding one of the TCP ports; netstat on the compromised host can't be relied upon to be accurate.
Results of SuperScan
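The netstat-versus-scan comparison from the last slides, as an added example that is not code from the book: it parses `netstat -an` output from the test host, parses the external scan, and reports ports in each direction. Both inputs are constructed for this example; the scan is written in nmap's greppable (`-oG`) layout because the slides show SuperScan results only as a screenshot and its report format is not reproduced here. Ports bound to loopback are excluded from the netstat side, since no external scanner can reach them.

```python
# Constructed output in the layout of "netstat -an" on Windows (not a real capture).
NETSTAT_OUTPUT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5357         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1027      203.0.113.10:21        ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed external scan of the same host in nmap greppable (-oG) layout.
SCAN_OUTPUT = """
# Nmap scan of test host (constructed)
Host: 192.168.1.20 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///, 4444/open/tcp////\tIgnored State: closed (995)
"""

LOOPBACK = ("127.", "[::1]")


def netstat_listening_tcp(text):
    """TCP ports the host itself reports as LISTENING on a non-loopback address."""
    ports = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            addr, port = fields[1].rsplit(":", 1)   # handles "[::]:135" as well
            if not addr.startswith(LOOPBACK):
                ports.add(int(port))
    return ports


def scan_open_tcp(text):
    """TCP ports an external scanner found open (the -oG 'Ports:' field)."""
    ports = set()
    for line in text.splitlines():
        if "Ports:" not in line:
            continue
        field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in field.split(","):
            parts = entry.strip().split("/")
            if len(parts) >= 3 and parts[1] == "open" and parts[2] == "tcp":
                ports.add(int(parts[0]))
    return ports


def compare(netstat_text, scan_text):
    """Ports open from outside but missing from netstat are the rootkit
    indicator; ports in netstat but unreachable from outside usually mean a
    host firewall and are not evidence on their own."""
    local = netstat_listening_tcp(netstat_text)
    external = scan_open_tcp(scan_text)
    return {
        "hidden_from_netstat": sorted(external - local),
        "unreachable_externally": sorted(local - external),
        "netstat_count": len(local),
        "scan_count": len(external),
    }


if __name__ == "__main__":
    result = compare(NETSTAT_OUTPUT, SCAN_OUTPUT)
    print(f"netstat: {result['netstat_count']} listening, scan: {result['scan_count']} open")
    print("hidden from netstat (rootkit indicator):", result["hidden_from_netstat"])
    print("listening but not reachable (check firewall):", result["unreachable_externally"])
```

Run the scan from a second machine on the isolated sandbox segment while the sample is resident, and capture netstat on the test host at the same moment; a port that is open only for a few seconds (a reverse connection, for instance) will show in neither and has to be found in the Wireshark trace instead.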