Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cosc 4765 Windows Forensics Techniques. A case study First this lecture should not be confused with Computer Forensics for criminal prosecution. –That.

Published byCody Anthony Modified over 9 years ago

Similar presentations

Presentation on theme: "Cosc 4765 Windows Forensics Techniques. A case study First this lecture should not be confused with Computer Forensics for criminal prosecution. –That."— Presentation transcript:

1 Cosc 4765 Windows Forensics Techniques

2 A case study First this lecture should not be confused with Computer Forensics for criminal prosecution. –That involves chain of custody and that the system has “unchanged” data for evidence in a trial. We’ll look identifying and detection techniques and tools –using a windows environment for a fake company.

3 Fake company We’ll use a web hosting company as a bases for the study. –It has a large number of Windows servers –Each has 2 NICs 1 has an inside private ip 10.10.X.X 1 has an outside public ip –All inside traffic is via ssh, while outside traffic is via http (and https), using apache (not IIS). –And there is a firewall preventing outside to inside access. boxes can only be accessed from the internet via the outside ip address.

4 Our Network Toolbox For networking tools to detect potential incidents –WireShark, Windump (tcpdump for windows)‏ We can capture and graphically inspect network traffic –EtherApe It builds a “talkers map” for a network segment Allows to characterize normal traffic –tcpreplay We can replay captured traffic and control the speed. –Snort Free IDS, using a gui frontend like base for easy to viewing the traffic. –MRTG Or something like it, can show you a traffic graph of your network –Fscan, nmapwin (nmap for windows)‏ port scanners to determine open ports.

5 Potential incidents First, there is a general assumption –YOU ALREADY KNOW WHAT NORMAL TRAFFIC IS FOR “FAKE COMPANY”. –Why is this important? –What would we expect to be normal traffic for this company?

6 Potential incidents (2)‏ So first we think there is “Abnormal traffic” on the network. –maybe from Snort or other network monitoring software. Could just be “gee, the response time is slow today”. –We run wireshark and get the following Traffic from an outside ip to an inside ip –That’s a problem! –Time to check that computer.

7 Our Windows ToolBox A cdrom containing copies of programs we are using. –A cdrom is best, since it can not be compromised by an infected system. –From a windows system: at.exe, cmd.exe, dir.exe, ifconfig.exe, nbstat.exe net.exe, nestate.exe, nslookup.exe, route.exe, tracert.exe, hostname.exe

8 Our Windows ToolBox (2)‏ From Foundstone.com and other places –fport.exe Reports all open TCP/IP and UDP ports and maps them to the owning application. –Could use netstat –an, but fport maps to the owning application, so it’s better. –pslist.exe list process on the cmd line –psservices.exe associates services with process ids –psfile.exe similar to lsof, list open files by applications –psloggedon.exe associates users with running processes –listdlls.exe lists which DLL file are being used by running processes.

9 What to look for? unusual processes –pslist, psinfo, psfile unusual listening ports –netstat, fport, psservice unusual open files –psfile, listdlls, fport logged in users –psloggedon, nbstat process owners –psloggedon examine route tables –netstat, route temp files, suspicious folders –dir, type, explorer

10 Using the tools e:\hostname (assume e: is the cdrom)‏ –winbox.private.com e:\net session –Computer User name Client Type Opens Idle time –---------------------------------------------------------------- –\\TGT1 ADMINISTRATOR 0 00:00:27 –\\TGT2 ADMINISTRATOR 0 00:00:15 –\\TGT3 ADMINISTRATOR 0 00:00:23 –\\TGT4 ADMINISTRATOR 0 00:00:05 This is very bad! The are 4 file shares connected to this machine

11 Using the tools (2)‏ E:\Fport.exe Fport v2.0 - TCP/IP Process to Port Mapper Copyright 200 by Foundstone, Inc http://www.foundstone.com Pid Process Port Proto Path 420 svchost -> 135 TCP C:\WINNT\system32\svchost.exe 8 System -> 445 TCP 888 MSTask -> 1025 TCP C:\WINNT\system32\MSTask.exe 8 System -> 1027 TCP 8 System -> 445 UDP 430 svchost -> 80 TCP C:\Program Files\Apache\httpd.exe 1625 servu -> 3215 TCP C:\Client_Data\Inetpub\_vti-bin\ \servu.exe We running apache web servers, but there is something running out of what looks like a IIS directory! Hidden Directory

12 Using the tools (3)‏ e:\dir /s /a c:\Client_Data\Inetpub\_vti-bin\” “\ /p –recursively listing the hidden directory net use F \\tgt1\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass net use G \\tgt2\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass net use H \\tgt3\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass net use I \\tgt4\c$\WINNT\system32\ \_vti-bin\ /user:Administrator AdminPass So now there are at least 4 more system involved with administrator privileges Looking at those, we find the it’s an ftp server, with config’s and a batch file to launch the server.

13 A note This hasn’t identified the entry point We don’t know how they broke in –could be bad administrator passwords –could an unpatched windows system –virus/worm –or simply a targeted attacked against fake company that succeeded.

14 Clean Up That’s the hard part –If we decide not to reinstall the machine –Must check the registry, new local accounts, services such as, how does the system mount those directories? –We’ll need to stop that! –Scan and remove any viruses/worms/trojan horses/back doors. Once an attacker gets in, they will work very hard to stay there.

15 Clean Up (2)‏ Besides cleaning up the systems Fix the firewall –If we are allowing clients to connect to specific ports, then should enforce that on the firewall –Open internet ports 80 (http), 443 (https), Maybe port 25 for e-mail –Close output ports as well. harder: because of browsing, patch management, and an other issues, but it can be done normally by trial and error. –Add Vlan if possible to block more traffic

16 Clean Up (3) add an IDS system –make sure it has rules that “enforce” policies –It will then tell us when traffic is going to the wrong ports. –outside to inside ip connections Attackers may still succeed, but we will know about it quicker.

17 Lastly The idea here to quickly find and repair the problem. –Have you toolbox ready, KNOW how to use the programs, And always know what “normal” is. We can never be 100% secure and it’s not if we get hacked, it's WHEN we get hacked.

18 Q A &

19 References http://www.securityfocus.com/infocus/1653 /http://www.securityfocus.com/infocus/1653 / http://www.securityfocus.com/infocus/1672 /http://www.securityfocus.com/infocus/1672 / http://www.foundstone.com/

Download ppt "Cosc 4765 Windows Forensics Techniques. A case study First this lecture should not be confused with Computer Forensics for criminal prosecution. –That."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Investigating Malicious Software Steve Romig The Ohio State University April 2002.

Investigating Malicious Software Steve Romig The Ohio State University April 2002.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
Microsoft Security Resources. URL’s for this talk All URL’s mentioned in this talk can be found here: All URL’s mentioned in this talk can be found here:

Microsoft Security Resources. URL’s for this talk All URL’s mentioned in this talk can be found here: All URL’s mentioned in this talk can be found here:
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 6 Enumeration.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.

1 Intrusion Detection Systems. 2 Intrusion Detection Intrusion is any use or attempted use of a system that exceeds authentication limits Intrusions are.
Hands-on Networking Fundamentals

Hands-on Networking Fundamentals
FIREWALL Mạng máy tính nâng cao-V1.

FIREWALL Mạng máy tính nâng cao-V1.
COEN 252 Computer Forensics

COEN 252 Computer Forensics

Similar presentations

Ads by Google