COEN 250 Computer Forensics Windows Live Analysis.


1 COEN 250 Computer Forensics Windows Live Analysis

2 Extracting Evidence from a Live System
Degrees of volatility of data.
Trade-off: gathering the more volatile data first versus following safer forensic procedures.

3 Extracting Evidence from a Live System
A live examination is done:
- To quickly assess the situation and confirm the incident.
- To retrieve volatile data, such as network connections, running processes, etc.

4 Extracting Evidence from a Live System
Initial response must not destroy potential evidence.
Use only trusted tools from a response toolkit.
Document results. Where to record them:
- Notebook
- Hard drive of the target system
- Removable media connected to the target drive
- Another system, using netcat or cryptcat

5 Extracting Evidence from a Live System
Plan the investigation. Evidence gathering differs according to the incident:
- Unacceptable web-surfing.
- Intellectual property theft.
- Compromised system.

6 Extracting Evidence from a Live System
Response Toolkit: a collection of trusted tools, stored on removable media:
- Floppies (write-protected)
- CD
- Thumbdrive (write-protected)

7 Response Toolkit
- Determine the tools needed.
- Create the toolkit.
- Check dependencies on DLLs and other files; include those in the toolkit.
- Include a file authentication tool such as MD5.

8 Target Volatile Information
Volatile information generally consists of:
- System time
- Logged-on users
- Process information
- Network connections
- Network status
- Clipboard contents
- Command history
- Service / driver information

9 Tools A collection of free tools

10 Response Toolkit: cmd.exe Built-in command prompt should be included in the toolkit.

11 Response Toolkit: Tool Collection
- System & time
- Logged-on users
- Process information
- Network and port information

12 Response Toolkit: Time and date
Built-in: date /t and time /t
Systeminfo.exe gives the uptime along with many other details.
Perl: print scalar localtime(time), "\n";

13 Response Toolkit
Logged on / remotely logged on users:
- PsLoggedOn (see below)
- Netusers from Somarsoft
- Net session (native to Windows)
- rasusers (see below)

14 Response Toolkit rasusers Which users have remote access privileges on the target system.

15 Response Toolkit PsLoggedOn

16 Response Toolkit Process Information

17 Response Toolkit Pulist (from the Resource Kit), PsList

18 Response Toolkit ListDLL

19 Response Toolkit Handle gives all handles

20 Response Toolkit Tlist is part of the Microsoft debugging tools.

21 Response Toolkit Cmdline from Diamond CS displays all processes with their arguments.

22 Response Toolkit PmDump dumps memory of a process.

23 Response Toolkit dd for windows dumps the contents of main memory into a file.

24 Response Toolkit Clipboard contents can be dumped with a small perl script: use Win32::Clipboard; print Win32::Clipboard->Get(), "\n";

25 Response Toolkit Doskey /history

26 Response Toolkit SC.exe communicates with the NT Service Controller

27 Response Toolkit Windows has “protected storage”. Used to store authentication data, … Use PStoreView to access it.

28 Response Toolkit PsService views services:

29 Response Toolkit PsInfo contains interesting system data including the uptime

30 Resource Toolkit: kill Get it from the Windows NT Resource Kit. Terminates processes by process number.

31 Response Toolkit Network and Port Information

32 Response Toolkit netstat Enumerates all listening ports and all connections to those ports.

33 Response Toolkit Fport Finds open TCP/IP and UDP ports and maps them to the owning application

34 Response Toolkit ipconfig

35 Response Toolkit Promiscdetect Figures out whether network card is in promiscuous mode.

36 Resource Toolkit: nbtstat

37 Response Toolkit psfile

38 Response Toolkit openports

39 Resource Toolkit: arp

40 Resource Toolkit: md5sum Creates MD5 hashes for a file.

41 Resource Toolkit: PsLogList Dumps the event log list.

42 Resource Toolkit: PsInfo Local system build.

43 Remote Toolkit: PsFile

44 Resource Toolkit: PsService

45 Resource Toolkit: Analyzing files
- Strings.exe
- Bintext.exe
- Dependency Walker
- File Date Time Extractor for Windows
- Word …

46 Resource Toolkit: regdump

47 Accessing Important Files
Files such as logs contain valuable data. Before accessing a file, safeguard its MAC (modified, accessed, created) times:
- Use Perl's stat function, or
- Use the dir command three times, once per timestamp:
C:\dir /tw c:\windows\system32\svchost.exe
C:\dir /ta c:\windows\system32\svchost.exe
C:\dir /tc c:\windows\system32\svchost.exe
On NTFS, also preserve the owner and permissions of the file (various tools do this).
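The point of the slide is ordering: the timestamps must be captured by a single stat call before anything opens the file, because reading it (for example to hash it) can update the access time. The following script is an added example, not part of the original presentation; it uses Python's os.stat rather than Perl's stat or dir /t, creates a constructed stand-in file with constructed timestamps, and records the three times and the size before computing the MD5.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

SAMPLE_BYTES = b"constructed sample bytes"   # constructed file content for the demo


def record_mac_times(path):
    """Capture the timestamps a single stat() call returns, before the file is
    opened for anything else. On Windows st_ctime is the creation time
    (dir /tc); on POSIX it is the last metadata change."""
    st = os.stat(path)   # stat() itself does not update the access time
    return {
        "path": path,
        "modified": st.st_mtime,   # dir /tw
        "accessed": st.st_atime,   # dir /ta
        "created": st.st_ctime,    # dir /tc
        "size": st.st_size,
    }


def md5_file(path):
    """Hash the file. Reading it may update the access time, so this is
    called only after record_mac_times()."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def as_utc(ts):
    """Render a Unix timestamp the way a report would show it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def demo():
    """Create a constructed evidence file with known timestamps and record it."""
    d = tempfile.mkdtemp()
    path = os.path.join(d, "svchost.exe")  # stand-in name, not the real binary
    with open(path, "wb") as f:
        f.write(SAMPLE_BYTES)
    # Give the file known access/modification times (constructed values).
    os.utime(path, (1_000_000_500, 1_000_000_000))   # (atime, mtime)
    record = record_mac_times(path)
    record["md5"] = md5_file(path)   # only after the timestamps are saved
    return record


if __name__ == "__main__":
    r = demo()
    for key in ("modified", "accessed", "created"):
        print(f"{key:9} {as_utc(r[key])}")
    print("md5", r["md5"], "size", r["size"])
```

The record is what goes into the notebook or the netcat stream before the log file is examined; if the same function is run again after analysis, a changed access time shows exactly which step touched the file.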

48 Accessing Important Files: Recycle Bin
Exists in the root of each drive as a hidden directory.
To see its contents: go to the root of the drive, type dir /ah, and go to the recycler directory.

49 Accessing Important Files Recycle Bin

50 Accessing Important Files: Recycle Bin The directories listed are the SIDs of the local users on the system. A hidden file called INFO2 contains data about the files moved into the recycle bin. Rifiuti (Foundstone) will parse it.

51 Preparing the Toolkit

52 Label the toolkit.
Check for dependencies with Filemon or ListDLL.
Lots of dependencies means lots of MAC changes.
Lots of dependencies means it is easy to run into a trojaned utility.
Create an MD5 of the toolkit.
Write-protect any floppies.
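Slides 7, 40 and 52 all call for an MD5 of the toolkit; what that buys you is the ability to prove, before and after an engagement, that the tools on the media are the ones you labelled. The script below is an added example, not code from the presentation: it builds an md5sum-style manifest of a constructed toolkit directory, then re-verifies the media after one tool has been altered and an extra file has appeared, reporting modified, missing and added files.

```python
import hashlib
import os
import tempfile


def md5_file(path):
    """MD5 of a file, read in chunks so large tools do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(toolkit_dir):
    """Map each file under toolkit_dir (relative, '/'-separated) to its MD5."""
    manifest = {}
    for root, _, files in os.walk(toolkit_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, toolkit_dir).replace(os.sep, "/")
            manifest[rel] = md5_file(full)
    return manifest


def write_manifest(manifest, path):
    """Write md5sum-style 'hash  path' lines; keep this file off the
    target system, with the write-protected media or in the notebook."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path) as f:
        for line in f:
            digest, rel = line.rstrip("\n").split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_toolkit(toolkit_dir, manifest):
    """Compare the media against the manifest: modified, missing and added files."""
    actual = build_manifest(toolkit_dir)
    return {
        "modified": sorted(r for r in manifest if r in actual and actual[r] != manifest[r]),
        "missing": sorted(r for r in manifest if r not in actual),
        "added": sorted(r for r in actual if r not in manifest),
    }


def demo():
    """Build a constructed toolkit, record its manifest, then alter the media."""
    kit = tempfile.mkdtemp(prefix="toolkit_")
    for name in ("cmd.exe", "pslist.exe", "fport.exe"):   # constructed stand-ins
        with open(os.path.join(kit, name), "wb") as f:
            f.write(b"constructed stand-in for " + name.encode())
    manifest_path = os.path.join(tempfile.mkdtemp(), "toolkit.md5")
    write_manifest(build_manifest(kit), manifest_path)
    clean = verify_toolkit(kit, read_manifest(manifest_path))
    # Simulate one tool being altered and an extra file appearing on the media.
    with open(os.path.join(kit, "fport.exe"), "ab") as f:
        f.write(b"!")
    with open(os.path.join(kit, "extra.exe"), "wb") as f:
        f.write(b"not in the manifest")
    tampered = verify_toolkit(kit, read_manifest(manifest_path))
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean media:", before)
    print("after tampering:", after)
```

The manifest format matches what md5sum on the slides produces, so the same check can be repeated with that tool on a system where Python is not available.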

53 Using the Toolkit

54 Storing Obtained Data
- Save data on the hard drive of the target (modifies the system).
- Record data by hand.
- Save data on removable media, including USB storage.
- Save data on a remote system with netcat or cryptcat.

55 Storing Obtained Data with netcat
Quick on, quick off the target system; allows offline review.
Establish a netcat listener on the forensic workstation and redirect its output into a file.
On the target system, funnel command output through netcat to the forensic workstation.
Cryptcat does the same, but encrypts the traffic to protect against sniffing.

56 Obtaining Volatile Data
Store at least:
- System date and time
- List of current users
- List of current processes
- List of currently open sockets
- Applications listening on the open sockets
- List of systems with current or recent connections to the system

57 Obtaining Volatile Data: Procedure
- Execute a trusted cmd.exe.
- Record system time and date.
- Determine who is logged on.
- Record file MAC times.
- Determine open ports.
- List all apps associated with open ports.

58 Obtaining Volatile Data: Procedure
- List all running processes.
- List current and recent connections.
- Record the system time and date again.
- Document the commands used during initial response.

59 Recording System Time

60 Determining Logons

61 Cmdline from DiamondCS

62 Determining File MAC

63 Determining Open Ports

64 Listing Applications with Open Ports

65 Listing all running processes

66 List current connections

67

68 Documenting history

69 Scripting the response

70

71 Examples
Use Fport to look at open ports.
Use a list of ports to find suspicious ports, i.e. those used by known Trojans, sniffers or spyware: www.doshelp.com/trojanports.htm

72 Examples If at your home system, fport shows a suspicious port use and netstat shows a current connection to this port, then kill the process.
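Slides 71 and 72 describe a manual correlation: fport maps a listening port to a process, a port watchlist says whether the port is worth a closer look, and netstat says whether someone is connected to it right now. The script below is an added example, not code from the presentation; it parses constructed samples in the fport and Windows netstat -an layouts (the hostnames, PIDs and paths are made up) against a constructed placeholder watchlist standing in for the port list the slides link to, and reports each watched port with its owning process and any established connections.

```python
import re

# Constructed sample in the layout fport prints ("Pid Process -> Port Proto Path");
# none of these entries come from a real host.
FPORT_OUTPUT = """\
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1260  svchost        ->  5000  TCP   C:\\WINNT\\system32\\svchost.exe
1504  sample         ->  12345 TCP   C:\\Temp\\sample.exe
1504  sample         ->  12345 UDP   C:\\Temp\\sample.exe
"""

# Constructed sample in the layout of "netstat -an" on Windows.
NETSTAT_OUTPUT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:12345     203.0.113.7:4021       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Placeholder watchlist standing in for the port list the slides refer to;
# the numbers are constructed for this demo, not taken from that list.
WATCHLIST = {5000, 12345, 31337}

FPORT_LINE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text):
    """Return one dict per fport data line: pid, process, port, proto, path."""
    entries = []
    for line in text.splitlines():
        m = FPORT_LINE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            entries.append({"pid": int(pid), "process": proc, "port": int(port),
                            "proto": proto, "path": path.strip()})
    return entries


def parse_netstat(text):
    """Return (proto, local_port, foreign_addr, state) tuples from netstat -an.
    UDP rows carry no state column, so state is '' for them."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_port = int(parts[1].rsplit(":", 1)[1])   # rsplit also handles [::]:port
        state = parts[3] if len(parts) > 3 else ""
        rows.append((parts[0], local_port, parts[2], state))
    return rows


def correlate(fport_text, netstat_text, watchlist):
    """For every watched port fport attributes to a process, attach the
    foreign addresses netstat shows as ESTABLISHED on that port."""
    connections = parse_netstat(netstat_text)
    findings = []
    for e in parse_fport(fport_text):
        if e["port"] not in watchlist:
            continue
        peers = sorted(foreign for proto, port, foreign, state in connections
                       if proto == e["proto"] and port == e["port"] and state == "ESTABLISHED")
        findings.append({**e, "connections": peers})
    return sorted(findings, key=lambda f: (f["port"], f["proto"]))


if __name__ == "__main__":
    for f in correlate(FPORT_OUTPUT, NETSTAT_OUTPUT, WATCHLIST):
        live = ", ".join(f["connections"]) or "no established connection"
        print(f"{f['proto']}/{f['port']:<5} pid {f['pid']:<5} {f['process']:<10} {f['path']}  [{live}]")
```

With the sample data, port 5000 is flagged but belongs to svchost with nobody connected, which is the situation the slides walk through at the end, while 12345 has a live peer; that second case is the one slide 72 says to act on, and the process id fport supplies is what kill needs.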

73 Examples Knowing what processes are running is not enough by itself; you need to know what they are doing. At a minimum, know the typical processes.

74 Examples Access the registry with RegDump, then study it with regedit on the forensic system.

75 Examples
Assume generic monitoring of systems. Look for:
- Unusual resource utilization or process behavior
- Missing processes
- Added processes
- Processes with unusual user identification
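Three of the four indicators on slide 75 reduce to comparing the live process list against a known-good baseline of (image name, account) pairs. The script below is an added example, not code from the presentation; both the baseline and the live snapshot are constructed, standing in for what pslist or Task Manager would show, and the comparison reports added images, missing images, and known images running under an account the baseline never saw.

```python
# Constructed baseline of expected (image name, account) pairs for this host,
# as it would be recorded from a known-good build.
BASELINE = {
    ("csrss.exe", "SYSTEM"),
    ("lsass.exe", "SYSTEM"),
    ("svchost.exe", "SYSTEM"),
    ("svchost.exe", "NETWORK SERVICE"),
    ("explorer.exe", "alice"),
}

# Constructed snapshot of the live system: (pid, image name, account).
CURRENT = [
    (412, "csrss.exe", "SYSTEM"),
    (836, "svchost.exe", "SYSTEM"),
    (1260, "svchost.exe", "alice"),
    (1488, "explorer.exe", "alice"),
    (1720, "updater.exe", "alice"),
]


def compare_processes(baseline, current):
    """Classify live processes against the baseline.

    added        - image name never seen in the baseline
    missing      - baseline image with no running instance at all
    unusual_user - known image, but under an account the baseline lacks for it
    """
    expected_users = {}
    for name, user in baseline:
        expected_users.setdefault(name, set()).add(user)
    seen_names = {name for _, name, _ in current}
    report = {
        "added": [],
        "missing": sorted(set(expected_users) - seen_names),
        "unusual_user": [],
    }
    for pid, name, user in current:
        if name not in expected_users:
            report["added"].append((pid, name, user))
        elif user not in expected_users[name]:
            report["unusual_user"].append((pid, name, user))
    return report


if __name__ == "__main__":
    for category, items in compare_processes(BASELINE, CURRENT).items():
        print(f"{category}: {items}")
```

A process that passes this check can still be doing something it should not (slide 73), so the baseline comparison is a triage filter that decides where to spend ListDLL, Handle and Cmdline time, not a verdict.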

76 Examples The windows task manager can be very helpful.

77 Examples: Detecting and Deleting Trojans
Use port scanning tools, either on the host machine or from a remote machine:
- Fport (Windows)
- Superscan (Windows)
- Nmap
- netstat (for open connections)

78 Examples: Detecting and Deleting Trojans
Identify the Trojan on the disk.
Find out how it is being started and prevent the process from starting.
Reboot the machine and delete the Trojan.

79 Example Run superscan on local host to check for open ports. What is happening at port 5000?

80 Example Port 5000?

81 Example Run fport. Port 5000 is connected to process 1260.

82 Example Use pslist to find out what this is. Process 1260 is called svchost.

83 Example
Do an internet search on svchost: the process checks the services portion of the registry to start the services that need to run.
Use Tasklist /SVC in a command prompt.

84 Example

85 Nothing serious here. At least not on the surface.
