Presentation is loading. Please wait.

Presentation is loading. Please wait.

Windows Forensics 10 Apr 2007 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Windows Forensics 10 Apr 2007 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator."— Presentation transcript:

1 Windows Forensics 10 Apr 2007 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator

2 Agenda Forensics Background Operating Systems Review Select Windows Features Vectors and Payloads Forensics Process Forensics Tools Demonstration

3 Forensics Background Inspection of computer system for evidence of:  crime  unauthorized use Evidence gathering/preservation techniques for admissibility in court of law Consideration of suspect's level of expertise Avoidance of data destruction or compromise

4 Operating System Review What does an OS do?

5 Operating System Review What does an OS do?  starts itself  low-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)  higher-level management of: file system, users, user interface, apps  addresses issues of fairness, efficiency, data protection/access, workload balancing

6 Select Windows Features Kernel vs. User Mode Kernel features (architecture)architecture  device drivers  installable file system  object security Services

7 Computing Devices: Simplistic Computing Device  takes some input  processes it OS, services, applications  provides some output Network  connects device Data ? Computing Device input output Hub

8 Computing Devices: Reality Human K/M/touch,etc. Data Scanner/GPS Data Storage Device, PC Card, Network, Printer, Etc. In Out In/Out Human A/V

9 Computing Devices: Connections removable media  floppy,CD/DVD,flash,microdrive PC Card wired  serial/parallel,USB,Firewire,IDE,SCSI,twisted pair wireless  radio (802.11, cellular, Bluetooth)  Infrared (IR)  Ultrasound

10 Vectors and Payloads Vector: route used to gain entry to computer  via a device without human intervention  via an unsuspecting or willing person's actions Payload: what is delivered via the vector  malicious code  may be multiple payloads  spyware, rootkits, keystroke loggers, bots, illegals software, spamming, etc.

11 Forensics Process Assess  after permission is granted  determine how to approach affected system(s)  watch out for anti-forensics  how to stop computer processing? Acquire  capture volatile data  copy hard drive Analyze

12 Volatile Data All of RAM, plus paging area Logged on users Processes (regular and services) Process memory Buffers Clipboard Network Information Command history

13 Nonvolatile Data Partitions Files  hidden, streams Registry Keys Recycle Bin Scheduled Tasks User information Logs

14 What to Look For Know baseline system: what to expect of good system Malware Footprint  in logs  on file system (changed dates/sizes)  in registry  in startup areas  in service list  in network connections Abnormalcy – functionality, performance, traffic patterns Cross-check with multiple tools

15 Microsoft Tools Basic Windows Update, Malicious Software Removal, Baseline Security Analyzer, Time Service, Routing and Remote Access, Event Viewer, EventCombMT, LocalService, NetworkService, Runas, systeminfo, auditpol Network tools netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig File dir /ah, dir /od, dir /tc, findstr, cacls Services net start/stop, sc Process: tasklist, taskkill, schtasks

16 External Tools antivirus backup www.sysinternals.com RootKitRevealer, ProcessExplorer, WinObj, Autoruns PSTools: pslist, psexec, psservice, psgetsid, etc. www.e-fense.com: Helix statically-linked tools, variety of other tools Bart’s PE

17 References Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley 2005 Windows Forensic Analysis DVD Toolkit, Harlan Carvey, Syngress 2007 File System Forensic Analysis,Brian Carrier, Addison-Wesley 2005 Rootkits, Greg Hoglund and James Butler, Addison-Wesley 2006

Download ppt "Windows Forensics 10 Apr 2007 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator."

Similar presentations

Introduction to Computers Lecture By K. Ezirim. What is a Computer? An electronic device –Desktops, Notebooks, Mobile Devices, Calculators etc. Require.

Introduction to Computers Lecture By K. Ezirim. What is a Computer? An electronic device –Desktops, Notebooks, Mobile Devices, Calculators etc. Require.
Objectives Overview Define an operating system

Objectives Overview Define an operating system
Support for Windows 7 Chapter 2 Securing and Troubleshooting Windows 7.

Support for Windows 7 Chapter 2 Securing and Troubleshooting Windows 7.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
Discovering Computers Fundamentals, Third Edition CGS 1000 Introduction to Computers and Technology Fall 2006.

Discovering Computers Fundamentals, Third Edition CGS 1000 Introduction to Computers and Technology Fall 2006.
Installing Windows XP Professional Using Attended Installation Slide 1 of 35Session 9 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.

Installing Windows XP Professional Using Attended Installation Slide 1 of 35Session 9 Ver. 1.0 CompTIA A+ Certification: A Comprehensive Approach for all.
Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.

Students: Jacek Czeszewski and Marcos Verdini Rosa Professor: José Manuel Magalhães Cruz.
ITE PC v4.0 Chapter 1 1 Operating Systems Computer Networks– 2.

ITE PC v4.0 Chapter 1 1 Operating Systems Computer Networks– 2.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
Professor Michael J. Losacco CIS 1110 – Using Computers Operating Systems & Utility Programs Chapter 7.

Professor Michael J. Losacco CIS 1110 – Using Computers Operating Systems & Utility Programs Chapter 7.
UW Security Policy and Implementation 26 Apr 2010 TINFO 340: Information Assurance Stephen Rondeau Institute of Technology Labs Administrator.

UW Security Policy and Implementation 26 Apr 2010 TINFO 340: Information Assurance Stephen Rondeau Institute of Technology Labs Administrator.
UW Information Systems Security Policy Stephen Rondeau Institute of Technology Computing Labs Administrator 18 Nov 2005.

UW Information Systems Security Policy Stephen Rondeau Institute of Technology Computing Labs Administrator 18 Nov 2005.
Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.

Guide to Computer Forensics and Investigations Third Edition Chapter 11 Network Forensics.
Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.

Computer Security Fundamentals by Chuck Easttom Chapter 5 Malware.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Operating Systems.

Operating Systems.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
LECTURE 14 Operating Systems and Utility Programs

LECTURE 14 Operating Systems and Utility Programs
Chapter 8 Operating Systems and Utility Programs By: James Granahan.

Chapter 8 Operating Systems and Utility Programs By: James Granahan.

Similar presentations

Ads by Google