
Information Networking Security and Assurance Lab, National Chung Cheng University: Live Data Collection from Windows System


1 Live Data Collection from Windows System

2 Outline
- Preface
- Creating a Response Toolkit
- Storing Information Obtained during the Initial Response
- Obtaining Volatile Data
- Performing an In-Depth Live Response


4 Preface
The goal of an initial response:
- Confirm there is an incident
- Retrieve the system's volatile data
OS: Windows NT/2000/XP

5 Outline (section: Creating a Response Toolkit)

6 What is important
- Don't affect any potential evidence
- Prepare a complete response toolkit: a live investigation is not the time to create or test your toolkit for the first time!

7 The Utility (I)

Name | Description | Source
--- | --- | ---
cmd.exe | The command prompt for Windows NT/2000/XP | Built in
PsLoggedOn | Show all users connected locally and remotely | www.foundstone.com
rasusers | Show which users have remote-access privilege on the target system | NT Resource Kit (NTRK)
netstat | Enumerate all listening ports and all current connections to those ports | Built in
Fport | Enumerate all processes that opened any TCP/IP ports on Windows NT/2000/XP | www.foundstone.com
PsList | Enumerate all running processes on the target system | www.foundstone.com
ListDLLs | List all running processes (command-line arguments, DLLs) | www.foundstone.com
nbtstat | List the recent NetBIOS connections for approximately the last 10 minutes | Built in
arp | Show the MAC addresses of the systems the target system has been communicating with | Built in
kill | Terminate a process | NTRK

8 The Utility (II)

Name | Description | Source
--- | --- | ---
md5sum | Create MD5 hashes for a given file | www.cygwin.com
rmtshare | Display the shares accessible on a remote machine | NTRK
netcat | Create a communication channel between two different systems | www.atstake.com/research/tools/network_utilities
cryptcat | Create an encrypted channel of communication | http://Sourceforge.net/projects/cryptcat
PsLogList | Dump the contents of the event logs | www.foundstone.com
ipconfig | Display interface configuration information | Built in
PsInfo | Collect information about the local system build | www.foundstone.com
PsFile | Show files that are opened remotely | www.foundstone.com
PsService | Show information about current processes and threads | www.foundstone.com
auditpol | Display the current security audit settings | NTRK
doskey | Display the command history for an open cmd.exe shell | Built in

9 Preparing the Toolkit
Label the response toolkit media with:
- Case number
- Time and date
- Name of the investigator who created the response media
- Name of the investigator using the response media

10 Preparing the Toolkit
- Check for dependencies with Filemon: determine which DLLs and files your response tools depend on
- Create a checksum for the response toolkit (md5sum)
- Write-protect any toolkit floppies
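A way to seal the response toolkit media with md5sum-style checksums and verify it again before it is used, as in the checksum step on slide 10. This is an added Python example, not code from the presentation; the manifest file name MANIFEST.md5, the "md5sum -c" line format and the sample tool files created in demo() are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.md5"   # assumed name of the checksum list kept on the media

def build_manifest(toolkit_dir):
    """MD5 of every tool on the media, keyed by relative path (as md5sum would list it)."""
    root = Path(toolkit_dir)
    return {p.relative_to(root).as_posix(): hashlib.md5(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}

def write_manifest(toolkit_dir, manifest):
    """'<md5>  <path>' lines, the format 'md5sum -c' reads back."""
    (Path(toolkit_dir) / MANIFEST).write_text("".join(f"{d}  {n}\n" for n, d in manifest.items()))

def read_manifest(toolkit_dir):
    lines = (Path(toolkit_dir) / MANIFEST).read_text().splitlines()
    return {n: d for d, n in (line.split("  ", 1) for line in lines if line)}

def verify_toolkit(toolkit_dir):
    """Status per tool: ok / modified / missing / unexpected. Anything but 'ok'
    means the media is not trusted for a live response."""
    expected, actual = read_manifest(toolkit_dir), build_manifest(toolkit_dir)
    report = {}
    for name in sorted(set(expected) | set(actual)):
        if name not in actual:
            report[name] = "missing"
        elif name not in expected:
            report[name] = "unexpected"
        else:
            report[name] = "ok" if expected[name] == actual[name] else "modified"
    return report

def demo():
    """Constructed toolkit in a temp dir: seal it, then alter the copy and re-check."""
    kit = Path(tempfile.mkdtemp())
    for name, body in {"cmd.exe": b"trusted shell", "nc.exe": b"netcat",
                       "tools/pslist.exe": b"pslist"}.items():
        (kit / name).parent.mkdir(parents=True, exist_ok=True)
        (kit / name).write_bytes(body)
    write_manifest(kit, build_manifest(kit))
    sealed = verify_toolkit(kit)                        # all 'ok' right after sealing
    (kit / "nc.exe").write_bytes(b"netcat, altered")    # simulated tampering with a tool
    (kit / "tools" / "pslist.exe").unlink()              # a tool removed from the media
    (kit / "extra.exe").write_bytes(b"not on the manifest")
    return sealed, verify_toolkit(kit)
```

Run the verification on the write-protected media each time it is taken to an incident; a single non-"ok" entry means the toolkit itself has become untrusted.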


12 Outline (section: Storing Information Obtained during the Initial Response)

13 Prelim
"Live" means the system is powered on. Four options for where to store the information retrieved from a live system:
- The hard drive of the target system
- In a notebook
- Response floppy disk or other removable media
- Remote forensic system using netcat or cryptcat

14 Transferring Data with netcat
Two advantages:
- Get on and off the target system quickly
- Perform an offline review

15 Transferring Data with netcat
Diagram: NT system (target) on one side, forensic system on the other. Commands run on the NT system: time, date, loggedon, fport, pslist, nbtstat -c.
1: Run trusted commands on the NT server
2: Send output to the forensics box via netcat
3: Perform off-line review; md5sum the output files

16 Transferring Data with netcat (screenshot: forensic workstation and target system)

17 Encrypting Data with cryptcat
Has the same syntax and functions as the netcat command
- A sniffer cannot compromise the information you obtain
- Eliminates the risk of contamination or injection of data
Two-man integrity rule

18 Outline (section: Obtaining Volatile Data)

19 Collect the important information
At minimum, collect this volatile data prior to forensic duplication:
- System date and time
- A list of the users who are currently logged on
- Time/date stamps for the entire file system
- A list of the currently running processes
- A list of the currently open sockets
- The applications listening on open sockets
- A list of the systems that have current or had recent connections to the system

20 Organizing and Documenting Your Investigation

Start Time | Command Line | Trusted | Untrusted | MD5 Sum of Output | Comments
--- | --- | --- | --- | --- | ---
12:15:22 | type lmhosts \| nc 192.168.0.1 2222 | X | | 3d2e531d6553ee93e08900913857eef3 |
12:15:27 | pslist \| nc 192.168.0.1 2222 | X | | 1ded672ba8b2ebf5beef672201003fe8 |
12:15:32 | netstat -an \| nc 192.168.0.1 2222 | X | | 52285a23111332453efe292343857eef3 |

21 Collecting Volatile Data
Top-ten list of the steps to use for data collection:
1. Execute a trusted cmd.exe
2. Record the system time and date
3. Determine who is logged in to the system (and remote-access users, if applicable): PsLoggedOn, rasusers
4. Record modification, creation, and access times of all files: dir (see dir /?)

22 Collecting Volatile Data
5. Determine open ports: netstat
6. List applications associated with open ports: Fport (examples of what it can reveal: winpop.exe, the Netbus trojan; windll.exe, the GirlFriend trojan)
7. List all running processes: PsList
8. List current and recent connections: netstat, arp, nbtstat

23 Collecting Volatile Data
9. Record the system time and date again: sandwich your data-retrieval commands between time and date commands
10. Document the commands used during the initial response: doskey /history
Scripting your initial response
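The forensic-workstation end of the netcat transfer from slides 15 and 20, as an added Python example that is not the presentation's own code: it plays the "nc -l" listener role, stores the received command output untouched, hashes it as md5sum would, and produces the row for the investigation table. The loopback port, the output file name, the sample pslist output and the "trusted" mark (which assumes the command came from the write-protected toolkit) are constructed assumptions.

```python
import hashlib
import socket
import tempfile
import threading
import time
from pathlib import Path

def md5_hex(data):
    return hashlib.md5(data).hexdigest()   # the digest md5sum prints for the stored file

def receive_output(listener, command_line, out_path):
    """Forensic end of 'cmd | nc <forensic box> 2222': accept one sender, read until it closes."""
    start = time.strftime("%H:%M:%S")
    conn, _peer = listener.accept()
    chunks = []
    with conn:
        while True:
            data = conn.recv(65536)
            if not data:                  # sender closed: the command's output is complete
                break
            chunks.append(data)
    raw = b"".join(chunks)
    Path(out_path).write_bytes(raw)       # stored byte-for-byte, never edited
    return {"start_time": start, "command_line": command_line, "trusted": True,
            "bytes": len(raw), "md5": md5_hex(raw), "file": str(out_path)}

def log_row(entry):
    """One line of the 'Organizing and Documenting Your Investigation' table."""
    trusted, untrusted = ("X", "") if entry["trusted"] else ("", "X")
    return f'{entry["start_time"]} | {entry["command_line"]} | {trusted} | {untrusted} | {entry["md5"]}'

def verify_stored(entry):
    return md5_hex(Path(entry["file"]).read_bytes()) == entry["md5"]   # off-line review check

def simulate_transfer(payload, command_line="pslist | nc 192.168.0.1 2222"):
    """Both ends on loopback: listener thread plus a stand-in target streaming the payload."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))       # port 0: the OS picks a free port
    listener.listen(1)
    out_path = Path(tempfile.mkdtemp()) / "pslist.txt"
    entry = {}
    worker = threading.Thread(target=lambda: entry.update(receive_output(listener, command_line, out_path)))
    worker.start()
    with socket.create_connection(("127.0.0.1", listener.getsockname()[1])) as client:
        for i in range(0, len(payload), 7):   # several small sends exercise the recv loop
            client.sendall(payload[i:i + 7])
    worker.join()
    listener.close()
    return entry
```

The hash recorded in the row is computed on the bytes exactly as received, so any later change to the stored file is caught by verify_stored during the off-line review.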

24 Outline (section: Performing an In-Depth Live Response)

25 Don't affect your system
Find evidence and properly remove rogue programs without disrupting any services

26 Creating an In-Depth Response Toolkit

Name | Description | Source
--- | --- | ---
auditpol | Determine the audit policy on a system | NTRK
reg | Dump specific information (keys) within the NT/2000 Registry | NTRK
regdump | Dump the Registry as a text file | NTRK
pwdump3e | Dump the SAM database so that the passwords can be cracked | www.polivec.com/pwdump3.html
NTLast | Monitor successful and failed logons to a system | www.foundstone.com
Sfind | Detect files hidden within NTFS file streams | www.foundstone.com
Afind | Search a file system to determine files accessed during specific timeframes | www.foundstone.com
dumpel | Dump the NT/2000 event logs | NTRK

27 Collecting Live Response Data
Two key sources of evidence on Windows NT/2000:
- The event logs
- The Registry
Four approaches that yield quite a bit of information:
- Review the event logs
- Review the Registry
- Obtain system passwords
- Dump system RAM

28 Review the event logs
Tools: auditpol, NTLast, dumpel

29 Successful logons (screenshot)

30 Enumerate failed console logons (screenshot)

31 List all successful logons from remote systems (screenshot)

32 Review the Registry
- regdump: create an enormous text file of the Registry
- reg query: extract just the Registry key values of interest

33 Obtaining System Passwords
- pwdump3e: dump the passwords from the Security Accounts Manager (SAM) database

34 Dumping System RAM
userdump.exe (MS OEM Support Tools)
Two types of memory:
- User mode (application) memory
- Full-system memory
