Presentation is loading. Please wait.

Presentation is loading. Please wait.

Live Forensics Investigations Computer Forensics 2013.

Published byDwight Ryan Modified over 9 years ago

Similar presentations

Presentation on theme: "Live Forensics Investigations Computer Forensics 2013."— Presentation transcript:

1 Live Forensics Investigations Computer Forensics 2013

2 Live Investigations  Necessary because  computer cannot be shut down  E.g.: important server  nature of evidence is too volatile  E.g.: Malware investigations  cost consideration  remote forensics

3 Live Investigations  Special challenges:  Interaction with life system changes the status of the life system  Consequence:  Need to document carefully what is being done  Use scripts  Use automated gathering tools  System can be root-kitted  Interaction with system is not usually at the lowest level possible

4 Live Investigations  Became normal only recently  Always seemed better to work directly with hard drive  If necessary construct a clone of the life system  Tools for capturing volatile evidence have increases

5 Live Investigation  Need to be preplanned  Bring all the tools, do not interrupt evidence gathering, document every step

6 Remote gathering of data  Possible to install forensics module  Allows routine investigations via network connection  Installs a trusted agent on each potential target machine  Agent communicates via a secure connection  Once triggered, agent collects data and sends them through a one- way connection to a collector

7 Remote gathering of data  Forensics Agent  Forensically sound data collection  Fully configurable  Best practice  Cross-platform  Can be used stand-alone or remotely

8 Remote gathering of data TestWindowsLinux Users logged onpsloggedon.exew System uptimepsinfo.exeuptime File timestampsdir, attribls Network connectionsnetstat, fport.exenetstat Running processespslists.exeps Loaded DLLslistdlls.exe- Network configurationnetstat.exe, arp.exe, ipconfig.exenetstat, ifconfig Installed servicespsservice.exe- Log dataauditpol.exe, ntlast.exe, psloglist.exelast Kernel modules-lsmod Mounted filesystems-df Registryregdmp.exe- Password hashespwdump3.execat Open fileshandle.exelsof

9 Remote gathering of data  Application specific data  Browser history, skype chat logs,...  Memory capture

10 Remote gathering of data  Various providers  Encase, Access data, F-response,...

11 Live Forensics  Usually use a toolkit  User-level rootkits  No influence since you are using your own tools  System-level rootkits  Norm among rootkits  Do usually not lie consistently:  Use several ways / tools to ask the same question  Automatically look for inconsistencies  Anti-rootkit-defense  Run various antivirus tools

12 Preparing the Toolkit

13  Label the toolkit.  Check for dependencies with Filemon or ListDLL.  Lots of dependencies  lots of MAC changes.  Lots of dependencies  easy to run into a trojaned utility  Create an MD5 of the toolkit.  Write protect any floppies.

14 Using the Toolkit

15 Storing Obtained Data  Save data on the hard drive of target.  (Modifies System.)  Record data by hand.   Save data on removable media.  Includes USB storage.  Save data on a remote system with netcat or cryptcat.

16 Storing Obtained Data with netcat  Quick on, quick off target system.  Allows offline review.  Establish a netcat listener on the forensic workstation. Redirect into a file.  Establish a netcat funneler on the target system to the forensic workstation.  Cryptcat does the same, but protects against sniffing.

17 Obtaining Volatile Data Store at least  System date and time.  List of current users.  List of current processes.  List of currently open sockets.  Applications listed on open socket.  List of systems with current or recent connections to the system.

18 Obtaining Volatile Data: Procedure  Execute a trusted cmd.exe  Record system time and date.  Determine who is logged on.  Record file MAC.  Determine open ports.  List all apps associated with open ports.

19 Obtaining Volatile Data: Procedure  List all running processes.  List current and recent connections.  Record the system time and date.  Document the commands used during initial response.

20 Recording System Time

21 Determining Logons

22 Cmdline from DiamondCS

23 Determining File MAC

24 Determining Open Ports

25 Listing Applications with Open Ports

26 Listing all running processes

27 List current connections

28

29 Documenting history

30 Scripting the response

31

32 Examples  Use Fport to look at open ports.  Use a list of ports to find suspicious ports, i.e. those used by known Trojans, sniffers or spyware. www.doshelp.com/trojanports.htm

33 Examples  If at your home system, fport shows a suspicious port use and netstat shows a current connection to this port, then kill the process.

34 Examples  Knowing what processes are running does not do you any good.  You need to know what they are doing.  At least, know the typical processes.

35 Examples  Access the registry with RegDump  Then study it with regedit on the forensic system.

36 Examples Assume generic monitoring of systems. Look for  Unusual resource utilization or process behavior.  Missing processes.  Added processes.  Processes with unusual user identification.

37 Examples  The windows task manager can be very helpful.

38 Examples: Detecting and Deleting Trojans  Use port scanning tools, either on host machine or remote machine.  Fport (Windows)  Superscan (Windows)  Nmap  netstat (for open connections)

39 Examples: Detecting and Deleting Trojans  Identify the Trojan on the disk.  Find out how it is being initiated and prevent the process.  Reboot the machine and delete the Trojan.

40 Example  Run superscan on local host to check for open ports.  What is happening at port 5000?

41 Example Port 5000?

42 Example  Run fport.  Connected to process 1260.

43 Example  Use pllist to find out what this is.  Connected to a process called svchost.

44 Example  Do an internet search on svchost.  Process checks the service portion of the registry to start services that need to run.  Use Tasklist /SVC in a command prompt

45 Example

46  Nothing serious here.  At least not on the surface.

47 Malware investigations  Run malware in a virtual machine  Problem: Malware can detect it is running in a virtual machine  Run malware on a life system  Dangerous for the environment  Can limit network connectivity  Try to observe malware effects  Live system:  Need to run monitoring tools  E.g. regmon, filemon  Can be detected by malware  Use differential analysis  Do system analysis on images taken before and after infection

48 Malware investigations  Can simulate the internet with inetsim

49 Malware investigations  Physical targets  Malware runs in native habitat  Without hypervisors, emulators,...  Example: TRUMAN – The reusable unknown malware analysis net  Two physical computers  Windows machine for malware client  Linux machine for supervisor  Makes dd-images after executing samples,...  Simulates internet services such as SMTP, FTP, IRC  Provides  Memory analysis with volatility  Registry analysis with regdiff.pl, dumphive, RegRipper  Packer identification  Network traffic analysis  NTFS ADS streams  Hashes of system files

50 Malware investigations  Physical target  Deep Freeze:  Prevents permanent changes to computer  FOG  Cloning and imaging software

51 Malware investigations  Analysis Cycle Create Baseline Reimage target Transfer malware Preexecution Execute malware Suspend VM dump memory Postexecution Analyze hard disk

52 Malware investigations

53

54

55

56

57

58

59

60

61

62

63

64

65

Download ppt "Live Forensics Investigations Computer Forensics 2013."

Similar presentations

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.

Computer Forensic Analysis By Aaron Cheeseman Excerpt from Investigating Computer-Related Crime By Peter Stephenson (2000) CRC Press LLC - Computer Crimes.
COEN 250 Computer Forensics Unix System Life Response.

COEN 250 Computer Forensics Unix System Life Response.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.

ITP 457 Network Security Network Hacking 101. Hacking Methodology (review) 1. Gather target information 2. Identify services and ports open on the target.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
COEN 250 Computer Forensics Windows Life Analysis.

COEN 250 Computer Forensics Windows Life Analysis.
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Jai, 2004 Incident Response & Computer Forensics Chapter 5 Live Data Collection from Windows System Information Networking Security and Assurance Lab National.

Jai, 2004 Incident Response & Computer Forensics Chapter 5 Live Data Collection from Windows System Information Networking Security and Assurance Lab National.
Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.

Jai, 2004 Incident Response & Computer Forensics Chapter 6 Live Data Collection from Unix Systems Information Networking Security and Assurance Lab National.
Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Windows System.

Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Windows System.
Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems.

Information Networking Security and Assurance Lab National Chung Cheng University Live Data Collection from Unix Systems.
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Capturing Computer Evidence Extracting Information.

Capturing Computer Evidence Extracting Information.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

Similar presentations

Ads by Google