
Windows Forensics 24 Jan 2008 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator.




1 Windows Forensics
- 24 Jan 2008
- TCSS431: Network Security
- Stephen Rondeau, Institute of Technology Lab Administrator

2 Agenda
- Forensics Background
- Operating Systems Review
- Select Windows Features
- Vectors and Payloads
- Forensics Process
- Forensics Tools
- Demonstration

3 Forensics Background
- Inspection of computer system for evidence of:
  - crime
  - unauthorized use
- Evidence gathering/preservation techniques for admissibility in court of law
- Consideration of suspect's level of expertise
- Avoidance of data destruction or compromise

4 Operating System Review
- What does an OS do?

5 Operating System Review
- What does an OS do?
  - starts itself
  - low-level management of: interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.)
  - higher-level management of: file system, users, user interface, apps
  - addresses issues of fairness, efficiency, data protection/access, workload balancing

6 Select Windows Features
- Kernel vs. User Mode
- Kernel features (architecture)
  - device drivers
  - installable file system
  - object security
- Services
- User accounts, passwords and privileged groups
- Security policies

7 Computing Devices: Simplistic
- Computing Device
  - takes some input
  - processes it (OS, services, applications)
  - provides some output
- Network
  - connects devices
- (Diagram: two computing devices exchanging data through a hub; labels: Data, input, output, Hub)

8 Computing Devices: Reality
- (Diagram of a computing device's connections, labelled by direction)
  - In: Human (keyboard/mouse/touch, etc.); Data (scanner/GPS)
  - Out: Human (A/V)
  - In/Out: Data (storage device, PC/Express Card, network, printer, etc.)

9 Computing Devices: Connections
- removable media
  - floppy, CD/DVD, flash, microdrive
  - PC/Express Card
- wired
  - serial/parallel, USB, Firewire, IDE/SATA, SCSI/SAS
  - twisted pair
- wireless
  - radio (802.11, cellular, Bluetooth)
  - Infrared (IR)
  - Ultrasound

10 Vectors and Payloads
- Vector: route used to gain entry to computer
  - via a device without human intervention
  - via an unsuspecting or willing person's actions
- Payload: what is delivered via the vector
  - malicious code
  - may be multiple payloads
  - spyware, rootkits, keystroke loggers, bots, illegal software, spamming, etc.

11 Forensics Process
- Assess (after permission is granted)
  - determine how to approach affected system(s)
  - inspect physical environment
  - watch out for anti-forensics, booby-traps
  - consider how to stop computer processing
- Acquire
  - capture volatile data
  - copy hard drive
- Analyze

12 Volatile Data
- All of RAM, plus paging area
- Logged on users
- Processes (regular and services)
- Process memory
- Buffers
- Clipboard
- Network Information (incoming and outgoing)
- Command history
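The "Acquire" step of slide 11 and the volatile-data list above map directly onto a collection script. The following PowerShell script is an added example, not part of the original slides: it runs the built-in tools named later on slide 15 in order of volatility (network state and processes first, accounts and scheduled tasks last), writes each tool's output to an evidence folder, keeps a transcript of what was run and when, and hashes every file so the analysis phase can show nothing was altered afterwards. The evidence path `E:\evidence` is an assumed location for removable media; run it from an elevated prompt, since `netstat -b` requires administrative rights.

```powershell
# Added example (not from the slides): capture volatile data in order of
# volatility, writing each tool's output to an evidence folder and hashing
# the results. Run from an elevated PowerShell prompt; netstat -b needs admin.
param(
    # Assumption: removable evidence media is mounted as E:
    [string]$EvidenceRoot = "E:\evidence"
)

$case = Join-Path $EvidenceRoot ("{0}_{1}" -f $env:COMPUTERNAME, (Get-Date -Format "yyyyMMdd_HHmmss"))
New-Item -ItemType Directory -Path $case -Force | Out-Null
Start-Transcript -Path (Join-Path $case "collection_log.txt") | Out-Null

# Most volatile first: connections and processes change faster than accounts
# or scheduled tasks. Each step calls only built-in Windows tools.
$steps = [ordered]@{
    "01_time.txt"         = { Get-Date -Format o; w32tm /query /status }
    "02_logged_on.txt"    = { query user }
    "03_netstat.txt"      = { netstat -anob }
    "04_arp.txt"          = { arp -a }
    "05_nbtstat.txt"      = { nbtstat -c; nbtstat -n }
    "06_ipconfig.txt"     = { ipconfig /all }
    "07_processes.txt"    = { tasklist /v; tasklist /svc }
    "08_services.txt"     = { sc.exe query state= all }   # "sc" alone is a PowerShell alias for Set-Content
    "09_users_groups.txt" = { net user; net localgroup; net localgroup Administrators }
    "10_schtasks.txt"     = { schtasks /query /fo LIST /v }
}

foreach ($name in $steps.Keys) {
    $out = Join-Path $case $name
    "[{0}] collecting {1}" -f (Get-Date -Format o), $name   # goes into the transcript
    try {
        & $steps[$name] 2>&1 | Out-File -FilePath $out -Encoding utf8
    } catch {
        "ERROR collecting $name : $_" | Out-File -FilePath $out -Encoding utf8
    }
}
Stop-Transcript | Out-Null

# Hash everything collected so the analysis phase can prove the files are unchanged.
Get-ChildItem -Path $case -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $case "hashes.csv") -NoTypeInformation
```

The script deliberately writes only to the evidence media, never to the suspect disk, so that the later hard-drive copy is not polluted by the collection itself; `doskey /history` is omitted because it only shows the history of the cmd session it runs in, not a prior user's session.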

13 Nonvolatile Data
- Partitions
- Files
  - hidden, streams
- Registry Keys
- Recycle Bin
- Scheduled Tasks
- User Account and Group Information
- Logs

14 What to Look For
- Know baseline system: what to expect of good system
- Malware Footprint
  - in logs
  - on file system (changed dates/sizes, hidden)
  - in registry
  - in startup areas
  - in services list
  - in network connections
- Abnormality: function, performance, traffic patterns
- Cross-check with multiple tools
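The "know baseline system" advice above is only actionable if the baseline is recorded somewhere it can be compared against. The following PowerShell script is an added example, not part of the original slides: it snapshots the places the slide lists (listening ports, services with their binary paths, scheduled tasks, Run/RunOnce startup keys, hidden files under System32, local Administrators membership), saves the snapshot as JSON when run with `-SaveBaseline` on a known-good system, and otherwise reports what has been added or removed relative to that baseline. The baseline path `E:\baselines\<hostname>.json` is an assumption; `Get-NetTCPConnection` and `Get-ScheduledTask` require Windows 8/Server 2012 or later.

```powershell
# Added example (not from the slides): snapshot the areas the slide says to check
# and report what differs from a baseline taken on a known-good system.
# Assumptions: the baseline lives at -BaselinePath; run once with -SaveBaseline
# on the clean system, later without it on the suspect system.
param(
    [string]$BaselinePath = "E:\baselines\$env:COMPUTERNAME.json",
    [switch]$SaveBaseline
)

function Get-SystemSnapshot {
    # Startup areas: the classic Run/RunOnce keys.
    $runKeys = @(
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run",
        "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    )
    $autoruns = foreach ($key in $runKeys) {
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Name -notlike "PS*") { "$key\$($p.Name) = $($p.Value)" }
            }
        }
    }
    [ordered]@{
        # Listening ports mapped to the owning process name, not its PID (PIDs vary per boot).
        Listening = @(Get-NetTCPConnection -State Listen | ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            "{0}:{1} {2}" -f $_.LocalAddress, $_.LocalPort, $proc.ProcessName
        } | Sort-Object -Unique)
        # Services with start mode and binary path, so a swapped service binary shows up.
        Services = @(Get-CimInstance Win32_Service | ForEach-Object {
            "{0} | {1} | {2}" -f $_.Name, $_.StartMode, $_.PathName
        } | Sort-Object)
        Tasks = @(Get-ScheduledTask | ForEach-Object { "$($_.TaskPath)$($_.TaskName)" } | Sort-Object)
        Autoruns = @($autoruns | Sort-Object)
        # Hidden files directly under System32 with their sizes (what "dir /ah" would show).
        HiddenSystem32 = @(Get-ChildItem "$env:SystemRoot\System32" -File -Hidden -ErrorAction SilentlyContinue |
            ForEach-Object { "{0} {1}" -f $_.Name, $_.Length } | Sort-Object)
        # Local Administrators membership; drop the header and footer lines of "net localgroup".
        Admins = @(net localgroup Administrators |
            Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
            Sort-Object)
    }
}

$current = Get-SystemSnapshot
if ($SaveBaseline) {
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    "Baseline written to $BaselinePath"
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
foreach ($category in $current.Keys) {
    $was = @($baseline.$category)
    $now = @($current[$category])
    $added   = $now | Where-Object { $_ -notin $was }
    $removed = $was | Where-Object { $_ -notin $now }
    if ($added -or $removed) {
        "== $category =="
        $added   | ForEach-Object { "  + $_" }
        $removed | ForEach-Object { "  - $_" }
    }
}
```

A diff against a baseline is a starting point, not a verdict: a rootkit that hooks the API calls these cmdlets use can hide from this script, which is exactly why the slide says to cross-check with multiple tools, including ones run from trusted media.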

15 Microsoft Tools
- Basic
  - Prevent: Windows Update, Time Service, Routing and Remote Access, LocalService, NetworkService, Runas
  - Inspect: net user/group/localgroup, Active Directory Users and Groups, Event Viewer, EventCombMT, systeminfo, auditpol, Security Configuration Manager
  - Fix: Malicious Software Removal, Security Configuration Manager
- Network tools: netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig
- File: dir /ah, dir /od, dir /tc, findstr, cacls
- Services: net start/stop, sc, services.msc
- Process: tasklist, taskkill, schtasks

16 External Tools
- www.sysinternals.com
  - variety of Windows tools to monitor and analyze
- www.e-fense.com: Helix
  - Windows tools: Windows Forensics Toolkit™, trusted commands, RAM/disk imaging, password recovery tools, some www.sysinternals.com tools
  - bootable to Knoppix with many file system tools
- www.rootkit.com

17 Advice
- For your systems:
  - Prevent: update, monitor, block, isolate, backup
  - Analyze: find vectors and payloads
  - Recover: off-network restore, re-install or re-image; block vectors and/or payload effects before going on-network

18 References
- Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley 2005
- Windows Forensic Analysis DVD Toolkit, Harlan Carvey, Syngress 2007
- File System Forensic Analysis, Brian Carrier, Addison-Wesley 2005
- Rootkits, Greg Hoglund and James Butler, Addison-Wesley 2006

