190 likes | 433 Views
10 Apr 2007 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator. Windows Forensics. Agenda. Forensics Background Operating Systems Review Select Windows Features Vectors and Payloads Forensics Process Forensics Tools Demonstration. Forensics Background.
E N D
10 Apr 2007 TCSS431: Network Security Stephen Rondeau Institute of Technology Lab Administrator Windows Forensics
Agenda • Forensics Background • Operating Systems Review • Select Windows Features • Vectors and Payloads • Forensics Process • Forensics Tools Demonstration
Forensics Background • Inspection of computer system for evidence of: • crime • unauthorized use • Evidence gathering/preservation techniques for admissibility in court of law • Consideration of suspect's level of expertise • Avoidance of data destruction or compromise
Operating System Review • What does an OS do?
Operating System Review • What does an OS do? • starts itself • low-level management of: • interrupts, time, memory, processes, devices (storage, communication, keyboard, display, etc.) • higher-level management of: • file system, users, user interface, apps • addresses issues of fairness, efficiency, data protection/access, workload balancing
Select Windows Features • Kernel vs. User Mode • Kernel features (architecture) • device drivers • installable file system • object security • Services
Computing Device input output Hub Computing Devices: Simplistic • Computing Device • takes some input • processes it • OS, services, applications • provides some output • Network • connects device • Data • ?
Computing Devices: Reality In Human K/M/touch,etc. Out Human A/V Data Scanner/GPS In/Out Data Storage Device, PC Card, Network, Printer, Etc.
Computing Devices: Connections • removable media • floppy,CD/DVD,flash,microdrive • PC Card • wired • serial/parallel,USB,Firewire,IDE,SCSI,twisted pair • wireless • radio (802.11, cellular, Bluetooth) • Infrared (IR) • Ultrasound
Vectors and Payloads • Vector: route used to gain entry to computer • via a device without human intervention • via an unsuspecting or willing person's actions • Payload: what is delivered via the vector • malicious code • may be multiple payloads • spyware, rootkits, keystroke loggers, bots, illegals software, spamming, etc.
Forensics Process • Assess • after permission is granted • determine how to approach affected system(s) • watch out for anti-forensics • how to stop computer processing? • Acquire • capture volatile data • copy hard drive • Analyze
Volatile Data • All of RAM, plus paging area • Logged on users • Processes (regular and services) • Process memory • Buffers • Clipboard • Network Information • Command history
Nonvolatile Data • Partitions • Files • hidden, streams • Registry Keys • Recycle Bin • Scheduled Tasks • User information • Logs
What to Look For • Know baseline system: what to expect of good system • Malware Footprint • in logs • on file system (changed dates/sizes) • in registry • in startup areas • in service list • in network connections • Abnormalcy – functionality, performance, traffic patterns • Cross-check with multiple tools
Microsoft Tools • Basic • Windows Update, Malicious Software Removal, Baseline Security Analyzer, Time Service, Routing and Remote Access, Event Viewer, EventCombMT, LocalService, NetworkService, Runas, systeminfo, auditpol • Network tools • netstat -anob, nbtstat, ping, tracert, arp, netsh, ipconfig • File • dir /ah, dir /od, dir /tc, findstr, cacls • Services • net start/stop, sc • Process: • tasklist, taskkill, schtasks
External Tools • antivirus • backup • www.sysinternals.com • RootKitRevealer, ProcessExplorer, WinObj, Autoruns • PSTools: pslist, psexec, psservice, psgetsid, etc. • www.e-fense.com: Helix • statically-linked tools, variety of other tools • Bart’s PE
References • Windows Forensics and Incident Recovery, Harlan Carvey, Addison-Wesley 2005 • Windows Forensic Analysis DVD Toolkit , Harlan Carvey, Syngress 2007 • File System Forensic Analysis,Brian Carrier, Addison-Wesley 2005 • Rootkits, Greg Hoglund and James Butler, Addison-Wesley 2006