300 likes | 414 Views
How'd They Find THAT? : Implementing the Microsoft Fundamental Computer Investigation Guide for Windows. Kai Axford, CISSP, MCSE Sr. Security Strategist Microsoft Corporation http://blogs.technet.com/kaiaxford. Agenda.
E N D
How'd They Find THAT?: Implementing the Microsoft Fundamental Computer Investigation Guide for Windows Kai Axford, CISSP, MCSE Sr. Security Strategist Microsoft Corporation http://blogs.technet.com/kaiaxford
Agenda The Problem: Investigating illegal / improper activity on your computers and networks The Guide: Four-step investigative process The Tools: Demos of Sysinternals, EnCase, and Forensic Toolkit The Other Tools: Anti-Forensics
A Growing Problem • Internet connectivity and technological advances are now part of landscape • Your computing resources may be exposedto improper or even criminal activities • Need best practices and tools for investigating illegal activity • Want to avoid exposing the organization to legal and financial risks
The Fundamental Computer Investigation Guide for Windows • Best practices and tools to conduct computer investigations of suspicious activity • Tested guidance about collecting, preserving, analyzing, and reporting on key data in investigation
Example Case • Ray Chow, Enterprise Systems Administrator of Woodgrove National Bank (WNB) • Believes information illegally obtained from HR file server • Needs to use sound investigative methods • Will report findings to upper management
The guide provides you with a 4-step Best Practices methodology for your investigation Assess the situation Acquire key data Analyze data Report results
Decide whether or not to involve law enforcement Step 1: Assess the Situation Assess the situation Should law enforcement be involved? • End internal investigation • Contact law enforcement • agency (see appendix) • Provide assistance Yes No Continue internal investigation
Step 1: Assess the Situation (cont’d.) Assess the situation • Meet with management and legal advisors • Collectively review policies and laws • Identify possible team members • Assess situation, business impact • Prepare to acquire evidence
Step 2: Acquire Key Data Acquire key data • Build toolkit, including Sysinternals and Windows tools • Collect evidence of access to HR files at server • Collect volatile evidence at client • Collect evidence of access to HR files at client • Consider data storage protection and archival
Step 3: Analyze Data • Analyze data obtained from server • Analyze data obtained from host Analyze data
Step 4: Report Results • Gather all background, documentation, notes • Identify data relevant to investigation • Identify facts that support conclusion • List evidence to be submitted in report • List conclusions • Based on above, create report Report results
Event Log Acquire key data • Use to document unauthorized file and folder access
AccessChk* Acquire key data • Shows what folder permissions a user has • Provides evidence that user has opportunity
PsLoggedOn* Acquire key data • Shows if a user is logged onto a computing resource
RootKit Revealer Acquire key data • Reveals rootkits, which take complete control of a computer and conceal their existence from standard diagnostic tools
PsExec Acquire key data • Allows investigator to remotely obtain information about a user’s computer - without tipping them off or installing any applications on the user’s computer
Sysinternals tool: DU* Acquire key data • Allows investigator to remotely examine the contents of user’s My Documents folder and any subfolders
Digital Forensics • First and foremost:Kai is not a lawyer. Always consult your local law enforcement agency and legal department first! • Digital forensics is SERIOUS BUSINESS • You can easily shoot yourself in the foot by doing it incorrectly • Get some in-depth training • …this is not in-depth training!!! (Nor is it legal advice. Be smart. The job you save may be your own.) I just want to spend a few minutes showing you somecommon forensic tools and how they can help
EnCase (Guidance Software, Inc.) • http://www.guidancesoftware.com • Very popular in private corporations • EnScript Macro Language allows for creation of powerful scripts and filters to automate tasks • Safely preview a disk before acquisition • Picture gallery shows thumbnails of all images • Virtually boot disk image using VMware to allow first-hand view of the system
Forensic Tool Kit (AccessData Corp.) • http://www.accessdata.com/ • Full indexed searches in addition to Regex searches • Preprocess of all files, which makes for faster searching • Data is categorized by type (document, image, email, archive, etc.) for easy sorting • Ability to rule out “common files” using the Known File Filter plug-in • Detection of encrypted/compressed files
Open Source Forensics Tools • The Sleuth Kit (TSK) and Autopsy • Written by Brian Carrier (www.sleuthkit.org) • TSK is command line; Autopsy provides GUI for TSK Runs on *nix platforms • Client server architecture allows multiple examiners to use one central server • Allows basic recovery of deleted data and searching • Lots of manual control to the investigator, but is light on the automation
Open Source Forensics Tools (cont’d.) • Helix (e-fense) • Customized Knoppix disk that is forensically safe • Includes improved versions of ‘dd’ • Terminal windows log everything for good documentation • Includes Sleuthkit, Autopsy, chkrootkit, and others • Includes tools that can be used on a live Windows machine, including precompiled binaries and live acquisition tools
demo The Tools
Anti-Forensics • Be Aware of activity in the Anti-Forensics area!! There are active efforts to produce tools to thwart your forensic investigation. • Metasploit’s Anti-Forensic Toolkit*, Defiler’s Toolkit, etc. • Timestomp • Transmogrify • Slacker • SAM juicer *Courtesy of Vinnie Liu at Metasploit Project. Stay Alert! Stay Alive!
Resources Security Minded – Kai’s Blog http://blogs.technet.com/kaiaxford Fundamental Computer Investigation Guide For Windows http://www.microsoft.com/technet/security/guidance/disasterrecovery/computer_investigation/default.mspx File System Forensic Analysis. Brian Carrier ISBN: 0-321-26817-2 Digital Evidence and Computer Crime. Eoghan Casey. ISBN: 012162885X Incident Response: Investigating Computer Crime. Kevin Mandia & Chris Prosise ISBN: 007222696X Hacking Exposed: Computer Forensics. Chris Davis, Aaron Phillip ISBN: 0072256753 “How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab”. Berinato, Scott. May 2007. http://www.cio.com