Investigating Windows Systems Chao-Hsien Chu, Ph.D. College of Information Sciences and Technology The Pennsylvania State University University Park, PA 16802 chu@ist.psu.edu Theory Practice Learning by Doing
Session Outline • Forensic Mindset • Investigative Questions • Common File Systems Type • Investigating Windows Systems • Windows Registry • Investigative and Case Management Tools
Learning Objectives At the end of this module you will be able to: • Describe the importance of the forensic mindset • Describe common investigative questions • Explain the basic steps in the forensic analysis process • Discuss the forensic importance of the Windows Registry • Demonstrate the case management functions of EnCASE and FTK
Forensic Mindset • Digital Forensic Mindset – Condensed Definition: - Using your skills to determine what has occurred or, - What most likely occurred, as opposed to what is possible - You do NOT work for anyone but the TRUTH! • The tools used are not nearly as important as the person using them! • The examination should not occur in a vacuum. • Find out all you can about what is already known.
Organizing the Investigation • Use your knowledge to examine the system to answer; could it have happened that way or not? • Don’t make it more complicated than it has to be – start with the obvious! • Examples: • Check for programs that will cause you aggravation – encryption (PGP, Magic Folders, File Vault, EFS, etc.) • http://www.iopus.com/guides/efs.htm
Organizing the Investigation • MAC information – what was happening on the system during the time frame you are interested in? • What was being “written”, “changed” or “accessed”?
Investigative Questions • One of the most common questions is: Where on the Internet was it surfing? In the absence of managed server logs, use ?????? • A great product (LE or Corp Security only) is IEHistory by Scott Ponder of Phillips Ponder Company - http://www.phillipsponder.com/histviewer.htm
Questions/Requests • Another very common request is to gather up all the e-mails, including the deleted ones, for the investigator to read. • As always, this is done on the image or with hardware write protect. • Any communication is usually requested, and chat is being used more and more. • MSN Chat does not by default store its chats. Newer versions do! • AOL Instant Messenger – encryption. • Yahoo Messenger stores them on the local drive but they are encrypted. Any ideas how to get around this?
Passwords & Encryption • #1 rule – if you don’t know the password, ask the person who does! • Are they lazy? Is there an easily obtained password that is used in both circumstances? • Access Data software (Password Recovery / Ultimate Tool Kit) • Is there a corporation that you can pay to have it done for you?
Where Do We Start? • Verify integrity of image • MD5, SHA1 etc. • Recover deleted files & folders • Determine keyword list • What are you searching for • Determine time lines • What is the time zone setting of the suspect system • What time frame is of importance • Graphical representation is very useful
Where Do We Start? • Examine directory tree • What looks out of place • Stego tools installed • Evidence Scrubbers • Perform keyword searches • Indexed • Slack & unallocated space
Where Do We Start? • Search for relevant evidence types • Hash sets can be useful • Graphics • Spreadsheets • Hacking tools • Etc. • Look for the obvious first • When is enough enough??
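The two hashing steps above (verify the image, then use hash sets to skip known system files and flag known-bad ones before keyword searching) as an added Python example; it is not part of the original slides, and the file names, contents and hash sets are constructed samples:

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # hash in 1 MiB blocks so a multi-GB image never sits in RAM


def hash_file(path, algorithms=("md5", "sha1")):
    """Return {algorithm: hex digest} for one file, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(path, expected_md5=None, expected_sha1=None):
    """True only if every digest recorded at acquisition still matches."""
    got = hash_file(path)
    md5_ok = expected_md5 is None or got["md5"] == expected_md5.lower()
    sha1_ok = expected_sha1 is None or got["sha1"] == expected_sha1.lower()
    return md5_ok and sha1_ok


def triage(paths, known_system, known_bad):
    """Bucket files by SHA-1: known-bad -> flag, known-system -> skip, rest -> review."""
    buckets = {"flag": [], "skip": [], "review": []}
    for p in paths:
        sha1 = hash_file(p, ("sha1",))["sha1"]
        bucket = "flag" if sha1 in known_bad else "skip" if sha1 in known_system else "review"
        buckets[bucket].append(os.path.basename(p))
    return buckets


def build_sample_case():
    """Constructed sample (not a real case): four small files plus two tiny hash sets."""
    workdir = tempfile.mkdtemp()
    contents = {
        "image.dd": b"abc",  # stands in for the acquired image
        "ntoskrnl.exe": b"constructed system file",
        "tool.exe": b"constructed known-bad file",
        "notes.txt": b"constructed user data",
    }
    paths = {}
    for name, data in contents.items():
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as fh:
            fh.write(data)
    known_system = {hashlib.sha1(contents["ntoskrnl.exe"]).hexdigest()}
    known_bad = {hashlib.sha1(contents["tool.exe"]).hexdigest()}
    return paths, known_system, known_bad
```

Only the "review" bucket needs the slow slack and unallocated-space keyword search; a mismatch from verify_image means the image cannot be trusted and the acquisition must be re-checked.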
Common File System Types FAT (File Allocation Table): • FAT 16: DOS; Windows 3.X; Windows 95. • FAT 32: Windows 95 release 2, Windows 98, Windows Me, Windows 2000, Windows XP, Server 2003. • NTFS (New Technology File System): Windows NT; Windows 2000; Windows XP; Server 2003.
FAT 16 • Uses 16 bits in the file allocation table (FAT) • Two FATs (Primary and Backup) • Supports up to 4GB of volume space • Maximum file size of 2GB • Supports two partitions and 3 logical drives in the second partition. • Uses the 8.3 file naming convention • “/”, “\”, “[”, “]”, “|”, “<”, “>”, “+”, “=”, “;”, “*” and “?” are illegal or invalid characters
NTFS • Long file name support • Ability to handle large storage devices • Built-in security controls • POSIX support. http://www.pcguide.com/ref/hdd/file/ntfs/otherPOSIX-c.html • Volume striping • File compression • Master file table (MFT)
Investigating Windows Systems User/Systems/Data: (Intentionally) • User profiles • Program files • Temporary files (temp files) • Special application-level files. Internet history, e-mail. Artifacts: (Generated by the Systems) • Metadata • Windows system registry • Event logs or log files • Swap files • Printer spool • Recycle bin
Windows Registry • A central hierarchical database to store information necessary to configure the system for one or more users, applications and hardware devices. • Replaces AUTOEXEC.BAT, CONFIG.SYS and INI files • First introduced in Windows 3.1 for storing OLE Settings (pre 1995). - http://en.wikipedia.org/wiki/ActiveX
Windows Registry Wealth of investigative information • Registered Owner • Registered Organization • Shutdown Time • Recent DOCS • Most Recently Used (MRU) List • Typed URLs • Previous Devices Mounted • Software Installed
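Registry timestamps such as Shutdown Time are stored as Windows FILETIME values, and the time-zone question raised under "Where Do We Start?" has to be settled before they can be lined up with MAC times. The following Python is an added example, not part of the slides: it decodes a FILETIME, applies the suspect system's time-zone bias, and sorts constructed events into one timeline. It assumes (from general Windows knowledge, not from the slides) that ShutdownTime is an 8-byte REG_BINARY FILETIME and that ActiveTimeBias under HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation is a REG_DWORD of minutes with UTC = local + bias.

```python
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC and is stored as
# 8 little-endian bytes (REG_BINARY), e.g. in the ShutdownTime value.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_1970_FILETIME = (116444736000000000).to_bytes(8, "little")


def filetime_to_utc(raw):
    """Decode 8 little-endian FILETIME bytes into an aware UTC datetime."""
    (ticks,) = struct.unpack("<Q", raw)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build constructed samples."""
    ticks = (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    return struct.pack("<Q", ticks)


def suspect_local(utc_dt, active_time_bias):
    """Re-express a UTC time in the suspect machine's zone. ActiveTimeBias
    (REG_DWORD, minutes) satisfies UTC = local + bias, so zones east of UTC
    store a negative bias in two's complement (e.g. 0xFFFFFFC4 == -60)."""
    bias = active_time_bias - (1 << 32) if active_time_bias >= (1 << 31) else active_time_bias
    return utc_dt.astimezone(timezone(timedelta(minutes=-bias)))


def build_timeline(events, active_time_bias):
    """events: (label, kind, filetime_bytes). Returns rows sorted by time,
    each (utc, suspect_local, kind, label), so MAC entries and registry
    timestamps sit on one clock regardless of the examiner's own zone."""
    rows = [(filetime_to_utc(raw), suspect_local(filetime_to_utc(raw), active_time_bias), kind, label)
            for label, kind, raw in events]
    return sorted(rows)


def sample_timeline(active_time_bias=300):
    """Constructed events (not from a real system): one shutdown, two MAC hits."""
    t0 = datetime(2004, 3, 1, 14, 0, tzinfo=timezone.utc)
    events = [
        ("ShutdownTime", "registry", utc_to_filetime(t0 + timedelta(hours=2))),
        ("C:\\Docs\\memo.doc", "M", utc_to_filetime(t0 + timedelta(minutes=30))),
        ("C:\\Docs\\memo.doc", "A", utc_to_filetime(t0 + timedelta(hours=1, minutes=45))),
    ]
    return build_timeline(events, active_time_bias)
```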
Registry Tools • Registry Reader: Access Data • Encase • Windows • Regedit • Regedt32 • Freeware tools • Never work on the original • Make a copy
Windows Registry There are five root keys: • HKEY_CLASSES_ROOT (HKCR) • HKEY_CURRENT_USER (HKCU) • HKEY_LOCAL_MACHINE (HKLM) • HKEY_USERS (HKU) • HKEY_CURRENT_CONFIG (HKCC)
Registry Architecture Two are “Master” keys (HKLM and HKU): • HKEY_LOCAL_MACHINE – Configuration data describing hardware and software installed on the computer • HKEY_USERS – Configuration data for each user that logs into the computer
Registry Architecture Three are derived from the “Master” keys: • HKEY_CLASSES_ROOT – File Associations and OLE • HKEY_CURRENT_USER – Currently logged on user • HKEY_CURRENT_CONFIG – Current hardware profile
HKEY_CLASSES_ROOT – From HKLM\Software\Classes
HKEY_CURRENT_USER – From HKU\SID of current user
HKEY_CURRENT_CONFIG – From HKLM\System\CurrentControlSet\Hardware Profiles\Current
The Windows Registry Dial-up Accounts: • HKEY_CURRENT_USER\RemoteAccess\Addresses Dial-up Account Usernames: • HKEY_CURRENT_USER\RemoteAccess\Profile\[isp_name] RegisteredOwner/Organization, Version, VersionNumber, ProductKey, ProductID, ProductName: • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion MSN Messenger Info: • HKEY_CURRENT_USER\Identities\{string}\Software\Microsoft\MessengerService • HKEY_CURRENT_USER\Software\Microsoft\MessengerService
The Windows Registry Outlook Express User Info (e-mail, newsgroups, etc): • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts • HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Account Manager\Accounts\0000000x Internet Explorer History settings length: • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLHistory
Automated Tools • Easier case management • Keyword searching includes slack/residue and other unallocated areas of disk space. • Ability to use hash sets of known system files to minimize keyword search times. • Ability to use hash sets to search for known files such as child porn, root kits or whatever you want to hash and find quickly. • Unicode and ANSI compatible • Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language. • Needed for foreign language support • Etc.
Encase Forensic Tools • Supports “bit stream acquisitions” in three ways: • #1 – drive to drive in a DOS environment, loading its own drive lock TSR. • #2 – drive to drive in a Windows environment using a hardware drive locker – “Fastbloc” or others.
Encase Forensic Tools • #3 – computer to computer using a crossover network cable: Encase for DOS loaded from a diskette with write-protect software on the suspect’s computer, Encase for Windows on the forensic examiner’s computer.
Summary • Computer Forensics is not a piece of software. • The forensic mindset is paramount. • The Windows registry is a treasure chest of forensic information. • You will need several tools in your forensic tool box.