COEN 250 Computer Forensics Windows Live Analysis
Extracting Evidence from a Live System Degrees of Volatility of Data. • Gathering more volatile data versus • Safer forensics procedures.
Extracting Evidence from a Live System Live Examination is done: • To quickly assess the situation • Confirmation of incident. • To retrieve volatile data • Such as network connections, running processes, etc.
Extracting Evidence from a Live System Initial response must not destroy potential evidence. • Use only trusted tools on a response toolkit. • Document results. • Notebook • Hard Drive of target system • Removable media connected to target drive • Other system using netcat or cryptcat
Extracting Evidence from a Live System • Plan investigation. • Evidence gathering differs according to incident: • Unacceptable web-surfing. • Intellectual property rights theft. • Compromised system.
Extracting Evidence from a Live System • Response Toolkit • Collection of Trusted Tools. • Stored on removable media. • Floppies (write-protected) • CD • Thumbdrive (write-protected)
Response Toolkit • Determine the tools needed. • Create Toolkit. • Check dependencies on DLL and other files. Include those in toolkit. • Include a file authentication tool such as MD5.
Response Toolkit: cmd.exe Built-in command prompt should be included in the toolkit.
Response Toolkit • Tool Collection • System & Time • Logged on Users • Process Information • Network and Port Information
Response Toolkit: Time and date • Built-in: • date /t • time /t • Systeminfo.exe gives uptime with a lot of other details. • Perl: • print scalar(localtime(time)), "\n";
Response Toolkit • Logged on / remotely logged on users: • PsLoggedOn (see below) • Netusers from Somarsoft • Net session (native to Windows) • rasusers (see below)
Response Toolkit rasusers • Which users have remote access privileges on the target system.
Response Toolkit PsLoggedOn
Response Toolkit • Process Information
Response Toolkit • Pulist (from resource kit) • PsList
Response Toolkit • ListDLL
Response Toolkit Handle gives all handles
Response Toolkit Tlist is part of the Microsoft debugging tools.
Response Toolkit • Cmdline from Diamond CS displays all processes with their arguments.
Response Toolkit PmDump dumps memory of a process.
Response Toolkit • dd for Windows dumps the contents of main memory into a file.
Response Toolkit Clipboard contents can be dumped with a small Perl script: use Win32::Clipboard; print Win32::Clipboard->Get(), "\n";
Response Toolkit • Doskey /history
Response Toolkit • SC.exe communicates with the NT Service Controller
Response Toolkit • Windows has “protected storage”. • Use PStoreView to access it.
Response Toolkit • PsService views services:
Response Toolkit • PsInfo contains interesting system data including the uptime
Response Toolkit: kill • Get it from the Windows NT Resource Kit. • Terminates processes via process number.
Response Toolkit • Network and Port Information
Response Toolkit netstat • Enumerates all listening ports and all connections to those ports.
Response Toolkit Fport • Finds open TCP/IP and UDP ports and maps them to the owning application
Response Toolkit ipconfig
Response Toolkit • Promiscdetect • Figures out whether network card is in promiscuous mode.
Response Toolkit • psfile
Response Toolkit • openports
Response Toolkit: md5sum • Creates MD5 hashes for a file.
Response Toolkit: PsLogList • Dumps the event log list.
Response Toolkit: PsInfo Local System built.
Response Toolkit • Analyzing files • String.exe • Bintext.exe • Dependency Walker • File Date Time Extractor for Windows Word • …
Preparing the Toolkit • Label the toolkit. • Check for dependencies with Filemon or ListDLL. • Lots of dependencies means lots of MAC changes. • Lots of dependencies makes it easy to run into a trojaned utility. • Create an MD5 of the toolkit. • Write protect any floppies.
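The "Create an MD5 of the toolkit" step, as an added example that is not part of the original slides: a Python sketch that records an MD5 manifest when the kit is built and later reports changed, missing, or added files, which is how a trojaned utility or a dropped-in DLL would show up. The function names and the two-file sample kit are constructed for illustration; MD5 is used because the slides name it.

```python
import hashlib
import os
import tempfile

def md5_file(path, chunk=65536):
    """Hash a file in chunks so large tools do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file's path (relative to the toolkit root) to its MD5 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = md5_file(full)
    return manifest

def verify(root, manifest):
    """Compare the toolkit on disk with the manifest taken at build time."""
    current = build_manifest(root)
    return {
        "changed": sorted(p for p in manifest
                          if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Constructed sample: a fake two-file toolkit, then simulated tampering."""
    with tempfile.TemporaryDirectory() as kit:
        for name, data in (("cmd.exe", b"trusted shell"),
                           ("netstat.exe", b"trusted netstat")):
            with open(os.path.join(kit, name), "wb") as f:
                f.write(data)
        baseline = build_manifest(kit)         # recorded when the kit is built
        clean = verify(kit, baseline)
        with open(os.path.join(kit, "netstat.exe"), "wb") as f:
            f.write(b"replaced netstat")       # simulate a swapped utility
        with open(os.path.join(kit, "extra.dll"), "wb") as f:
            f.write(b"unexpected dependency")  # simulate an unlisted DLL
        return clean, verify(kit, baseline)

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean kit:   ", clean)
    print("tampered kit:", tampered)
```

Keep the manifest with the case notes rather than only on the toolkit media, so the reference hashes cannot be altered together with the tools.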
Storing Obtained Data • Save data on the hard drive of target. (Modifies System.) • Record data by hand. • Save data on removable media. • Includes USB storage. • Save data on a remote system with netcat or cryptcat.
Storing Obtained Data with netcat • Quick on, quick off target system. • Allows offline review. • Establish a netcat listener on the forensic workstation. Redirect into a file. • Establish a netcat funneler on the target system to the forensic workstation. • Cryptcat does the same, but protects against sniffing.